PAM | ProVision

Privileged Access Management (PAM)

PAM consists of the cybersecurity strategies and technologies for exerting control over the elevated ("privileged") access and permissions of users, accounts, processes, and systems across an IT environment.

How does PAM help organizations?

PAM condenses an organization's attack surface and prevents, or at least mitigates, the damage arising from external attacks as well as from insider malfeasance or negligence. By streamlining the authorization and control of privileged accounts, PAM lets organizations stay in control and be safe from both intentional and unintentional abuse of admin rights.

Privileged access management helps manage entitlements, not only of individual users but also of shared accounts such as super-user, administrative or service accounts. A PAM tool protects and manages all types of privileged accounts.

Mature PAM solutions go even further than simple password generation and access control to individual systems, and also provide a unified, robust, and—importantly—transparent platform integrated into an organization’s overall identity and access management (IAM) strategy.

Difference between the two major categories of IT accounts

User Accounts

A user account typically represents a human identity (such as an Active Directory user account) and has an associated password to protect information and prevent anyone else from accessing it without permission. There is usually a single account password per user that needs to be memorized by a person.

Privileged Accounts

Privileged accounts provide administrative or specialized levels of access to enterprise systems and sensitive data, based on higher levels of permissions. A privileged account can be associated with a human being or a non-human IT system.

Organizations often have two to three times more privileged accounts than they have employees. In most organizations, IT staff have one account with standard-level permissions and another account for performing operations that require elevated permissions.

Privileged accounts are the keys to your IT, since they can be used to:

  • access a sensitive server
  • adjust permissions
  • make backdoor accounts
  • change or delete critical data

What are the risks associated with unmanaged privileged accounts?

Many recent high-profile breaches have one thing in common: They were accomplished through the compromise of privileged credentials. Industry analysts estimate that up to 80% of all security breaches involve the compromise of privileged accounts.

Virtually all organizations have some unknown or unmanaged privileged accounts, increasing their risk. Some may have thousands. This can happen for various reasons:

  • An ex-employee's access was never disabled.
  • An account is used less and less often until it becomes obsolete and is abandoned.
  • Default accounts on new devices were never disabled.
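The three conditions above are straightforward to check against an account export. The following is an added example, not code from ProVision or the original page: it runs over a constructed inventory whose field names (`owner_active`, `vendor_default`, `last_logon`) are assumptions standing in for whatever an AD or IAM export provides, and tags every still-enabled privileged account that matches one of the page's risk conditions.

```python
from datetime import date

# Constructed sample export of privileged accounts (not real data). The field
# names are assumptions; map them to whatever your directory export provides.
INVENTORY = [
    {"name": "admin_jdoe", "owner": "jdoe", "owner_active": False, "enabled": True,
     "last_logon": "2024-01-15", "vendor_default": False},
    {"name": "svc_backup", "owner": None, "owner_active": True, "enabled": True,
     "last_logon": "2023-02-01", "vendor_default": False},
    {"name": "admin", "owner": None, "owner_active": True, "enabled": True,
     "last_logon": None, "vendor_default": True},
    {"name": "admin_asmith", "owner": "asmith", "owner_active": True, "enabled": True,
     "last_logon": "2024-05-30", "vendor_default": False},
    {"name": "admin_old", "owner": "bgone", "owner_active": False, "enabled": False,
     "last_logon": "2022-01-01", "vendor_default": False},
]


def audit_privileged_accounts(inventory, today, dormant_days=90):
    """Map each still-enabled account to the risk conditions it matches.

    `today` is an ISO date string; accounts already disabled are skipped.
    """
    today = date.fromisoformat(today)
    findings = {}
    for acct in inventory:
        if not acct["enabled"]:
            continue                      # already disabled: nothing to flag
        tags = []
        if acct["owner"] is not None and not acct["owner_active"]:
            tags.append("owner left but access never disabled")
        if acct["vendor_default"]:
            tags.append("default account still enabled")
        if acct["last_logon"] is None:
            tags.append("never used")
        elif (today - date.fromisoformat(acct["last_logon"])).days > dormant_days:
            tags.append("dormant")
        if tags:
            findings[acct["name"]] = tags
    return findings
```

Feed the result into a review queue rather than disabling accounts automatically: a dormant service account may still be load-bearing for a quarterly job.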

How do cyber-criminals compromise privileged accounts?

01. Compromise a local account.

Criminal hackers use malware or social engineering to get access to desktops, laptops, or servers. Employees are typically fooled by phishing scams that appear to be legitimate requests from an employee's manager, company executive, or another trusted source. They may unknowingly click on a malicious link, download a piece of software with malware hidden inside, or enter their password credentials into fake websites.

02. Capture a privileged account.

An attacker's primary goal is to obtain a privileged account (such as a local Windows administrator account) to move around. After an employee's password is captured, the perpetrator can log onto a network and simply bypass many of the traditional IT security controls because they appear as a user with legitimate credentials. Common techniques include Man in the Middle or Pass the Hash attacks to elevate privileges.

03. Hide and observe.

Sophisticated criminal hackers are patient, preferring to remain undetected rather than crack-and-dash. After attackers establish a breach, they typically use compromised privileged accounts to perform reconnaissance and learn about the normal routines of IT teams. This includes observing regular schedules, security measures in place, and network traffic flow. They use these observations to blend in and make sure they don't trigger any network security alarms. Eventually they can get an accurate picture of the entire network and its operations.

04. Impersonate employees.

An attacker with access to a privileged account can impersonate a trusted employee or system and therefore can carry out malicious activity without being detected as an intruder. When attackers compromise a privileged account, they can operate undetected for weeks or months at a time. Because a compromised privileged account appears to be a legitimate user, it's very difficult to find the root cause or perform digital forensics when a breach is eventually detected.

05. Establish ongoing access.

An attacker's next step is often to establish ongoing access by installing remote access tools, which enables them to return anytime they wish and perform malicious activities without raising an alarm.

06. Cause harm.

Depending on the motive of the attackers, they can use privileged accounts to do things such as:

  • Damage system functions or disable access by an IT administrator
  • Steal sensitive data for fraud or reputation damage
  • Inject bad code
  • Poison data

Why is PAM important?

A well-executed privileged access management strategy establishes regulated individual user access controls and behaviour transparency to mitigate security risks. PAM tools are introduced to ensure that users only have access to what is required to do their job and nothing more.

Why would I need PAM?

PAM keeps your organization safe from accidental or deliberate misuse of privileged access.

This is particularly relevant if your organization is growing. The bigger and more complex your organization's IT systems get, the more privileged users you have. These include employees, contractors, remote or even automated users. Many organizations have 2-3 times as many privileged users as employees!

Some of these admin users can override existing security protocols. That's a big vulnerability. If administrators can make unauthorized system changes, access forbidden data, and then hide their actions, you're in trouble. Insider threats aside, this is a huge opportunity if an outside attacker can gain access using these admin credentials.

PAM solves this problem. A PAM solution offers a secure, streamlined way to authorize and monitor all privileged users for all relevant systems.

PAM lets you:

  • Grant privileges to users only for systems on which they are authorized.
  • Grant access only when it's needed and revoke access when the need expires.
  • Avoid the need for privileged users to have or know local/direct system passwords.
  • Centrally and quickly manage access over a disparate set of heterogeneous systems.
  • Create an unalterable audit trail for any privileged operation.

Capabilities of the PAM solution

Under certain conditions emergency access must be granted to specific administrators and you will still need to ensure the monitoring and recording of all privileged activity in your systems.

PAM solutions can offer a secure application launcher that provides immediate entry into applications without revealing passwords.

Even with multiple security protocols in place, there is still potential for privileged accounts to be breached.

PAM software can add an additional layer of security with multi-factor authentication protocols (MAP) when a user requests access. OATH authentication and proprietary tokens can also be integrated as part of the MAP.

Once a user has accessed the system, PAM software can assist in workflow management through automation of each approval step throughout the session duration.

For each user role, you can configure check-out rules and, if needed, receive notification for specific access requests that require manual approval by an administrator.

Mobile devices are becoming common access points to enterprise systems.

PAM software can provide integration with a secure application launcher where access can be granted to remote devices.

Auditing privileged sessions is critical.

PAM solutions can provide recording and reporting for a variety of activities including password requests and session recording of transactions during privileged sessions.

Additionally, PAM software can provide dozens of critical reports including asset reports, compliance reports, and privileged activity reports.

Password leaks and data breaches are an increasing part of the IT world.

Reusing passwords increases the likelihood that a system and its data will be compromised. The primary method of security provided by privileged access management is password vaulting, where passwords are stored in a central, highly secure location and protected by strong encryption.

This ensures extremely limited access to all passwords.

With PAM, you can generate random password values or merely rotate the current password.

This can be done manually by an individual with an assigned password management role, or as an automated function of the PAM system. Each time a user requests access, a new password can be automatically generated by the PAM system to avoid password reuse or leakage, while ensuring a match between current credentials and the target systems.

To scale IT systems while managing costs, effective systems management increasingly requires a high degree of automation.

PAM systems can automatically perform repetitive password related tasks and can also alert administrators for a variety of privileged access conditions, such as failed password attempts, password requests, and web application transactions.

PAM systems can be designed with failover safeguards to ensure that no single point of failure can prevent critical access to systems during a widespread system or network failure.

Third-party personnel may need continued access to systems (as opposed to emergency, one-time only access as described below).

PAM software can provide role-based access that does not require granting domain credentials to outsiders, limiting access to only needed resources and reducing the likelihood of unauthorized privileged access.

Components of a PAM Solution


Privileged Access Management solutions vary in their architectures, but most offer the following components working in concert:

Access Manager

This PAM module governs access to privileged accounts. It is a single point of policy definition and policy enforcement for privileged access management. A privileged user requests access to a system through the Access Manager. The Access Manager knows which systems the user can access and at what level of privilege. A super admin can add, modify or delete privileged user accounts on the Access Manager. This approach reduces the risk that a former employee will retain access to a critical system. (This situation is far more common than most IT managers would like to admit!)

Password Vault

The best PAM systems prevent privileged users from knowing the actual passwords to critical systems. This prevents a manual override on a physical device, for example. Instead, the PAM system keeps these passwords in a secure vault and opens access to a system for the privileged user once he has cleared the Access Manager.

Session Manager

Access control is not enough. You need to know what a privileged user actually did during an administrative session. A Session Manager tracks actions taken during a privileged account session.
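The three components above, together with the just-in-time grant, revocation, per-use password rotation and unalterable audit trail listed earlier on this page, can be shown working together in a small model. The following is an added illustration, not ProVision's code or any product's API: the `PamBroker` class, its policy layout and the epoch-second timestamps are assumptions made for the example, and the "vault" holds generated secrets that callers never receive.

```python
import hashlib
import json
import secrets


class PamBroker:
    def __init__(self, policy, systems):
        self.policy = policy                # Access Manager: user -> {system: privilege level}
        self.vault = {s: secrets.token_urlsafe(24) for s in systems}  # Password Vault
        self.sessions = {}                  # session id -> (user, system, expiry)
        self.audit = []                     # Session Manager: hash-chained, append-only log
        self._prev = "0" * 64

    def _log(self, **event):
        event["prev"] = self._prev          # chain each record to the one before it
        digest = hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()
        self.audit.append({**event, "hash": digest})
        self._prev = digest

    def checkout(self, user, system, now, ttl=1800):
        """Access Manager: grant a time-boxed session only where policy allows it."""
        level = self.policy.get(user, {}).get(system)
        if level is None or system not in self.vault:
            self._log(ts=now, action="deny", user=user, system=system)
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = (user, system, now + ttl)
        self._log(ts=now, action="checkout", user=user, system=system, level=level, session=sid)
        return sid                          # a session handle, never the password

    def run(self, sid, command, now):
        """Session Manager: record every command; refuse expired or unknown sessions."""
        user, system, expiry = self.sessions.get(sid, (None, None, -1))
        if now > expiry:
            self._log(ts=now, action="reject", session=sid, reason="expired or unknown")
            return False
        self._log(ts=now, action="command", session=sid, user=user, system=system, cmd=command)
        return True                         # a real broker would now connect using self.vault[system]

    def checkin(self, sid, now):
        user, system, _ = self.sessions.pop(sid)
        self.vault[system] = secrets.token_urlsafe(24)   # rotate the secret after each use
        self._log(ts=now, action="checkin", session=sid, user=user, system=system)

    def verify_audit(self):
        """Recompute the hash chain; any edited or removed record breaks it."""
        prev = "0" * 64
        for rec in self.audit:
            body = {k: v for k, v in rec.items() if k != "hash"}
            expect = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or expect != rec["hash"]:
                return False
            prev = rec["hash"]
        return True
```

A production vault would keep the chain anchor and the secrets outside the process (an HSM or a separate append-only store), so that the administrator whose session is being recorded cannot also rewrite the record.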
