Privileged access management (PAM) controls access to business systems by users who hold specific access privileges, such as domain or account administrators, those managing networking equipment accounts, help desk personnel, HR, and so on. PAM monitors that access to prevent security incidents on these high-tier systems.
Whatever study you review, the primary point of entry is phishing email, which enables criminals to steal credentials, install malware, or initiate a ransomware attack. The email accounts of lower-level personnel are useful to cybercriminals, but what they crave is access to privileged accounts, as that is where they can do real damage. Therefore, such accounts require more than just a watchful eye. That’s where PAM comes in.
Key Features of Privileged Access Management
PAM is one of the fastest-growing areas in cybersecurity today, according to analyst firm KuppingerCole. The market is expected to be worth $5.4 billion by 2025. And the reason is simple. Forrester estimates that 80 percent of all cybersecurity breaches involve privileged credentials. No wonder there are so many companies keen to serve this market.
PAM solutions vary from vendor to vendor. But they generally include the following:
- Storing of the login credentials of privileged accounts in a secure repository.
- A specific authentication process to log into such accounts.
- Logging of who accesses what accounts and what was done with them.
- Monitoring of suspicious or malicious behavior.
- Severe restriction of high-level privileges to a small group of approved users who can override certain security restraints, such as shutdowns, loading of apps or drivers, network configuration, and provisioning.
The benefits of PAM include:
- Visibility into the activities of privileged users, accounts, assets, and credentials.
- The ability to spot inactive privileged accounts or those that belonged to personnel no longer with the company.
- Compliance with regulatory and security requirements.
- Safeguarding the organization against internal and external threats.
- Reducing the attack surface of critical systems.
- Reducing the propagation of malware.
PAM Vendor Selection
Here are some tips to aid in the selection of a PAM solution.
- PAM is as much about policy as it is about technology. Therefore, establish your policy first and then look for technology that helps you to implement it.
- Favor tools that help you centralize the management of privileged accounts. This is especially relevant to global firms or those operating multiple centers in different regions.
- Narrow down to PAM tools that align with your existing security tool vendor mix, and with the operating systems and cloud environments in play.
- Look for PAM tools that help you enforce least privilege rights for most users and that heavily restrict privileged access. This includes the elimination of admin rights on endpoints.
Top PAM Solutions
Enterprise Networking Planet reviewed the various PAM solutions out there. Here are our top picks, in no particular order:
Thycotic Secret Server
Thycotic Secret Server is a multi-layered solution that provides protection for privileged access and credentials. It is designed for integration into an organization’s cybersecurity fabric. Private equity firm TPG Capital owns the company and earlier acquired one of its biggest rivals, Centrify. The plan is to eventually combine the two.
- Discover, manage, and delegate access to privileged accounts with role-based access controls, encryption, multi-factor authentication support, and centralized administration.
- Meet cybersecurity PAM best practices and regulatory obligations with immutable auditing and reporting, and event-driven email alerts.
- Easy installation and user experience.
- Discovery of local and service accounts across an organization along with additional features such as automation, auditing, reporting and alerts, secret workflow, session monitoring and control, and custom script support.
- Wizard-driven setup and a knowledge base built to enable self-service.
- Secret Server Cloud can be incorporated alongside existing employee processes, allowing for integration into existing systems.
BeyondTrust Universal Privilege Management (UPM) allows customers to start with the use cases that are most critical to their organization and expand over time. It integrates privileged credential management with endpoint and remote access security and is non-intrusive to users.
- BeyondTrust has a customer base of over 20,000.
- UPM can be implemented as a standalone solution.
- It offers session auditing, least privilege management, and monitoring.
- Session logging allows for the review of all end system and network interactions, detailing remote and third-party users involved, which endpoints they connected to, and system information.
- Enables credential injection, eliminating the need for privileged users to remember or check out credentials for the systems they need to access.
- Available as on-premises and private cloud, as well as a SaaS/PaaS hosted offering.
CyberArk Privileged Access Management addresses various use cases to secure privileged credentials and confidential information on-premises or in the cloud. It makes it possible to continuously discover and manage privileged accounts and credentials, isolate and monitor privileged sessions and remediate risky activities across environments.
- The ability to secure privileged identities, whether human or machine, in a tamper-resistant repository.
- Meet internal requirements, manage access, and maintain a centralized, tamper-proof audit.
- Securely authenticate users with VPN-less access from a single web portal.
- Automatically discover and onboard privileged credentials.
- Centralized policy management allows administrators to set policies for password complexity and the frequency of password rotation.
Centrify Server Suite
Centrify Server Suite addresses how organizations secure privileged access across hybrid- and multi-cloud environments. It allows humans and machines to authenticate, enforcing least privilege with just-in-time privilege elevation. It comprises three core products to protect Windows, Linux, and UNIX. Private equity firm TPG Capital owns the company and recently acquired one of its biggest rivals, Thycotic. Currently, both tools are being sold separately, but they are likely to be combined in the near future.
- Centrify Authentication Service extends Active Directory (AD) benefits to Linux and UNIX by natively joining them to AD for access controls in hybrid environments using identity entitlements.
- Identities can be consolidated and many local privileged accounts can be removed.
- Centrify Privilege Elevation Service grants just enough, just-in-time privileged access with policy enforcement controls to increase security and accountability.
- Centrify Audit and Monitoring Service offers visibility into all privileged activity by recording and managing the IT estate.
- Detects suspicious user activity with real-time alerts to stop breaches in progress.
- Host-based auditing on each target system ensures cyber-attackers can’t bypass session recordings.
- Privilege elevation capability complements password vaulting. The combination empowers organizations to achieve a more mature PAM posture that enforces least privilege, removes reliance upon shared passwords, consolidates identities, and enforces role-based access controls.
- These capabilities are also available in Centrify Cloud Suite as a SaaS-delivered service to govern and control access to hybrid-cloud or multi-cloud hosted IT infrastructure.
ManageEngine offers a wide array of PAM solutions for Active Directory, Microsoft 365, and Exchange management and reporting. These help to manage privileged user accounts, administrative access to critical IT assets, and compliance mandates. IT can use it to provision and monitor access to both applications and data.
- Manage digital identities across the IT environment and regulate access to critical resources.
- Provision users across multiple platforms.
- Control, track, and audit access to applications and data.
- Strictly govern privileged access to critical IT systems.
- Prevent privilege escalation with role-based access control.
- Enterprise single sign-on.
- Enterprise credential vault.
- Secure remote access and session recording.
- Privileged user behavior analytics.
- SSH key management and SSL certificate management.
- Application credential security.
Arcon PAM offers access control features, granular controls, and just-in-time (JIT) privileged access to enforce the principle of least privilege in IT environments. It is used by more than 1,000 global organizations, spanning many different industries.
- Implement privileged access practice on a need-to-know and need-to-do basis.
- Automate and secure the password-changing process and frequently randomize privileged passwords.
- Spot threats and mitigate risks on a real-time basis to secure privileged access environments.
- Reduce the threat surface by removing standing privileges to systems and applications.
- Securely allow one-time access to critical systems without sharing privileged credentials.
- Audit trail of privileged activities, with reports and analytics.
Hitachi ID Systems
Hitachi ID Bravura Privilege provides frictionless, elevated, and time-limited access to reduce IT security risk and enhance accountability. It is part of the Hitachi ID Bravura Security Fabric that also includes Identity, Pass, Group, and Discover modules.
- Supports over a million daily password randomizations.
- Facilitates access for thousands of authorized users, applications, and systems through a geo-redundant architecture.
- Document every disclosure of access to every privileged account through custom reports.
- Integrate with every client, server, hypervisor, database, and application, on-premise or in the cloud.
- Replaces shared and static passwords tied to privileged accounts with periodically new and random values based on robust password policy controls.
- It can enforce multiple scheduled or event-triggered password policies on fixed IT assets, laptops, and rapidly provisioned virtual machines.
- Securely store credentials to prevent unauthorized disclosure.
- Distributed active-active architecture that replicates in real time across all instances.
- Data at rest and in transit is encrypted using a 256-bit AES encryption key.
One Identity PAM is available as a SaaS-delivered or traditional on-premises offering. It can secure, control, monitor, analyze, and govern privileged access across multiple environments and platforms. Additionally, it has the flexibility to provide full credentials when necessary or to limit access under zero trust and least-privilege operating models.
- Control, monitor, and record privileged sessions of administrators, remote vendors, and high-risk users.
- Session recordings are indexed to accelerate searching for events.
- Automated reports to meet auditing and compliance requirements.
- Automate, control, and secure the process of granting privileged credentials with role-based access management and automated workflows.
- Manage passwords from anywhere with nearly any device.
- Analyze privileged session recordings to identify high-risk privileged users.
- Monitor questionable behaviors and other anomalies.
- For UNIX and Windows servers and desktops.
WALLIX Bastion PAM delivers oversight over privileged access. It helps to reduce the attack surface and meet regulatory compliance requirements. Manage, control, and audit access to network assets, ensuring that only the right person has access to the right IT resources.
- Deliver secure remote access to IT admins and external providers via HTML5-based secure connectivity accessible from any browser.
- Eliminate the need for RDP, SSH, or telnet connections.
- Remote sessions benefit from the same level of control, approval, tracking, and monitoring as internal sessions, enabling IT supervisors to control, audit, and analyze all privileged access from anywhere.
- Just-in-Time (JIT) and zero standing privileges policies.
- With the WALLIX Bastion REST API, users may access any of the features of the Bastion as if they were accessing it from the usual user interface.
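The features listed above (vaulted credentials, a gated authentication step, logging of who accessed which account, and restriction of approval to a small group) and the just-in-time, zero-standing-privileges model that the Centrify, Arcon, Hitachi ID, and WALLIX entries describe can be illustrated in one toy model. The following is an added example written for this article, not code from any of the vendors; account names, users, and credential values are constructed, and the 30-minute TTL is an assumed policy value.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Grant:
    user: str
    account: str
    approver: str
    expires_at: datetime

@dataclass
class PamVault:
    approvers: set                 # small group allowed to approve elevation
    creds: dict                    # account -> current credential (constructed sample values)
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # (time, actor, account, event, detail)

    def request_access(self, user, account, approver, now, ttl_minutes=30):
        # JIT elevation: a time-boxed grant approved by someone other than the requester.
        if approver not in self.approvers or approver == user:
            self.audit.append((now, user, account, "DENIED", "no valid approver"))
            return None
        grant = Grant(user, account, approver, now + timedelta(minutes=ttl_minutes))
        self.grants.append(grant)
        self.audit.append((now, user, account, "GRANTED", f"approved by {approver}"))
        return grant

    def checkout(self, user, account, now):
        # Zero standing privileges: the credential is disclosed only under an unexpired grant.
        for g in self.grants:
            if g.user == user and g.account == account and now < g.expires_at:
                self.audit.append((now, user, account, "CHECKOUT", "credential disclosed"))
                return self.creds[account]
        self.audit.append((now, user, account, "DENIED", "no active grant"))
        return None

    def checkin(self, account, now, new_secret=None):
        # Rotate on check-in so a disclosed value does not remain valid afterwards.
        self.creds[account] = new_secret or secrets.token_urlsafe(16)
        self.audit.append((now, "system", account, "ROTATED", "credential randomized"))

def demo():
    t0 = datetime(2021, 6, 1, 9, 0)
    vault = PamVault(approvers={"sec-lead"}, creds={"dom-admin": "S3cr3t-A"})   # constructed
    self_approved = vault.request_access("alice", "dom-admin", "alice", t0)       # denied
    vault.request_access("alice", "dom-admin", "sec-lead", t0)                    # 30-minute grant
    first = vault.checkout("alice", "dom-admin", t0 + timedelta(minutes=5))       # "S3cr3t-A"
    vault.checkin("dom-admin", t0 + timedelta(minutes=10), "S3cr3t-B")
    late = vault.checkout("alice", "dom-admin", t0 + timedelta(minutes=31))       # None: expired
    return self_approved, first, late, [e[3] for e in vault.audit]
```

The audit list is the "who accessed what, and when" record the article calls for; in a real deployment it would be written to an immutable store rather than kept in memory.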