Privilege Elevation and Delegation Management (PEDM) Explained: Definition, Benefits and More
All You Need to Know about PEDM.
A game-changer in the PAM market, PEDM is now on everybody’s lips when talking about more efficient methods to mitigate cybersec risk by properly controlling privileged permissions. Featuring three essential elements: appropriate privileges for appropriate users just at the appropriate time, PEDM dramatically improves your cybersec posture. Read on to gain more knowledge surrounding this topic and stay until the end to see how Heimdal can help you implement privilege elevation and delegation management in your company and achieve a top-rated level of cybersecurity.
What Is Privilege Elevation and Delegation Management (PEDM)?
Privilege Elevation and Delegation Management, also known under the PEDM acronym, refers to a category of Privileged Access Management (PAM) that focuses on delivering more granular access controls than Privileged Account and Session Management (PASM) technologies normally do.
How Does PEDM Work?
The Privilege Elevation and Delegation Management’s workflow unfolds like this:
- as Gartner says, it works through host-based command control filtering and privilege elevation functionalities;
- by entirely removing user privileges and enabling administrators, including developers too, to work with typical standard accounts, it adheres to the principle of least privilege;
- this way, only tasks, apps, or scripts that require admin privileges will have them reassigned. This method allows users to execute commands with greater privileges on a case-by-case basis;
- it also has the ability to block the execution of harmful or unauthorized programs, such as.DLL files, and scripts/installers, and only allows trustworthy apps to run;
- IT team can grant limited access considering specifically defined roles and the validity of the user’s request;
- after the privileged session comes to an end, the access is revoked.
What Are the PEDM Components?
Privilege elevation and delegation management technologies can be split into two broad categories:
Endpoint Least Privilege Management
These solutions typically encompass least privilege enforcement, including privilege elevation and delegation, across Windows and Mac endpoints (e.g., desktops, laptops, etc.).
Server and Infrastructure Privilege Management
These technologies enable businesses to specify who has access to Unix, Linux, and Windows servers, as well as what they may do with that access.
What’s the Relation with PASM?
Gartner analysts split the PAM (Privileged and Access Management) market into two broad categories in 2017: PASM (Privileged Account and Session Management) and PEDM.
To better understand the difference between the two concepts, remember that what PASM does is to provide an “all or nothing” temporary admin access through the so-called “ephemeral accounts”. What does that mean? It means that the admin receives access on a temporary basis when he needs it, but it does not have access only to a certain area specifically needed to perform a task, but to everything on the target server.
Password vaulting is a term used to describe PASM solutions. The solution creates and distributes privileged account credentials in a secure manner. A temporary account with full admin power will be provided to the users who require access to a specific server and they must request it from the vault. Keep in mind that this account works for only one session. Besides, what happens in the privileged session is observed and recorded.
However, PASM is limited in terms of providing fine-grained access security, and here is where Privilege Elevation and Delegation Management comes into play, going beyond the limitations of PASM and making you benefit from a more granular security strategy of PAM. PEDM plays a significant role in protecting the organizations’ important assets since the users’ access is thus besides temporary, also restricted to certain areas they specifically need to access.
Access privileges are distributed depending on work roles in PEDM solutions. Instead of employing temporary privileged accounts, PEDM tools give normal accounts permanent privilege. PEDM tools establish the two w: who has access to which system areas and what they can do with that access.
That’s why PASM and PEDM should be regarded as complementary solutions, not as competing ones. So, as Gartner recommends, when you start with a PAM solution, the best approach is to implement PASM first to build the foundation and then to use PEDM to maintain and strengthen it.
Why Is Privilege Elevation and Delegation Management Important?
PEDM is important for a variety of reasons when talking about improving a company’s cybersecurity posture. Here are the main benefits of Privilege Elevation and Delegation Management:
It Lets You Implement Granular Privilege Restrictions
As emphasized previously in this article, by implementing PEDM functionalities, IT teams can create access control policies at the device, application, service, and process level rather than at the user level which gives us a compelling opportunity: to provide expanded privileges under certain conditions. Users will be given access and visibility into applications but they will not be able to alter their content by performing data updates or configurations. This is called privilege segregation, which means that PEDM is a secure environment for systems and processes.
PEDM Promotes the Just-in-Time Access Concept
In a previous article, we’ve discussed how just-in-time access is an essential component of a PAM solution. PEDM supports just-in-time access because the type of access control it features is based on granting permissions for a limited timeframe.
Non-admin users who need access to critical apps and systems must submit privilege elevation requests to the admins. What happens next is that admins perform check and validation steps on these requests and the user will receive privilege elevation for a short period of time which leads us to the naming of just-in-time privilege elevation.
It Does Not Let Hackers Go Beyond the Compromised Accounts
Because at the end of the privileged session, PEDM has the role of revoking the granted rights, this means that, even if a hacker had gained access and compromised credentials of privileged accounts, their actions stop there as they cannot move further on the network and inflict more damage.
PEDM’s Motto Is Less Admin Accounts
If Privilege Elevation and Delegation Management is used with its brother PASM (Privilege Account and Session Management), which our colleague Vladimir described thoroughly in an insightful article, they make the perfect combo for working on limiting the admin accounts number within a company. So basically, sysadmins do not need admin accounts as they can get admin privileges through regular user accounts with PEDM. This dramatically decreases two emergent cyber risks: external threats and internal threats. Less privileged accounts and privileged sessions mean fewer attack vectors for hackers to exploit.
This way standing privileges do not longer pose a risk, as admins receive privileged access only linked with specific tasks or apps, not to mention that the access has limitations. Because PEDM shows a more granular nature in terms of access control, this leads to the improvement of the organizations’ cybersecurity by implementing the principle of least privilege. Thus, users only have the proper access level to complete their tasks and that’s it.
As All Good Cybersec, PEDM Helps You Maintaining Compliance
I’m sure you hear this every day: that tool is helping you achieve compliance, the other tool also, and so on. Reiterative, but true. Compliance requirements are important to be met in a company for the overall operational well-being of the business. Privilege elevation and delegation management helps you with that because it has monitoring and reporting functionalities.
It Facilitates Self-Service Elevation
Privilege elevation and delegation management also allows users to request custom roles that match their privileged access requirements. By means of specified criteria, which automatically authorize just-in-time controls, requests for self-service elevation are validated.
Best Practices on How to Implement PEDM in Your Company
Here are some methods on how to properly approach a Privilege Elevation and Delegation Management strategy:
Start with a Privilege Audit
First of all, you must assess how many users with standing privileges are in your organization and then clean it all.
Enforce Control Policies
Consider implementing access control policies at the application, service, and device level, not at the user level. Here you must also separate regular user accounts from admin accounts.
Remove Local Admin Privileges
Removing local admin privileges can be done by assigning default privileges to user accounts, this strategy having the role of both mitigating insider or external threats and closing vulnerabilities. What’s more, is that you can actually do that with Heimdal Privileged and Access Management by checking the box Revoke existing local admin rights from your Heimdal dashboard.
Keep Track of Privileged Sessions
Privileged sessions should be monitored and logged and then proofed against anomalous behavior, basically actions performed without prior authorization. This lets you better examine user behavior trends and also take decisions based on specific data.
Heimdal® Privileged Access Management
- Automate the elevation of admin rights on request;
- Approve or reject escalations with one click;
- Provide a full audit trail into user behavior;
- Automatically de-escalate on infection;
How You Can Implement Privilege Elevation and Delegation Management with Heimdal™’s PAM
We’re at this point when we’ve all settled with the theory surrounding this concept, now let’s move on to a more practical approach: what Heimdal brings to the table when talking about Privilege Elevation, and Delegation Management.
Heimdal’s Privileged Access Management provides for PEDM-type curation capabilities of non-privileged user accounts. This works with AD (Active Directory), Azure AD, or other hybrid setups eliminating over-privileged accounts as the access for admins part of an RBAC setup is restricted depending on the group policies.
It also supports two important elements for a PEDM strategy I mentioned throughout this article that work on securing privileged access at a granular level: Local Admin Rights Elevation (L.A.R.E.) and a Time to Live function (TIL) that enables the Just-in-Time access approach. Thus:
- through Local Admin Rights Elevation, certain Local Users and Groups’ members can ask for elevation and sysadmins can perform inclusion or exclusion of users taking into account details like username or host.
- what JIT does is limit access to L.A.R.E.-based activities for users and administrators.
The elevation part works by a user requesting single-file or process elevation during the business hours with the elevation token expiring in 24 hours if it does not receive user confirmation.
Regarding the de-elevation capability, if enforced globally, this means it will automatically log off the user and kill the process.
Another benefit of our PEDM approach in the Privileged and Access Management module is that it owns a reporting mode enabled by default which can provide you with accurate and consistent telemetry.
You can learn more details by accessing the corresponding PAM Product Sheet or contacting us at email@example.com
And if you want to see Heimdal’s Privilege Elevation and Delegation Management in action you can just BOOK A DEMO.
Because it’s not just plain words, Heimdal’s always got a solution to make your company achieve operational flexibility and implement a solid security framework. Give us a shot! What do you have to lose?
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.