What is Privileged Access Management (PAM)?
And how to safely manage admin rights and avoid security hiccups in your organization
Privileged Access Management ensures business safety through privileged accounts monitoring, preventing external and internal threats that result from the improper use of admin rights. It is based upon the Principle of Least Privilege, where users are given the absolute minimum access necessary to complete their responsibilities.
If you are concerned about intentional insider threats only, you are barely scratching the surface.
It should come as no surprise that admin rights are not only abused by malevolent employees. They can be leveraged for nefarious purposes by malicious hackers who break into privileged accounts and gain access to your systems. As a result, they have the ability to create additional users with elevated rights or view, edit, and delete your data as they please.
But Privileged Access Management (PAM) ensures you are the only one completely in charge and that you are able to manage and mitigate threats.
In the past, we’ve extensively written about PAM-related topics such as the Zero Trust model, Insider Threats, why removing admin rights closes critical vulnerabilities in your organization, the Principle of Least Privilege (PoLP), and Identity and Access Governance. Now, it’s time to connect the dots and provide you with a complete overview of Privileged Access Management – what it means and why this concept should be followed by any organization, regardless of its size.
In this article, I will also shed some light on the risks of privilege accounts and why it’s essential to effectively manage them. What’s more, I will try to equip you with the resources and tactics needed to safeguard your business against data theft and lateral movement and look at how you can spot and prevent malicious activities and insider/external attacks, so that your business remains cyber resilient.
What is Privileged Access Management?
Privileged Access Management follows the Principle of Least Privilege, which is based upon the idea that all users should have access only to the information and systems they fundamentally need to perform their job functions. The theory of least privilege is commonly recognized as a standard practice in cybersecurity, being an important move towards securing privileged access. By following the least privilege concept, companies will minimize the danger of insider and external threats, which otherwise can result in expensive data breaches.
PAM is intended to track, handle, and control privileged accounts, also being aimed at supporting organizations in the effort to protect access to sensitive data and follow the latest legal requirements. Every organization should rely on PAM to be secured against risks raised by the misuse of privileges.
Privileged Access Management refers to a holistic protection approach that involves individuals and technologies and aims to track, manage, protect, and inspect all elevated sessions within an IT ecosystem.
In another article, we also define PAM – Privileged Account Management, so I suggest you check it out as well.
Why do we need Privileged Access Management?
The only method of preventing threats is by effectively managing and tracking privileged user sessions. Through streamlining the authorization and control of privileged accounts, PAM lets organizations stay in control and be safe from both intentional and unintentional admin rights abuse.
People are starting to acknowledge the importance of Privileged Access Management, which is being reflected by the growing size of the market, as you can see below. The chart shows the PAM market size from 2013 to 2016 and a forecast for 2020. In 2016, the privileged access management market was worth $900 million worldwide.
Privileged Access Management Stats
Here are some interesting facts regarding Privileged Access Management that you should be aware of:
- 90% of organizations feel vulnerable to insider threats (Source)
- 74% of organizations that have been breached in the past say it involved privileged access credential abuse (Source)
- Forrester states that 80% of data breaches are connected to compromised privileged credentials (Source)
- Gartner has identified PAM as one of the top 10 security projects for organizations in 2019 (Source)
- The Ponemon Institute reports that 49% of organizations don’t have any policies for assigning privileged user access (Source)
The list could continue. However, I hope I’ve managed to paint a picture of the insider threat and admin rights abuse landscape and their relationship with Privileged Access Management.
Types of privileged accounts
Before I dive into more details, please keep in mind that not all privileged accounts within an organization are the same.
In simple terms, a privileged account is used to accomplish certain activities that standard user accounts are not able to, such as accessing critical data and systems.
These accounts are necessary for maintaining your IT infrastructure. However, if their credentials ever end up in the wrong hands or are misused by malevolent insiders, the damage can be irreversible. Having strong privileged user monitoring is essential to hindering attackers and preventing them from causing major harm to your systems.
The Institute of Forensics and ICT Security lists seven different types of privileged accounts you need to know about:
1. Local Administrative Accounts
These are non-personal accounts, which only provide the local host or instance with administrative access. They are used for conducting maintenance on workstations, servers, databases, etc. and they often use the same password for ease of usage across an entire network. Due to the shared password policy, they become a desirable target for cyberattacks.
2. Privileged User Accounts
They are named credentials on one or more systems and are granted administrative privileges. These are usually one of the most popular types of accounts on a corporate network, enabling users to have administrator privileges (for example, to their local desktops or on the networks they operate). Privileged User Accounts often use complex passwords and the power that they possess over networks necessitates a constant oversight of their usage.
3. Domain Administrative Accounts
Domain Administrative Accounts provide control over all of the organization’s workstations and servers. Although such accounts are small in number, they have the largest and most reliable network-wide connectivity. Having complete control over domain controllers and the right to change the membership of each administrative account within the domain, a breach of these privileged accounts is always a huge risk for any company.
4. Emergency Accounts
Emergency Accounts offer administrative access for unprivileged users to protected systems throughout an emergency and are often referred to as ‘firecall’ or ‘break-glass’ accounts. For safety reasons, access to such accounts usually requires management’s consent and they generally involve an unreliable manual procedure that lacks auditability.
5. Service Accounts
These accounts can be privileged local or domain accounts and are used to communicate with the operating system through an application or service. In certain instances, some Service Accounts have administrative privileges based on the application specifications under which they are used. Local Service Accounts have the ability to connect with Windows elements, thus password change coordination becomes challenging.
6. Active Directory or domain service accounts
Password modifications may be much more complicated for these accounts, as they involve coordination across several systems. This problem also contributes to a widespread pattern of seldom changing service account passwords, which poses a significant risk across an organization.
7. Application Accounts
Application Accounts are used to access databases, run batch jobs or scripts, or facilitate access to other apps. Typically, they facilitate access to underlying company information through applications and databases. Passwords for these accounts are frequently embedded and maintained in unencrypted text files, a flaw that is repeated through several servers to have better tolerance for applications with faults. This weakness presents a significant danger to an enterprise, as the apps also contain the data that APTs seek.
Privileged Attack Vectors
In “Privileged Attack Vectors”, Morey J. Harber mentions six stages of insider attacks – which are similar to external threats.
1. Infiltration – Insider and External Threats
External threats no longer represent the primary threat to an organization. Infiltration can happen through various attack vectors, and internal access is one of them.
2. Command and Control
Intruders can easily establish a connection to a C&C server to access toolkits and payloads and receive further commands. This helps them assess the environment and prepare their next steps.
3. Privileged escalation attempts
Threat actors start learning about your network and identifying the privileged accounts and key assets, looking for ways to collect passwords and take advantage of the user rights they have already abused.
4. Lateral movement between assets, accounts, resources, and identities
Threat actors then exploit stolen credentials to compromise additional assets and accounts using lateral movement, continuing the propagation and navigation through the target’s environment.
5. Searching for additional opportunities
The purpose of threat actors is, of course, to remain undiscovered. This way, they can and extend their reach from vulnerabilities to compromised identities utilizing multiple attack vectors, installing malware, and identifying additional targets.
6. Data exfiltration or destruction
Eventually, the threat agents gather, store, and exfiltrate data and sometimes infect your systems with malware (ransomware – in most cases). You must keep in mind that an entire series of attacks can be conducted by an internal or an external threat. Obviously, an insider’s knowledge can speed up all of these steps and bypass security controls.
Why properly managing privileged accounts matters
Through implementing processes to handle privileged accounts, organizations will fix problematic user behavior, reduce the vulnerabilities associated with privileged accounts, and ensure that privileged accounts are used safely.
In addition, managing accounts with elevated rights are also turning into a matter of compliance, as authorities are enacting legislation that outlines the measures that companies need to follow to control their privileged accounts. Hence, poor management of these accounts does not only pose security dangers, but it may also prompt regulating bodies to enforce penalties.
Privileged accounts are the key to a company’s data and systems, which is why they are coveted by malicious hackers. In fact, it should come as no surprise that many major cyber-attacks involved the abuse of privileged accounts (some examples include the data breaches of JPMorgan Chase and Home Depot).
As you’ve noticed, all privileged accounts are highly sensitive assets in any organization and must be taken seriously. Systems will never be completely protected unless privileged accounts are fully secured.
This is where PAM comes into play, enabling the existence of a set of processes and resources that provide complete insight and power to IT teams over who has access to the most sensitive structures in an enterprise.
Essentially, Privileged Access Management tools offer a wide range of features, such as the possibility to log and record all privileged sessions. For instance, Thor AdminPrivilegeTM, HeimdalTM Security’s PAM SaaS solution is a highly elaborate technology that allows for both escalation and de-escalation of user rights. What’s more, when used in tandem with our threat prevention, detection, and hunting suite, it becomes the only software on the market to automatically de-escalate users’ rights, should any infection be discovered on the machine.
Implementing your PAM program
To avoid system intrusions, you must implement a carefully planned and robust Privileged Access Management program. This way, you will successfully mitigate and prevent threats and secure your privileged accounts.
Here are the fundamental aspects a good PAM program should contain:
- Having a strong password management policy in place.
- Logging and recording all privileged user sessions.
- Following the Zero Trust model and applying the Principle of Least Privilege – in other words, not keeping unnecessary privileged accounts in your environment.
- Implementing a leading-edge Privileged Access Management tool.
System admins waste 30% of their time manually managing user
rights or installations
Heimdal™ Privileged Access
System admins waste 30% of their time manually managing user
All of the above ensures that sensitive accounts and passwords are immune to attacks. Furthermore, if credentials are ever breached, the harm can be mitigated thanks to the PoLP concept, where no employees are operating with more privileges than they actually require – and should they ever need their rights to be elevated, their sessions will be monitored for suspicious behavior and will last for a limited time only.
These practices will make it highly difficult for malicious actors to leverage privileged accounts as a compromise method.
IT professionals are nowadays forced to simultaneously keep up with the accelerated evolution of attack vectors and facilitate safe access, in a timely manner, to an organization’s systems and resources.
Our Thor AdminPrivilege™ is a secure and intuitive cybersecurity PAM solution and by far the most advanced Privileged Access Management tool, which allows both the escalation and de-escalation of user rights. Sysadmins can remove permanent rights and grant rights to users only when they need them and for a specified period. All granted rights can be revoked anytime you want and all actions performed during the escalation period are logged for a full audit trail. What’s more, when used together with Heimdal™ Threat Prevention, Thor Vigilance, or Endpoint Security Suite, it becomes the only software that automatically de-escalates user rights, should any threats be detected on the machine.
How do you manage user rights in your organization? What are your thoughts on Privileged Access Management? I would love to read your comments in the section below!