How to prioritize Privileged Access Management

Homand Farahmund, VP Analyst at Gartner explains that Privileged access management (PAM) plays a key role in enabling zero trust and defense-in-depth strategies that extend beyond mere compliance requirements. 

Privileged access, which bypasses standard controls to execute operations above those with standard access, can put the target system — or systems, such as infrastructure as a service (IaaS) — at higher risk. This makes privileged access management (PAM) a high-priority cyber defense capability, but effective PAM takes a comprehensive technical strategy. Key success factors include visibility and control of privileged accounts across all assets.

Privileged access happens when an entity (human or machine) uses an administrative account or a credential with elevated rights to perform technical maintenance, make changes, or address emergency outages (privileged operations) in an IT or digital system. This can occur either on premises or in the cloud. Privileges in this context are technical, which is different from high-risk entitlements related to business processes. PAM controls ensure authorized use of privileges (including any related mechanism like privileged accounts or credentials) in authorized target systems for all relevant use cases.

Privileged access risks result from the proliferation of privileges, the potential for human error in using privileges (such as administrator mistakes) and unauthorized privilege elevation (techniques that attackers use to gain higher-level permissions on a system, platform or environment).

Traditional PAM controls, such as credential vaulting zeroand session management, ensure that privileged users, applications and services get just enough privileges (JEP) just in time (JIT) to reduce the access risk. However, such measures are essential but insufficient if deployed partially. Emphasizing JIT privilege approaches and managing machine identities are imperative; implementing privilege task automation and advanced analytics is preferred.

Broader coverage of PAM controls for cloud platforms, DevOps, microservices, and robotic process automation (RPA) scenarios require additional capabilities such as secrets management (with secretless brokering) and cloud infrastructure entitlement management (CIEM).

PAM is applicable to all local and remote human-to-machine and machine-to-machine privileged access scenarios. This makes PAM a critical infrastructure service due to risk aggregation related to storing sensitive credentials/secrets, as well as performing privileged operations in different systems. As such, PAM capabilities require thoughtful high-availability (HA) and recovery mechanisms.

It’s essential to prioritize PAM as a cyber defense mechanism. It plays a key role in enabling zero trust and defense-in-depth strategies that extend beyond mere compliance requirements. Some organizations may choose to deploy a minimum set of PAM controls to meet their compliance obligations in response to the findings of an audit. However, these organizations remain susceptible to attack vectors, such as service accounts, privilege escalation and lateral movements. Although minimalistic controls are better than nothing, expanding PAM control coverage can mitigate a broader number of risks to defend against complex cyberattacks.

The figure below shows the key steps to develop/enhance PAM architecture strategy:

Security and risk management technical professionals should:

  • Create a PAM control coverage matrix that aligns with the organization’s cybersecurity framework. Use this to develop a risk-based approach to plan and implement or enhance PAM controls and your breadth of coverage.
  • Implement core PAM capabilities by deploying solutions that cover intended use cases while driving a zero standing privilege operating model. That includes governance, discovery, protection, monitoring, auditing, and JIT privilege elevation and delegation.
  • Implement additional PAM capabilities by extending the deployed solutions or integration with other security management tools. These include:
    • Remote support
    • Task automation (especially in DevOps pipeline and infrastructure-as-code [IaC] use cases)
    • Change management
    • Vulnerability assessment and remediation
    • Secrets management
    • Secretless brokering
    • Cloud infrastructure entitlement management
  • Integrate PAM solutions with security information and event management (SIEM) and IT service management (ITSM) tools.
  • Architect resiliency for the PAM solution by using HA design and advanced disaster recovery processes, such as a hot or cold site versus simple local backup and recovery. Also plan for recovery scenarios using reliable break-glass approaches.