
Published: 19 July 2024

Contributor: Matthew Kosinski

What is privileged access management (PAM)?

Privileged access management (PAM) is the cybersecurity discipline that governs and secures privileged accounts (such as admin accounts) and privileged activities (such as working with sensitive data).

In a computer system, “privilege” refers to access permissions that are higher than a standard user’s. A regular user account might have permission to view entries in a database, while a privileged administrator would be able to configure, add, change and delete entries.

Nonhuman users, such as machines, apps and workloads, can also hold elevated privileges. For example, an automated backup process might have access to confidential files and system settings. 

Privileged accounts are high-value targets for hackers, who can abuse their access rights to steal data and damage critical systems while evading detection. In fact, hijacking valid accounts is the most common cyberattack vector today, according to the IBM® X-Force® Threat Intelligence Index.

PAM tools and practices help organizations protect privileged accounts against identity-based attacks. Specifically, PAM strategies strengthen organizational security posture by shrinking the number of privileged users and accounts, protecting privileged credentials and enforcing the principle of least privilege.

What is the difference between PAM and IAM? 

Identity and access management (IAM) is a broad field that encompasses all of an organization’s identity security efforts for all users and resources. PAM is the subset of IAM that focuses on securing privileged accounts and users.

There is significant overlap between IAM and PAM. Both involve provisioning digital identities, implementing access control policies and deploying authentication and authorization systems. 

However, PAM goes further than standard IAM measures because privileged accounts require stronger protection than standard accounts. PAM programs use advanced security measures such as credential vaults and session recording to strictly control how users obtain elevated privileges and what they do with them.

It would be impractical and ineffective to apply such strong measures to nonprivileged accounts. These measures would interrupt regular user access and make it hard for people to do their day-to-day jobs. This difference in security requirements is why PAM and IAM have diverged into separate, but related, disciplines. 


Why privileged access management matters

Privileged accounts pose heightened security risks. Their elevated permissions are ripe for abuse, and many organizations struggle to track privileged activity across on-premises and cloud systems. PAM helps organizations gain more control over privileged accounts to stop hackers while connecting users with the permissions they need.

Identity-based attacks, in which hackers take over user accounts and abuse their valid privileges, are on the rise. IBM’s X-Force reports that these attacks increased by 71% last year. They now account for 30% of security breaches. These attacks often target privileged accounts, either directly or through lateral movement.

Bad actors—insider threats or external attackers—who get their hands on privileged accounts can do serious damage. They can use the elevated permissions to spread malware and access critical resources without restriction, all while tricking security solutions into thinking they are legitimate users with valid accounts.

According to the IBM Cost of a Data Breach Report, breaches where hackers use stolen credentials are among the costliest at USD 4.62 million on average. Insider threats who abuse their valid privileges can cause even more damage, with those breaches costing USD 4.90 million on average. 

Moreover, digital transformation and the growth of artificial intelligence have increased the number of privileged users in the average network. Every new cloud service, AI application, workstation and Internet of Things (IoT) device brings new privileged accounts. These accounts include both the admin accounts human users need to manage these assets and the accounts these assets use to interact with network infrastructure. 

Complicating matters further, people often share privileged accounts. For example, instead of assigning each system admin their own account, many IT teams set up one admin account per system and share the credentials with the users who need them. 

As a result, it’s hard for organizations to track privileged accounts while malicious actors are focusing their attention on those very accounts. 

PAM technologies and strategies help organizations gain more visibility into and control over privileged accounts and activities without disrupting legitimate user workflows. The Center for Internet Security lists core PAM activities among its “critical” security controls [1].

Tools such as credential vaults and just-in-time privilege elevation can facilitate secure access for users who need it while keeping hackers and unauthorized insiders out. Privileged session monitoring tools allow organizations to track everything that every user does with their privileges across the network, enabling IT and security teams to detect suspicious activity. 

How privileged access management works 

Privileged access management combines processes and technology tools to control how privileges are assigned, accessed and used. Many PAM strategies focus on three pillars:

  • Privileged account management: The creation, provisioning and secure disposal of accounts with elevated permissions.

  • Privilege management: Managing how and when users get privileges, as well as what users can do with their privileges.

  • Privileged session management: Monitoring privileged activity to detect suspicious behavior and ensure compliance.  

Privileged account management

Privileged account management oversees the entire lifecycle of accounts with elevated permissions, from creation to retirement.

What are privileged accounts?

A privileged account is any account with higher-than-average access rights in a system. Users of privileged accounts can do things such as change system settings, install new software and add or remove other users.

In modern IT environments, privileged accounts take many forms. Both human users and nonhuman users, such as IoT devices and automated workflows, can have privileged accounts. Examples include:  

  • Local administrative accounts give users control over a single laptop, server or other individual endpoint. 

  • Domain administrative accounts give users control over an entire domain, such as all the users and workstations in a Microsoft Active Directory domain. 

  • Privileged business user accounts give users elevated access for non-IT purposes, such as the account that a finance employee uses to access company funds. 

  • Superuser accounts grant unrestricted privileges in a particular system. In Unix and Linux® systems, superuser accounts are called “root” accounts. In Microsoft Windows, they are called “administrator” accounts.   

  • Service accounts allow apps and automated workflows to interact with operating systems. 

Core components of privileged account management

Privileged account management handles the entire lifecycle of these privileged accounts, including:

  • Discovery: Inventorying all existing privileged accounts in a network. 

  • Provisioning: Creating new privileged accounts and assigning permissions based on the principle of least privilege. 

  • Access: Managing who can access privileged accounts and how. 

  • Disposal: Securely retiring privileged accounts that are no longer necessary.

A major goal of privileged account management is reducing the number of privileged accounts in a system and restricting access to those accounts. Credential management is a key tool for achieving this goal.

Rather than assigning privileged accounts to individual users, many PAM systems centralize these accounts and store their credentials in a password vault. The vault securely houses passwords, tokens, Secure Shell (SSH) keys and other credentials in an encrypted form.

When a user—human or nonhuman—needs to do a privileged activity, they must check out the appropriate account’s credentials from the vault. 

For example, say that an IT team member must make changes to a company laptop. To do so, they need to use the local admin account for this laptop. The credentials for the account are stored in a password vault, so the IT team member starts by requesting the account password.

The team member must first pass a strong authentication challenge, such as multifactor authentication (MFA), to prove their identity. Then, the vault uses role-based access controls (RBAC) or similar policies to determine whether this user is allowed to access the credentials for this account. 

This IT team member is allowed to use this local admin account, so the credential vault grants access. The IT team member can now use the local admin account to make the necessary changes to the company laptop. 

For added security, many credential vaults do not directly share credentials with users. Instead, they use single sign-on (SSO) and session brokering to initiate secure connections without the user ever seeing the password. 

The user’s account access typically expires after a set amount of time or after their task is complete. Many credential vaults can automatically rotate credentials on a schedule or after each use, making it harder for malicious actors to steal and misuse those credentials.

Privilege management

PAM replaces perpetual privilege models, in which a user always has the same static level of permissions, with just-in-time access models where users receive elevated privileges when they need to do specific tasks. Privilege management is how organizations implement these dynamic least privileged access models.

Credential vaults are one way that organizations eliminate perpetual privileges, as users can access privileged accounts only for a limited time and limited purposes. But vaults are not the only way to control user privileges.

Some PAM systems use a model called just-in-time (JIT) privilege elevation. Instead of logging in to separate privileged accounts, users have their permissions temporarily raised when they need to perform privileged activities. 

In the JIT privilege elevation model, every user has a standard account with standard permissions. When a user needs to do something that requires elevated permissions—such as an IT team member changing important settings on a company laptop—they submit a request to a PAM tool. The request might include some kind of justification outlining what the user needs to do and why. 

The PAM tool assesses the request against a set of predefined rules. If this user is authorized to perform this task on this system, the PAM tool elevates their privileges. These elevated privileges are valid only for a short amount of time, and they allow the user to do only the specific tasks they need to do. 

Most organizations use both privilege elevation and credential vaulting for privilege management. Some systems require dedicated privileged accounts—such as the default administrative accounts built into some devices—and others don’t.
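The vault check-out flow described above (MFA first, then a role-based policy check, a time-limited lease and rotation on check-in) and the JIT elevation flow (same authorization, but no credential is ever released) share one authorization core. The following is an added illustration written for this page, not code from any PAM product; the policy table, account names and lease lengths are constructed, and a real vault would encrypt what is stored here in a plain dictionary.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple
import secrets
import time

# Constructed policy table (not from any real PAM product): which role may use which
# privileged target, for which tasks, and how long a lease lasts (seconds).
POLICY = {
    ("it-support", "laptop-42:local-admin"): ({"install-software", "change-settings"}, 900),
    ("dba", "db-prod:root"): ({"restore-backup"}, 600),
}


@dataclass
class Grant:
    """A time-boxed, task-scoped authorization, for a vault check-out or a JIT elevation."""
    user: str
    target: str
    tasks: FrozenSet[str]
    expires_at: float
    credential: Optional[str] = None  # only populated for vault check-outs

    def permits(self, task: str, now: float) -> bool:
        # Both the time window and the task scope are enforced on every use.
        return now < self.expires_at and task in self.tasks


class PamBroker:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        # Vault contents are generated here; a real vault keeps them encrypted at rest.
        self.vault = {target: secrets.token_urlsafe(16) for _, target in POLICY}
        self.audit: List[Tuple[str, str, str]] = []  # (user, target, outcome) trail

    def _authorize(self, user: str, role: str, mfa_passed: bool, target: str, why: str) -> Optional[Grant]:
        # Step 1: strong authentication before the policy is even consulted.
        if not mfa_passed:
            self.audit.append((user, target, "denied: MFA not satisfied"))
            return None
        # Step 2: role-based policy decides whether this role may use this target at all.
        rule = POLICY.get((role, target))
        if rule is None:
            self.audit.append((user, target, "denied: no policy for role"))
            return None
        tasks, ttl = rule
        self.audit.append((user, target, f"granted for {ttl}s: {why}"))
        return Grant(user, target, frozenset(tasks), self.now() + ttl)

    def checkout(self, user: str, role: str, mfa_passed: bool, target: str, why: str) -> Optional[Grant]:
        """Vault model: the shared account's password is released for the lease period."""
        grant = self._authorize(user, role, mfa_passed, target, why)
        if grant is not None:
            grant.credential = self.vault[target]
        return grant

    def checkin(self, grant: Grant) -> None:
        """End the lease and rotate the password so a copied credential is now useless."""
        self.vault[grant.target] = secrets.token_urlsafe(16)
        grant.expires_at = self.now()
        grant.credential = None
        self.audit.append((grant.user, grant.target, "checked in, credential rotated"))

    def elevate(self, user: str, role: str, mfa_passed: bool, target: str, why: str) -> Optional[Grant]:
        """JIT model: same authorization, but no credential ever leaves the broker."""
        return self._authorize(user, role, mfa_passed, target, why)
```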

Privileged session management 

Privileged session management (PSM) is the aspect of PAM that oversees privileged activities. When a user checks out a privileged account or an app has its privileges elevated, PSM tools track what they do with those privileges.

PSM tools can record privileged session activity by logging events and keystrokes. Some PSM tools also take video recordings of privileged sessions. PSM records help organizations detect suspicious activity, attribute privileged activity to individual users and build audit trails for compliance purposes.

PAM versus PIM versus PUM

Privileged identity management (PIM) and privileged user management (PUM) are overlapping subfields of privileged access management. PIM processes focus on assigning and maintaining privileges for individual identities in a system. PUM processes focus on the maintenance of privileged user accounts.

However, the distinctions between PIM, PUM and other aspects of PAM are not universally agreed upon. Some practitioners even use the terms interchangeably. Ultimately, the important thing is that it all falls under the PAM umbrella. Different organizations might conceptualize PAM tasks differently, but all PAM strategies share the goal of preventing the misuse of privileged access.

Privileged access management solutions 

It is inefficient, and often impossible, to manually conduct core PAM tasks such as privilege elevation and regular password rotations. Most organizations use PAM solutions to streamline and automate much of the process.

PAM tools can be installed on premises as software or hardware appliances. Increasingly, they are delivered as cloud-based software-as-a-service (SaaS) apps.

Analyst firm Gartner sorts PAM tools into four classes:

  • Privileged account and session management (PASM) tools handle account lifecycle management, password management, credential vaulting and real-time privileged session monitoring.  

  • Privilege elevation and delegation management (PEDM) tools enable just-in-time privilege elevation by automatically evaluating, approving and denying privileged access requests. 

  • Secrets management tools focus on protecting credentials and managing privileges for nonhuman users, such as apps, workloads and servers.  

  • Cloud infrastructure entitlement management (CIEM) tools are designed for identity and access management in cloud environments, where users and activities are more diffuse and require different controls than their on-premises counterparts.

While some PAM tools are point solutions that cover one class of activities, many organizations are adopting comprehensive platforms that combine the functions of PASM, PEDM, secrets management and CIEM. These tools might also support integrations with other security tools, such as sending privileged session logs to a security information and event management (SIEM) solution.

Some comprehensive PAM platforms have extra functions, such as:

  • The ability to automatically discover previously unknown privileged accounts 

  • The ability to enforce MFA on users requesting privileged access

  • Secure remote access for privileged activities and users

  • Vendor privileged access management (VPAM) capabilities for third-party contractors and partners

PAM and AI 

Analysts anticipate that PAM tools, like other security controls, will increasingly incorporate AI and machine learning (ML). In fact, some PAM tools already use AI and ML in risk-based authentication systems. 

Risk-based authentication continuously assesses user behavior, calculates the risk level of that behavior and dynamically changes authentication requirements based on that risk. For example, a user requesting privileges to configure a single laptop might need to pass two-factor authentication. A user who wants to change settings for all workstations in a domain might need to supply even more evidence to verify their identity.
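One way to express the step-up logic in that example, as an added illustration that is not code from any product mentioned on this page: the requested scope (one endpoint versus a whole domain) sets a base risk, behavioral signals such as an unknown device or an off-hours request raise it, and the score selects the authentication factors required. The weights, thresholds and factor names are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class AccessRequest:
    user: str
    scope: str       # constructed scopes: "endpoint", "server" or "domain"
    hour: int        # local hour of the request, 0-23
    device_id: str


@dataclass
class UserHistory:
    """What the system has previously observed for this user (constructed signals)."""
    known_devices: Set[str] = field(default_factory=set)
    usual_scopes: Set[str] = field(default_factory=set)


# Wider blast radius means higher base risk: a domain admin change affects every workstation.
SCOPE_WEIGHT = {"endpoint": 1, "server": 2, "domain": 4}
DENY_THRESHOLD = 8  # above this, no amount of step-up is accepted automatically


def risk_score(req: AccessRequest, hist: UserHistory) -> int:
    score = SCOPE_WEIGHT[req.scope]
    if req.device_id not in hist.known_devices:
        score += 2  # new device for this user
    if req.scope not in hist.usual_scopes:
        score += 2  # user has never requested this scope before
    if req.hour < 7 or req.hour > 19:
        score += 1  # outside normal working hours
    return score


def required_factors(score: int) -> Optional[Tuple[str, ...]]:
    """Return the factors the user must present, or None when the request is refused."""
    if score > DENY_THRESHOLD:
        return None
    if score <= 2:
        return ("password", "otp")                      # two-factor minimum for any privilege
    if score <= 5:
        return ("password", "otp", "device-certificate")
    return ("password", "otp", "device-certificate", "manager-approval")


def evaluate(req: AccessRequest, hist: UserHistory) -> Optional[Tuple[str, ...]]:
    return required_factors(risk_score(req, hist))
```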

Research from Omdia [2] predicts that PAM tools might use generative AI to analyze access requests, automate privilege elevation, generate and refine access policies and detect suspicious activity in privileged session records.

Privileged access management use cases

While PAM tools and tactics govern privileged activity across an organization, they can also help address specific identity and access security challenges. 

  • Shrinking the identity attack surface
  • Managing identity sprawl
  • Regulatory compliance
  • DevOps secret management

Shrinking the identity attack surface

Threat actors are increasingly using valid accounts to break into networks. At the same time, many organizations are suffering from privilege creep. Users have higher privileges than they need, and obsolete privileged accounts are not properly retired.

As a result, identities have become many organizations’ greatest risks. PAM tools and tactics can help remediate these vulnerabilities.

Credential vaults make it harder to steal privileged accounts, and PEDM tools enforce granular least-privileged access that curtails lateral movement. Organizations can use these and other PAM solutions to replace perpetual privileges with a zero trust model where users must be authenticated and authorized for every connection and activity. This model can help shrink the identity attack surface and limit hackers' opportunities.

Managing identity sprawl 

Digital transformation has fueled an explosion of privileged identities in corporate networks, which poses a significant challenge to information security. 

The average business department uses 87 different SaaS apps [3], to say nothing of the various IoT devices, cloud infrastructure services and remote users with BYOD devices that now populate corporate networks. Many of these assets and users need privileged accounts to interact with IT resources.

And as more organizations incorporate generative AI into their operations, these new AI apps and integrations bring yet another set of privileged identities onto the scene. 

Many of these privileged identities belong to nonhuman users, such as AI apps and IoT devices. Nonhumans outnumber human users in many networks today, and they’re notoriously bad at keeping their credentials secret. For example, some apps dump their credentials in plain text to system logs and error reports.

PAM can help organizations manage identity sprawl by vaulting privileged credentials for human and nonhuman users and centrally controlling access to them. Automated credential rotation can limit the damage of any credentials that leak, and session monitoring tools help track what all these disparate users do with their privileges.

Regulatory compliance 

Data privacy and security regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR) require that organizations control access to health information, credit card numbers and other sensitive data.

PAM can help organizations meet compliance requirements in a few ways. PAM tools can enforce granular access privileges so that only necessary users can access sensitive data, and only for authorized reasons. 

Credential vaults and privilege elevation eliminate the need for shared admin accounts, which can result in unauthorized users accessing sensitive data.

Privileged session monitoring helps organizations attribute activity and produce audit trails to prove compliance in the event of a breach or investigation. 

DevOps secret management 

Managing privileged credentials, often called “secrets” in DevOps environments, can be particularly hard for DevOps teams.

The DevOps methodology heavily uses cloud services and automated processes, meaning there are many privileged human and nonhuman users scattered across many different parts of the network.

It’s not uncommon for SSH keys, passwords, API keys and other secrets to be hardcoded into apps or stored as plain text in version control systems and elsewhere. This makes it easy for users to get credentials when they need them so that workflows aren’t disrupted—but it also makes it easier for malicious actors to steal those credentials.

PAM tools can help by storing DevOps secrets in a centralized vault. Only legitimate users and workloads can access the secrets, and only for legitimate reasons. Vaults can automatically rotate secrets so that stolen credentials quickly become useless. 

Footnotes

All links reside outside ibm.com.

1 CIS Critical Security Controls, Center for Internet Security, June 2024.

2 Generative AI Trends in Identity, Authentication and Access (IAA), Omdia, 15 March 2024.

3 2023 State of SaaS Trends, Productiv, 21 June 2023.