The majority of major data breaches in recent years have resulted from hackers gaining access to unmanaged and unprotected privileged accounts and credentials.
Privileged and service accounts are a significant risk because of the access they provide to an organization’s systems and data. These accounts can be used to reach the most sensitive data, lock out legitimate users, and create ghost accounts and backdoors that are not easily detected.
Ultimately, these accounts are the keys to your company’s valuable assets and must be protected against improper use and unauthorized access. To effectively accomplish this, you need a modern identity management system and you need to strategically place it at the center of your security toolkit.
This blog post will cover two ways to protect privileged accounts: Privileged Access Management (PAM) and Privileged User Management (PUM). As these terms are often mistakenly used interchangeably, we will discuss what they are, as well as provide insight into key differences and benefits of each.
PAM vs. PUM
In a nutshell, user-specific PAM is a process in which users can request elevated access with their existing account for an application or system to perform duties they could not perform with their current level of access rights. For example, a standard user needs administrator access to complete a task in a system. An IAM solution with PAM enables a user to simply request the necessary access for a specific system or application, and when that request is approved, the user will have access via his or her normal account. Additionally, this elevated access can be restricted to only the appropriate amount of time required to perform the duties (e.g. 4 hours or 2 days).
The key point is that no standard user should ever have elevated privileges all the time. By keeping access to a minimum, but still providing simple mechanisms to elevate access on their existing account when needed, PAM not only streamlines business processes, but reduces overall security risk for an organization.
PAM enables organizations to provide more granularity in terms of granting access. With PAM, there are multiple levels of elevated access that can be requested—such as basic user, power user, administrative user, and system administrator. This means you don’t have to go from basic user to full administrator in one jump. Organizations can give users just the right amount of access, to the right systems, at the right time.
In contrast, account-specific PUM involves the management of a system’s existing accounts, such as administrator, root, or other administrative service accounts. These accounts are typically built into the application or system and cannot be removed. They are often limited in number and therefore are typically shared within organizations. Another motivation for sharing privileged accounts is licensing restrictions: organizations don’t want to pay for multiple accounts, so they share a single one. By contrast, there can be an unlimited number of PAM accounts, or an unlimited number of users that can request them.
Because PUM accounts are often shared, a second authentication factor is rarely added. In most cases, authorized users access the PUM accounts by simply using passwords. PUM functions in an IAM solution can manage these privileged accounts and the passwords to them. With a PUM tool, organizations can check these accounts in and out, change the passwords to them at intervals or in response to specific events, and audit who is using these accounts and when. This oversight and flexibility enables organizations to safely and effectively manage privileged accounts that are considered exceptions to traditional accounts.
Additionally, PUM tools often provide an encrypted and hardened vault for storing account passwords, keys, or other credentials. Password history is available to support restoration from earlier backups.
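As an added illustration (not code from the original post or from any vendor product), the following Python model contrasts the two patterns described above: a PAM elevation on the user's own account that must be approved, is tied to a level on a hypothetical ladder, and lapses after a fixed number of hours; and a PUM vault where a shared built-in account is checked out exclusively, checked back in, and has its secret rotated on return, with every action written to an audit trail. The account names, levels and scenario are constructed for the example.

```python
import secrets
from datetime import datetime, timedelta
LEVELS = ["basic", "power", "admin", "sysadmin"]  # hypothetical elevation ladder

class PrivilegeBroker:
    def __init__(self, now, shared=()):
        self.now = now
        self.elevations = {}  # PAM: (user, system) -> (level, expiry)
        # PUM: shared built-in account -> vault entry (the secret is rotated on each check-in)
        self.vault = {n: {"secret": secrets.token_urlsafe(12), "holder": None, "version": 1} for n in shared}
        self.audit = []  # (time, event, ...) records; secrets are never logged
    # PAM: approved, time-boxed elevation of the user's own account
    def elevate(self, user, system, level, hours, approved):
        if level not in LEVELS or not approved:
            self.audit.append((self.now, "pam_denied", user, system, level))
            return False
        self.elevations[(user, system)] = (level, self.now + timedelta(hours=hours))
        self.audit.append((self.now, "pam_granted", user, system, level, hours))
        return True
    def effective_level(self, user, system):
        level, expiry = self.elevations.get((user, system), ("basic", None))
        return "basic" if expiry and self.now >= expiry else level  # lapsed => back to basic
    # PUM: exclusive check-out of a shared account; rotate the secret on check-in
    def check_out(self, account, user):
        entry = self.vault[account]
        if entry["holder"] is not None:  # held by someone else: wait, as with the pooled badges
            self.audit.append((self.now, "pum_busy", user, account, entry["holder"]))
            return None
        entry["holder"] = user
        self.audit.append((self.now, "pum_checkout", user, account))
        return entry["secret"]
    def check_in(self, account, user):
        entry = self.vault[account]
        if entry["holder"] != user:
            return False
        entry.update(holder=None, secret=secrets.token_urlsafe(12), version=entry["version"] + 1)
        self.audit.append((self.now, "pum_checkin_rotated", user, account, entry["version"]))
        return True

def run_scenario():
    # Constructed walk-through: alice gets 4h admin on "erp"; bob and carol share "root"
    b = PrivilegeBroker(datetime(2024, 1, 1, 9, 0), shared=["root"])
    b.elevate("alice", "erp", "admin", 4, approved=True)
    before = b.effective_level("alice", "erp")
    b.now += timedelta(hours=5)  # the 4-hour window has passed
    after = b.effective_level("alice", "erp")
    first, blocked = b.check_out("root", "bob"), b.check_out("root", "carol")
    b.check_in("root", "bob")
    second = b.check_out("root", "carol")
    return {"before": before, "after": after, "blocked": blocked, "rotated": first != second, "events": [e[1] for e in b.audit]}
```

Running `run_scenario()` shows alice's elevation falling back to basic once the window passes, carol's check-out refused while bob holds the shared account, and a different secret handed out after bob checks it back in.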
To help shed some light on the differences between PAM and PUM, let’s look at a physical access analogy: Many organizations issue access badges to their employees, where each badge is tied to an individual and grants access to the organization’s facilities. However, there are different ways organizations can approach access to restricted facilities.
With the first approach, for an individual to gain access to restricted facilities, the access associated with the individual’s badge is changed for a specific time period. PAM is the digital equivalent of this approach.
Now, let’s look at the physical access equivalent to PUM. Organizations can also have a pool of generic badges that are used to access certain restricted facilities. These badges are checked out temporarily by a person and returned once the person no longer requires access to those facilities. Think of those obnoxious restroom passes you had to “check out” from your teacher back when you were in school. There were only a limited number, so if they were all being used, you had to wait until one was returned to go to the restroom.
Which One Should You Use?
Many large companies use PUM, because they believe it gives them more control over access by limiting the number of privileged accounts.
With PUM, the access is the same for anyone using the account. It grants account-level privileges.
Conducting an audit or forensic investigation is easier with PUM. Auditors only need to look at the activity associated with a particular account, rather than at all activity of an individual who has been granted elevated access.
PAM grants access at the user level, which is more granular and can differ from one user to the next. The level granted can be determined by roles or attributes.
PAM provides organizations with more specific insight into who has elevated access, what level they have, and for how long that access has been granted. And, with PAM, there are many different access levels. It’s not just black and white.
While companies tend to use either PAM or PUM, the two are often combined for greater flexibility with identity management solutions.
Implement Both With RapidIdentity
Identity Automation’s RapidIdentity enables you to implement PAM or PUM or both, including managing super-privileged accounts, checking them in and out, and handling escalation-of-privileges requests.
If your employee is permitted, he or she can make a request to escalate privileges, and that request can be reviewed by approvers or the review can be automated based on user roles, entitlements, and attributes. Assuming the employee is authorized, the elevated privileges will be provided for a certain time period, depending on the privileges being granted. There is a clear chain of custody throughout the entire process.
RapidIdentity can also audit activity on all accounts, including all privileged account activity, which is required for compliance reporting and forensic analysis should an attack occur.
Whether you choose PAM, PUM, or both depends on the application, systems, and policies you have in place. It is important that you have the right identity management capabilities to handle today’s security challenges.
The bottom line is that organizations that embrace security ensure their privileged accounts are managed and protected against malicious outsiders or rogue employees. This is key to greater operational and business growth for your organization.