Privileged credentials (administrator rights) are a top target for attackers from outside the organization, or even from among unhappy staff within, because of the access they provide. A Privileged Access Management (PAM) solution is implemented to reduce or remove the need for humans to know these privileged credentials, and to reduce the chance that they might be misused.
The PAM system becomes the keeper of all privileged credentials, with policies that allow specific identified individuals access to use the appropriate credentials. To be the single source of privileged access, your PAM needs to support all of the authentication sources you use and all of the target systems to which elevated access permission is required. User acceptance is also important, so the PAM solution should support or improve existing methods of accessing privileged systems; otherwise, authorized staff will seek ways around the PAM solution.
A basic function of the PAM is to maintain an encrypted vault with the privileged credentials and other protected resources. Logging and session recording are crucial PAM features, and they allow auditing of privileged actions and forensic analysis after a privilege misuse event. Simply having logs and recordings is not sufficient; searchability is crucial for validating compliance and identifying the scope of any malicious access. Ideally, these logs would integrate into wider security analysis tools in a more holistic security approach.
Often, the PAM platform will act as a proxy or jump host to connect the unprivileged network where users operate to the privileged network that requires managed privilege credentials. The proxy function may support native tools, such as an SSH or RDP gateway, or it may provide an HTML5 browser-based interface. The proxy may be part of the main vault application, or it may be deployable as a separate server, and it can access the PAM vault as credentials are required. The separation of vault and proxy is essential when the PAM is used to bridge different trust levels, such as internet-based privileged access, or any multi-tenant deployment such as PAM as a Service.
No matter how secure a PAM system is, there is always a risk of unintended disclosure of credentials or authorized staff who misbehave, whether accidentally or maliciously. Behavior analytics is a common method used to identify access that is being exploited inappropriately, and is commonly integrated with a PAM solution. Ideally, the user behavior analytics would be able to identify the individual user’s actions both with their own credentials and using the PAM to exercise privileged credentials.
How to Read this Report
This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:
Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.
GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.
Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.