PAM

What is PAM?

In practice, the acronym PAM refers to both Privileged Access Management and Privileged Account Management. PAM handles the management and security of so-called privileged accounts. These are accounts that allow you to perform critical IT management processes, such as systems management, network management, configuration management and the management of sensitive data. In this article, we cover the role of PAM solutions.

What is the difference between Privileged Account Management and Privileged Access Management?

PAM features two types of functionality, that are an extension of each other:

• Privileged Access Management focuses on protecting access to privileged accounts. These accounts provide extensive access to IT systems. It is therefore crucial to prevent misuse by unauthorised users.
• Privileged Account Management then ensures the issuance and management of these types of accounts is well-organised. Especially in larger organisations, automated management is necessary to maintain control over who and how many people are given access to a privileged account.

What are privileged accounts?

Let’s have a deeper look into what privileged accounts are. In practice, there are several types of such accounts. Examples include:

• Administrator Accounts allow system administrators to install software, perform updates, and make changes in system settings. Admin accounts also provide access to user data and settings.
• With Root Accounts you can get complete control over UNIX and Linux systems. Root accounts enable you to modify all files and configuration settings.
• Service Accounts give privileged users access to applications and services to change application data and application configurations.
• Database Administrator Accounts (DBA accounts) are specifically designed for managing databases. This includes database configuration, optimising performance and data recovery.
• Domain Admin Accounts manage domain-wide Windows environments. These accounts allow you to configure system settings, users, groups and security.
• Application Administrator Accounts provide access to, for example, ERP and CRM applications to manage software settings, users and access to data.
• Network Administrator Accounts let you configure, monitor and secure network devices such as routers, switches and firewalls.
• Back-up Administrator Accounts offer specific access to back-up systems. These are necessary to configure and manage back-ups and execute recovery tasks.

These are, of course, examples because in practice, the names and capabilities of privileged accounts may vary from one organisation to another. However, each of these accounts grants the user direct access to the core of systems, networks, and applications.

In addition to the usual privileged accounts, most organisations also have so-called Break Glass accounts, sometimes referred to as Emergency or Firecall accounts. Break Glass access is intended for emergencies when urgent access to the IT systems is needed – for example, in case of a hack or other incidents – but regular administrators or management accounts are not available. Ordinary users can gain access through a Break Glass account in such cases. The distribution and use of these accounts are of course strictly regulated and governed by extra procedures and measure to prevent abuse.

Why is PAM important?

PAM is hugely important. These are accounts and access rights that give you direct access to the core of your IT environment. Imagine a hacker being able to copy crucial data, altering databases undetected, installing malware or changing or deleting the entire IT configuration. PAM is a critical link in your risk mitigation. This not only relates to access security to privileged accounts but also involves compliance and process automation:

• Regulatory compliance. Many industries have well-defined requirements for information security and the use of privileged accounts. PAM solutions ensure you get and stay compliant.
• Internal optimisation and security. With PAM, you automate the management of privileged accounts and access rights. Not a single person receives unwarranted access rights and they are revoked in a timely matter as well. This prevents abuse of privileged accounts.

How does PAM work in practice?

We’ve previously mentioned that for privileged users both account management and access management need to be well-organised. The principle is also that regular and privileged accounts are used completely separately. Privileged accounts or admin accounts should only be used for special administrative tasks that require those elevated privileges. For routine day-to-day operations, administrators should also user their regular user accounts.

A standard IAM platform like HelloID is well-equipped to manage multiple accounts for an individual, thereby acting as an overall identity management system. Through business rules, you can ensure that each employee has a standard account and administrators also receive an administrative account with elevated privileges. This prevents the creation of unnecessary privileged accounts. This is a key requirement within security standards like ISO 27001, the BIO, and NEN 7510.

There are also specialised PAM systems designed to support a variety of additional procedures and more stringent access requirements. These PAM solutions are particularly notable for providing real-time security for management systems. For many organisations, Just-in-Time (JIT) Access is an essential feature. With JIT, administrators are granted access only for specific actions, during certain hours or only after approval by their supervisor. Admin sessions are actively logged and monitored. Sessions exceeding a certain duration are automatically terminated. A PAM solution can also ensure that critical management tasks are always executed according to the ‘four eye principle’. It can also support a Break Glass procedure for emergencies.

This ensures that with a Privileged Access Management platform, you can manage your IT environment while simultaneously minimising security risks.