Privileged access management or PAM for short is critical to any modern cybersecurity workflow. It’s a subset of identity and access management (IAM) that focuses on user management. Why is this important? Because typically security control and management focus on the object the organization is managing and objectives that the organization is trying to secure. PAM extends that range to the individuals in the organization.
PAM implementation is usually flexible, meaning one can incorporate it with other access controls, like RBAC (role-based access control). Rather than simply saying “all managers from the accounting department can access this account receivable file,” PAM goes deeper by adding that “only the account receivable manager in the New York location can access this file.”
This makes the manager privileged for a specific time and location. This allows John to exert control over the file as necessary. By dialing in the appropriate level of access, it allows auditing and other entities to spend less time finding culprits when a problem (or an attack) occurs.
PAM is one of the best ways to reduce cybersecurity risks because it enables cybersecurity managers to easily quantify their security posture. PAM makes it easy for them to justify their decision. For example, it is easy to say “John is our account receivable manager in New York, he has been granted access to the file to do his job.”
Another manager, Joe, from Canada should probably not have access to the file even if they are in the same department and same company but ultimately that discretion is up to the company and PAM allows them to achieve this.
By now, you can see the ease of control that PAM gives to organizations for account management. PAM will also shrink the attack surface as the outside attack would have to narrow in on a very specific user rather than simply targeting any individual in the accounting department. Explicitly, this also means the cybersecurity team can decide the location and time making a successful attack much harder.
For example, unless John specifically requested access to the file in another country while on vacation, likely, this person trying to gain access to the file is not John. Many solutions that include PAM also have a setup where strange user behavior will notify the cybersecurity team in real-time. For example, it would be unlikely that John has an uptime of four days in another continent.
PAM doesn’t require very much change to the environment and is often a module installation on top of existing security stacks. This allows organizations to maintain existing compliances while enhancing security.
By now, the urgency to start a PAM initiative should be there, if it isn’t by now. Start by looking at PAM suppliers in the industry, establishing basic guidelines, and looking at best practices and challenges that your organization faces. Almost overnight, once the implementation is complete, the organization will have an easier time leaving them to focus on more important things.