GigaOm Radar for Privileged Access Managementv2.0

1. Summary

Privileged credentials (or administrator rights) are a top target for attackers from outside an organization, and even from among unhappy staff within, because of the full access they provide. A privileged access management (PAM) solution is implemented to reduce or remove the need for humans to know privileged credentials, thus reducing the chance that they might be misused.

The PAM system becomes the keeper of all privileged credentials, with policies that allow specific identified individuals access to use the appropriate credentials. To be the single source of privileged access, a PAM solution should support all of the authentication sources an organization uses and all of the target systems to which elevated access permission is required. User acceptance is also important, and so the PAM solution should support or improve existing methods of accessing privileged systems; otherwise authorized staff will seek ways around the PAM solution.

A basic function of PAM is to maintain an encrypted vault with the privileged credentials and other protected resources. Logging and session recording are crucial PAM features, and they allow auditing of privileged actions and forensic analysis following a privilege misuse event. Simply having logs and recordings is not sufficient; searchability is crucial for verifying compliance and identifying the scope of any malicious access. Ideally, these logs would integrate into wider security analysis tools as part of a more holistic security approach.

Often, the PAM platform will act as a proxy or jump host to connect the unprivileged network where users operate to the privileged network that requires managed privilege credentials. The proxy function may support native tools, such as secure shell (SSH) or remote desktop protocol (RDP) gateways, or it may provide an HTML5 browser-based interface. The proxy may be part of the main vault application or it may be deployable as a separate server, and can access the PAM vault as credentials are required. The separation of vault and proxy is essential when the PAM solution is used to bridge different trust levels such as internet-based privileged access, or any multitenant deployment such as PAM as a service (PAMaaS).

No matter how secure a PAM system is, there’s always a risk of unintended disclosure of credentials or authorized staff who misbehave, whether accidentally or maliciously. Behavior analytics is a common method used to identify access that’s being exploited inappropriately, and is commonly integrated with a PAM solution. Ideally, the user behavior analytics (UBA) would be able to identify the individual user’s actions both with their own credentials and using the PAM to exercise privileged credentials.

This GigaOm Radar report highlights key PAM vendors and equips IT decision-makers with the information needed to select the best fit for their business and use case requirements. In the corresponding GigaOm report “Key Criteria for Evaluating PAM Solutions,” we describe in more detail the key features and metrics that are used to evaluate vendors in this market.