What is privileged access management (PAM)?
Protect your organization from cyberthreats by monitoring, detecting, and preventing unauthorized privileged access to critical resources.
Privileged access management (PAM) is an identity security solution that helps protect organizations against cyberthreats by monitoring, detecting, and preventing unauthorized privileged access to critical resources. PAM works through a combination of people, processes, and technology and gives you visibility into who is using privileged accounts and what they are doing while they are logged in. Limiting the number of users who have access to administrative functions increases system security while additional layers of protection mitigate data breaches by threat actors.
How does privileged access management work?
A PAM solution identifies the people, processes, and technology that require privileged access and specifies the policies that apply to them. Your PAM solution must have capabilities to support the policies you establish (e.g., automated password management and multifactor authentication) and administrators should have the ability to automate the process of creating, amending, and deleting accounts. Your PAM solution should also continuously monitor sessions so you can generate reports to identify and investigate anomalies.
Two primary use cases for privileged access management are preventing credential theft and achieving compliance.
Credential theft is when a threat actor steals login information to gain access to a user’s account. After they are logged in, they can access organizational data, install malware on various devices, and gain access to higher-level systems. A PAM solution can mitigate this risk by ensuring just-in-time and just-enough access and multifactor authentication for all admin identities and accounts.
Whatever compliance standards apply to your organization, a least-privilege policy is likely required to protect sensitive data like payment or personal health information. A PAM solution also enables you to prove your compliance by generating reports of privileged user activity—who is accessing what data and why.
Additional use cases include automating the user lifecycle (i.e., account creation, provisioning, and deprovisioning), monitoring and recording privileged accounts, securing remote access, and controlling third-party access. PAM solutions can also be applied to devices (the Internet of Things), cloud environments, and DevOps projects.
The misuse of privileged access is a cybersecurity threat that can cause serious and extensive damage to any organization. A PAM solution offers robust features to help you stay ahead of this risk.
- Provide just-in-time access to critical resources
- Broker secure remote access through an encrypted gateway that injects the privileged credential for the session, so the user never sees or handles the password
- Monitor privileged sessions to support investigative audits
- Analyze unusual privileged activity that might be harmful to your organization
- Capture privileged account events for compliance audits
- Generate reports on privileged user access and activity
- Protect DevOps pipelines by vaulting and rotating the secrets they use instead of leaving them hard-coded in scripts and configuration
Types of privileged accounts
Privileged accounts provide access and privileges beyond those of non-privileged accounts (e.g., standard user accounts and guest user accounts). Common types include the following.
Super user accounts
Super user accounts (for example, root on Linux or the built-in Administrator on Windows) are privileged accounts used by administrators who have unrestricted access to files, directories, and resources. They can install software, change configurations and settings, and delete users and data.
Domain administrator accounts
Domain administrator accounts are the highest level of control in a system. These accounts have access to all workstations and servers across your domain and control system configurations, admin accounts, and group memberships.
Local administrator accounts
Local administrator accounts have admin control over specific servers or workstations and are often created for maintenance tasks.
Application administrator accounts
Application administrator accounts have full access to specific applications and the data stored in them.
Service accounts
Service accounts are non-human accounts under which applications, services, and scheduled jobs run and authenticate to the operating system and to other systems. They are frequently highly privileged, rarely have their passwords rotated, and are easy to lose track of, so they need the same vaulting and monitoring as human admin accounts.
Business privileged user accounts
Business privileged user accounts have high-level privileges based on job responsibilities.
Emergency accounts
Emergency (break-glass) accounts give otherwise unprivileged users admin access to secured systems during a disaster or disruption. Because they bypass normal controls, they should be vaulted or stored offline, every use should be monitored and reviewed, and their credentials should be rotated after each use.
PAM vs. PIM
Privileged access management helps organizations manage identities and makes it harder for threat actors to penetrate a network and obtain privileged account access. It adds protection to privileged groups that control access to domain-joined computers and the applications on those computers. PAM also provides monitoring, visibility, and fine-grained controls so you can see who your privileged admins are and how their accounts are being used.
Privileged identity management (PIM) provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access to sensitive resources in your organization by enforcing just-in-time access and just-enough access for these accounts. To further secure these privileged accounts, PIM enables you to enforce policy options like multifactor authentication.
PAM and PIM overlap, but PAM is the broader discipline: it uses tools and technology to control and monitor access to your resources on the principle of least privilege (employees get just enough access to do their jobs). PIM focuses on the admin and super user roles themselves, securing them with time-bound, approval-gated activation rather than standing membership.
Privileged access management best practices
As you plan for and implement your PAM solution, there are best practices to keep in mind to help improve security and mitigate risk in your organization.
Require multifactor authentication
Add a layer of protection to the sign-in process with multifactor authentication. When accessing privileged accounts or apps, users must prove their identity with a second factor, such as an authenticator app on a registered device or a hardware security key, in addition to their password.
Automate your security
Reduce the risk of human error and increase efficiency by automating your security environment. For example, you can automatically restrict privileges and prevent unsafe or unauthorized actions when a threat is detected.
Remove unnecessary local administrators from endpoints
Identify the users who do not need it and remove them from the local Administrators group on Windows workstations. A threat actor who compromises one local admin account can use it to jump from workstation to workstation, steal other credentials found on each machine, and elevate privileges to move through the network.
Establish baselines and monitor deviations
Audit privileged access activity to see who is doing what in the system and how privileged passwords are being used. Knowing what the baseline is for acceptable activity helps you to spot deviations that may compromise your system.
Provide just-in-time access
Apply least privilege to everything and everyone by default, then elevate privileges only when needed and only for the task at hand. This lets you segment systems and networks by the trust level, need, and privilege of the users and processes that touch them.
Avoid perpetual privileged access
Consider temporary just-in-time access and just-enough access instead of perpetual privileged access. This helps ensure that users have a valid reason for such access and only for the time required.
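The time-bound, approval-gated elevation described above (and the role activation that the PAM vs. PIM section attributes to PIM) as a small added example. This code is not part of the original page and is not the API of any Microsoft product: it is a hypothetical in-memory broker in which users hold no standing privileges and every activation needs a reason, a distinct approver, and an expiry. The 4-hour cap, the user and role names, and the incident reference are assumptions made for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_GRANT = timedelta(hours=4)   # assumed policy cap on any activation (not from the page)


@dataclass
class Grant:
    user: str
    role: str
    reason: str
    approver: str
    starts: datetime
    expires: datetime


class JitBroker:
    """Hypothetical just-in-time elevation broker (illustrative only).

    Users are merely *eligible* for roles; nothing is active until requested.
    An activation needs a justification and an approver other than the requester,
    is capped at MAX_GRANT, and lapses on its own once the clock passes `expires`.
    Every decision, including denials, lands in an append-only audit trail.
    """

    def __init__(self, eligible):
        self.eligible = eligible        # user -> set of roles the user may activate
        self.grants = []                # live Grant objects
        self.audit = []                 # (event, ...) tuples for later review

    def _deny(self, exc, user, role, why, now):
        self.audit.append(("deny", user, role, why, now.isoformat()))
        raise exc(why)

    def request(self, user, role, reason, duration, approver, now):
        if role not in self.eligible.get(user, set()):
            self._deny(PermissionError, user, role, f"{user} is not eligible for {role}", now)
        if not reason.strip():
            self._deny(ValueError, user, role, "activation requires a justification", now)
        if approver == user:
            self._deny(PermissionError, user, role, "self-approval is not allowed", now)
        duration = min(duration, MAX_GRANT)          # just-enough time, never beyond the cap
        grant = Grant(user, role, reason, approver, now, now + duration)
        self.grants.append(grant)
        self.audit.append(("activate", user, role, approver, reason,
                           now.isoformat(), grant.expires.isoformat()))
        return grant

    def has_access(self, user, role, now):
        """True only while a live grant covers (user, role) at `now`."""
        return any(g.user == user and g.role == role and g.starts <= now < g.expires
                   for g in self.grants)

    def sweep(self, now):
        """Drop expired grants, record each deactivation, return how many lapsed."""
        live = []
        for g in self.grants:
            if now >= g.expires:
                self.audit.append(("expire", g.user, g.role, now.isoformat()))
            else:
                live.append(g)
        removed = len(self.grants) - len(live)
        self.grants = live
        return removed


def demo():
    """Run one constructed scenario and return the observable results."""
    t0 = datetime(2024, 3, 11, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    broker = JitBroker({"alice": {"DomainAdmin"}, "bob": {"LocalAdmin"}})
    # alice asks for 8 hours with a ticket reference; policy trims it to the cap.
    g = broker.request("alice", "DomainAdmin", "INC-1234: restore domain trust",
                       timedelta(hours=8), "bob", t0)
    results = {
        "granted_hours": (g.expires - g.starts) / timedelta(hours=1),
        "live_after_1h": broker.has_access("alice", "DomainAdmin", t0 + timedelta(hours=1)),
        "live_after_4h": broker.has_access("alice", "DomainAdmin", t0 + timedelta(hours=4)),
        "bob_never_got_it": not broker.has_access("bob", "DomainAdmin", t0),
    }
    checks = {  # each of these must be refused
        "rejected_ineligible": (("bob", "DomainAdmin", "why not", timedelta(hours=1), "alice", t0), PermissionError),
        "rejected_no_reason": (("alice", "DomainAdmin", "   ", timedelta(hours=1), "bob", t0), ValueError),
        "rejected_self_approval": (("alice", "DomainAdmin", "INC-1235", timedelta(hours=1), "alice", t0), PermissionError),
    }
    for name, (args, exc) in checks.items():
        try:
            broker.request(*args)
            results[name] = False
        except exc:
            results[name] = True
    results["expired_by_sweep"] = broker.sweep(t0 + timedelta(hours=4))
    results["audit_events"] = [e[0] for e in broker.audit]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the sweep is that access ends even if nobody remembers to revoke it; a real deployment would also push the deactivation to the directory or cloud role assignment rather than only to an in-memory list.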
Use activity-based access control
Grant privileges only to the resources a person actually uses based on their past activity and usage. Aim to close the gap between privileges granted and privileges used.
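The two practices of establishing a baseline and flagging deviations, and of comparing privileges granted with privileges actually used, as one added example over a constructed privileged-session log. This is not code from the original page or from any product; the log lines, users, host names and the granted-role table are made up for the illustration, and the "off-hours" rule (any hour more than one hour away from every hour the user was previously seen at) is an assumed, deliberately simple heuristic.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records, not real logs: timestamp, user, host, privilege used.
BASELINE_LOG = """\
2024-03-04T09:12:00,alice,db-01,DBA
2024-03-04T10:40:00,alice,db-02,DBA
2024-03-05T09:05:00,alice,db-01,DBA
2024-03-04T14:00:00,bob,web-01,LocalAdmin
2024-03-05T15:30:00,bob,web-02,LocalAdmin
"""

NEW_LOG = """\
2024-03-11T09:30:00,alice,db-01,DBA
2024-03-11T02:15:00,alice,dc-01,DomainAdmin
2024-03-11T14:10:00,bob,web-01,LocalAdmin
2024-03-11T22:45:00,bob,web-01,LocalAdmin
2024-03-11T11:00:00,carol,db-01,DBA
"""

# Assumed entitlement table: what each user has been granted, whether or not used.
GRANTED = {"alice": {"DBA", "DomainAdmin"}, "bob": {"LocalAdmin", "DBA"}}


def parse(log):
    rows = []
    for line in log.strip().splitlines():
        ts, user, host, priv = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, host, priv))
    return rows


def build_baseline(rows):
    """Per user: hosts touched, privileges exercised, and hours of day seen."""
    base = defaultdict(lambda: {"hosts": set(), "privs": set(), "hours": set()})
    for ts, user, host, priv in rows:
        b = base[user]
        b["hosts"].add(host)
        b["privs"].add(priv)
        b["hours"].add(ts.hour)
    return base


def _hour_distance(a, b):
    """Distance on a 24-hour clock, so 23:00 and 00:00 are one hour apart."""
    d = abs(a - b)
    return min(d, 24 - d)


def find_deviations(baseline, rows, slack=1):
    """Return (user, timestamp, reason) for every event outside the baseline."""
    alerts = []
    for ts, user, host, priv in rows:
        b = baseline.get(user)
        if b is None:
            alerts.append((user, ts.isoformat(), "no baseline for user"))
            continue
        if host not in b["hosts"]:
            alerts.append((user, ts.isoformat(), f"new host {host}"))
        if priv not in b["privs"]:
            alerts.append((user, ts.isoformat(), f"new privilege {priv}"))
        if all(_hour_distance(ts.hour, h) > slack for h in b["hours"]):
            alerts.append((user, ts.isoformat(), f"off-hours activity at {ts.hour:02d}:00"))
    return alerts


def unused_privileges(granted, rows):
    """Granted-but-never-used privileges per user: the gap to close."""
    used = defaultdict(set)
    for _, user, _, priv in rows:
        used[user].add(priv)
    return {user: sorted(roles - used[user])
            for user, roles in granted.items() if roles - used[user]}


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for alert in find_deviations(base, parse(NEW_LOG)):
        print("ALERT", *alert)
    print("unused:", unused_privileges(GRANTED, parse(BASELINE_LOG)))
```

On the constructed data, alice's 02:15 DomainAdmin session on a domain controller trips all three rules at once, bob's late-evening session trips only the off-hours rule, and carol has no history at all. The unused-privilege report over the baseline window shows alice holding DomainAdmin and bob holding DBA without ever exercising them, which is exactly the kind of standing privilege to convert to just-in-time eligibility.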
The importance of privileged access management
Humans are the weakest link when it comes to system security and privileged accounts pose a significant risk to your organization. PAM equips security teams to identify malicious activities that are the result of privilege abuse and take immediate action to remediate risk. A PAM solution can ensure that employees have only the necessary levels of access to do their jobs.
In addition to identifying malicious activities linked to privilege abuse, a PAM solution will help your organization:
- Minimize the potential for a security breach. If a breach does occur, a PAM solution helps limit its reach in your system.
- Reduce entrances and pathways for threat actors. Limited privileges for people, processes, and applications protect against internal and external threats.
- Prevent malware attacks. If malware does gain a foothold, removing excessive privileges can help reduce its spread.
- Create a more audit-friendly environment. Achieve a comprehensive security and risk management strategy with activity logs that help you monitor and detect suspicious activity.
How to implement PAM security
To get started with privileged access management, you need a plan to:
- Provide full visibility to all privileged accounts and identities. Your PAM solution should let you see all privileges that are used by human users and workloads. Once you have this visibility, remove or disable default and shared admin accounts and apply the least privilege principle.
- Govern and control privileged access. You will need to stay up to date on privileged access and maintain control over privilege elevation so that it doesn’t get out of hand and put your organization’s cybersecurity at risk.
- Monitor and audit privileged activities. Institute policies that define legitimate behavior for privileged users and identify actions that violate those policies.
- Automate PAM solutions. It is possible to scale across millions of privileged accounts, users, and assets to improve your security and compliance. Automate discovery, management, and monitoring to reduce administrative tasks and complexity.
Depending on your IT department, you may be able to use your PAM solution right out of the box and gradually add modules to support bigger and better functionality. You also need to consider security control recommendations to meet your compliance regulations.
It’s also possible to integrate your PAM solution with your security information and event management (SIEM) solution.
Privileged access management solutions
Technology alone isn’t enough to protect your organization from cyberattacks. It takes a solution that considers your people, processes, and technology.
Learn how Microsoft Security identity and access solutions help protect your organization by securing access to the connected world for all of your users, smart devices, and services.
Frequently asked questions
Identity and access management (IAM) consists of rules and policies that control the who, what, when, where, and how of access to resources. These include password management, multifactor authentication, single sign-on (SSO), and user lifecycle management.
Privileged access management (PAM) has to do with the processes and technologies necessary for securing privileged accounts. It is a subset of IAM that allows you to control and monitor the activity of privileged users (who have access above and beyond standard users) once they are logged into the system.
Robust session management is a PAM security tool that lets you see what privileged users (people in your organization who have root or administrator-level access to systems and devices) are doing once they are logged in. The resulting audit trails alert you to accidental or deliberate misuse of privileged access.
Privileged access management (PAM) can be used to strengthen your organization’s security posture. It lets you control who can reach your infrastructure and data, govern the configuration changes that privileged users make to your systems, and discover privileged accounts that are not yet under management.
Benefits of a PAM solution include mitigating security risks, reducing operational costs and complexity, enhancing visibility and situational awareness across your organization, and improving your regulatory compliance.
When deciding on a PAM solution for your organization, be sure that it includes multifactor authentication, session management and just-in-time access features, role-based security, real-time notifications, automation, and audit and reporting features.