What is PAM?
Let's start with the definition of privileged: “Having special rights, advantages, or immunities”
Based on that definition, we could say the following about PAM:
Privileged Access Management (PAM) simply means controlling who or what is allowed to access infrastructure, applications and workloads (in fact, anything), for how long, and with what level of access, in order to reduce risk.
I’m sure we could come up with 50 other ways of saying it, simplifying it, or changing it to suit the narrative of whoever is saying it.
In fact, the industry has done just that.
With so many acronyms, no wonder PAM is confusing… It’s confusing to me, and I’ve been working in the PAM space for over half of my life now. Even the acronym PAM itself has different meanings depending on who you talk to, what day of the week it is and which way the wind is blowing.
So this blog aims to simplify PAM and explain what it really means. There will be follow-up blogs looking at some of the challenges of moving forward with PAM, traditional vs new approaches to PAM, and some thoughts on what works best based on our experience.
Why do we have PAM?
I’ve been guilty in the past of talking too much about the cyber kill chain, misusing the word hacker, and talking about insider threats, external threat actors vs malicious insiders… the list can go on forever. All those things are really just hype words; the reality is that to get to sensitive data, systems, apps or anything else deemed important enough, privilege is often required.
Yes, there are lots of scary security stories, scare tactics from vendors, stats galore, etc. But from a security best-practice standpoint alone, we should do what we can to protect what is most valuable to us, and PAM helps us do that.
Privilege is necessary!
For me, privilege itself is a control. Without privilege, everything or everyone would have access to everything. Imagine a firewall with an any > any rule; there is a reason deny is the number one rule. Privilege is a gatekeeper: to get access to what is most important, you need privilege. Whilst it’s necessary, there are things you can control to help you reduce risk, which is ultimately the name of the game.
- Scope – Controlling the scope of privilege is often referred to as least privilege: granting only the access rights required to perform the required function.
- Time – Granting privilege for only a specified time is commonly referred to as just-in-time or JIT. This helps achieve the objective of risk reduction by removing standing privilege.
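As an added illustration (not code from this post or any vendor), here is a small Python model of the two controls just described: a grant's scope is the set of actions and targets it covers, and its time window is what makes it just-in-time rather than standing. The principal names, actions and host names are constructed sample values.

```python
# Added example: evaluating privilege grants by scope (least privilege)
# and time (just-in-time), with a report of standing privilege.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Grant:
    principal: str                      # who or what holds the privilege
    actions: Tuple[str, ...]            # scope: allowed actions (glob patterns)
    targets: Tuple[str, ...]            # scope: hosts/apps the actions may touch
    starts: Optional[datetime] = None   # JIT window start; None = no lower bound
    expires: Optional[datetime] = None  # JIT window end; None = standing privilege


def grant_active(g: Grant, now: datetime) -> bool:
    """True if `now` lies inside the grant's window (open-ended if unset)."""
    if g.starts is not None and now < g.starts:
        return False
    if g.expires is not None and now >= g.expires:
        return False
    return True


def authorize(grants: Sequence[Grant], principal: str, action: str,
              target: str, now: datetime) -> Tuple[bool, str]:
    """Default deny: allow only if some grant matches scope AND is active."""
    reason = "no grant"
    for g in grants:
        if g.principal != principal:
            continue
        in_scope = (any(fnmatch(action, a) for a in g.actions)
                    and any(fnmatch(target, t) for t in g.targets))
        if not in_scope:
            continue
        if grant_active(g, now):
            return True, "matched scoped, active grant"
        reason = "grant expired or not yet active"   # in scope, wrong time
    return False, reason


def standing_privilege(grants: Sequence[Grant]) -> list:
    """Risk report: grants with no expiry are standing privilege JIT would remove."""
    return [g for g in grants if g.expires is None]


# Constructed sample: one standing service-account grant, one one-hour JIT grant.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE = (
    Grant("svc-backup", ("rsync *",), ("db-*",)),                       # standing
    Grant("alice", ("systemctl restart nginx",), ("web-01",),
          starts=T0, expires=T0 + timedelta(hours=1)),                    # JIT
)
```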
A brief history of the PAM market?
Caveat – it’s been 26 years since I left school and unfortunately PAM was not covered in history lessons, so this information is entirely sourced from internet searches, drunken conversations, and many meetings where this has been debated and never agreed on. So if the dates are wrong, feel free to let me know.
PAM is not new, and despite some wild marketing claims by vendors, no single vendor created the PAM market. There are definitely some major players in the PAM space who have shaped what it’s become today though.
One of the most widely used privileged access management technologies is sudo, which was developed around 1980. Some 40+ years later, sudo is still widely used across the world and is probably the most widely used PAM solution out there. I bet if you ask people though, they’ll tell you the name of a vendor in the top right of a certain analyst’s report.
It was sometime later just after the year 2000 that Password Vaults came to market. The first enterprise vault solution was PAR (Password Auto Repository) by a company called eDMZ who were later acquired by Quest software to become the former TPAM solution.
From there forward, the market took off and has become what we know of it today. It’s been a wild ride and one I’m fortunate to have been a part of for many years working for various PAM vendors.
Traditional PAM?
Most of us will be aware of the traditional PAM vendors in this space due to marketing efforts, analyst reports, talking with peers or even just good old internet searching.
You’ll find the large, established vendors who offer more of a platform play and, on initial viewing, seem to offer similar portfolios of capabilities, which have grown organically over time and in some cases via acquisitions.
You’ll see the common components:
- Password Vaulting – Secure Storage of credentials with rotation capabilities
- Session Management – Secure connections to infrastructure and apps with the ability to record user activity
- Least Privilege for desktops/laptops – Agent or agent-less elevation of apps, tasks or user rights on workstations
- Least Privilege for Servers – Agent or agent-less elevation of applications, tasks, commands or scripts across servers
- Secrets Management – Similar to vaulting but for secrets, tokens, keys or certificates
- AD bridging – Identity consolidation by using AD logons to log in to Unix/Linux machines
You’ll then see some differentiators:
- Access Management – App access and SSO capabilities
- Remote Access and Support – Secure remote access without the need for a VPN
- CIEM (Cloud Infrastructure Entitlements Management) – Understanding cloud entitlements and the ability to move to a least privilege model
- ITDR (Identity Threat Detection & Response) – A fairly new area that vendors are moving into. Identifying identity threats and automatically remediating issues, typically by revoking access or stopping sessions.
- Entitlements Management – Think of this like pure identity management, managing access to applications and being able to select which app entitlements people gain
Of course, it’s not just products that differentiate vendors. It’s the companies themselves, their employees, support capabilities, integrations, delivery and partners.
For me personally, the two most important things are:
- User experience and adoption – yes, this really is the first thing. I promise you, your programme will fail if you get this wrong.
- How well the vendor understands my problem and solves that problem, vs pitching everything at their disposal – PAM is a marathon, not a sprint (especially in large enterprise).
PAM is classed as a sticky solution because it’s very difficult to move between vendors, and often there is little value in doing so. We’ll talk about this more in future blogs, but there are options. What is key is choosing the right solution for your purpose rather than following the crowd or just choosing the “best” vendor.
PAM for the New Age?
At least I didn’t say next gen PAM 🙂
PAM is a well-established market now, and one of the benefits of being a new entrant to the market is that you can see what has worked, what could be refined to work better and perhaps what some of the gaps are.
The reality is, the world has evolved, our use of IT has changed, and some of the things we did in the old world of on-prem datacentres, servers, etc. just don’t make sense anymore.
That’s not to say that traditional PAM solutions or portfolios are obsolete; it just means you need to truly understand your requirements and ensure you’re getting something that best meets them.
These new age vendors tend not to offer the large platform play. Most of them are quite niche in their focus and they tend to offer solutions in single areas where they believe they can add the most value. The below are just some of those areas:
- Access Management
- Business Password Management
- Service Account Management
- Converged Identity Platforms
- Discovery
- Secrets Management
- CIEM
You tend not to see these vendors in most analyst reports. It’s not that they’re bad or anything; it’s just that the qualification criteria for these analyst reports often leave them standing in the shadows. We’ll speak more about that in a future blog though.
This introduces the basics of PAM:
- What it is
- Why we do it
- What we can control
- An intro to history
In our next blog, we’ll focus on some of the challenges with PAM and how to avoid some common