Privileged accounts are used to grant access rights that extend beyond the original work area of certain users. This includes rights for applications, middleware and infrastructure such as servers or networks. Such accounts arouse the interest of cybercriminals – because they enable access to business-relevant, sensitive data and resources. That is why the controlled administration and management of such access rights – privileged access management (PAM) – is particularly important. We explain what is important for professional PAM.
Important information in advance:
According to IT market research experts Gartner, investments in privileged account control and monitoring are on the rise: by 2025, annual spending is expected to reach a total of 2.7 billion US dollars worldwide (around 2.4 billion euros; as of July 2023). The German market is also affected by this trend. Especially for companies in a regulated environment, the area of Identity & Access Management (IAM), including the component Privileged Access Management, is a sensible field of investment. This is because the associated measures help to effectively and measurably fulfill key requirements of VAIT (Versicherungsaufsichtliche Anforderungen an die IT) and BAIT (Bankaufsichtliche Anforderungen an die IT). However, simply purchasing an IAM software package is not enough. The topic must be integrated into the entire company organization and into suitable processes. We explain the framework in which PAM can succeed and the course your company must set to achieve this.
How does Privileged Access Management work?
Privileged Access Management (PAM) is a subdomain of cyber security that focuses on the administration (allocation and provisioning), control and monitoring of all privileged accounts and their technical activities in the company IT. This enables companies to preventatively detect uncontrolled access and malicious actions, ensuring the protection of sensitive data.
The privileges of users and accounts with advanced access go beyond the rights of standard users. Privileged rights can be granted directly to individuals or to designated user accounts (such as technical users, super users or administrator accounts), which can be assigned to individuals on a temporary and task-related basis. After explicit approval, the assignment is carried out through a user switch and, ideally, by checking the credential out of a password safe.
The approval process itself is carried out by the responsible persons or committees in several stages – for example, by managers, service owners and the IAM team. To assign user rights, a company must first obtain an overview of existing user accounts and identify privileged accounts. Appropriate security measures must then be taken and guidelines defined for these accounts. The assignment process is based on the following two principles:
Need-to-know principle: The decisive factor here is that users should only be able to access the data they actually need to perform their tasks.
Minimal principle: The user is given as few rights as possible, and only temporarily when needed.
After that, the credentials of the privileged accounts must be managed and a system for documenting and analyzing user behavior must be introduced. The design focus of the PAM concept is less on the use of individual technical features. Rather, it is about the holistic consideration of the individual business process requirements, company IT and the resulting specifications.
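The workflow described above (inventoried privileged accounts, a multi-stage approval, a time-limited and task-related grant, credential checkout from a password safe, and a record of every decision) can be expressed in a few dozen lines. The following is an added example written for this article, not code from any PAM product or from the authors; the account inventory, the stage names (manager, service owner, IAM team), the 4-hour cap and all names and secrets are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed inventory of privileged accounts: service owner plus the secret a
# password safe would hold for it. All values are made up for this example.
PRIVILEGED_ACCOUNTS = {
    "db-admin-prod": {"service_owner": "alice", "secret": "example-db-secret"},
    "net-admin-core": {"service_owner": "bob", "secret": "example-net-secret"},
}

# Approval stages in the order the text describes (manager, service owner, IAM team).
APPROVAL_STAGES = ("manager", "service_owner", "iam_team")
HOUR = timedelta(hours=1)
MAX_GRANT = 4 * HOUR  # assumed policy cap: privileged rights are always temporary


def utc(year, month, day, hour=0, minute=0):
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


class FakeClock:
    """Deterministic clock so grant expiry can be exercised without waiting."""

    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, delta):
        self.now += delta


@dataclass
class AccessRequest:
    requester: str
    account: str
    justification: str
    duration: timedelta
    approvals: dict = field(default_factory=dict)  # stage -> approver
    granted_until: Optional[datetime] = None


class PamBroker:
    """Brokers time-limited, multi-stage-approved access to a privileged account."""

    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self._clock = clock
        self._requests = {}
        self.audit_log = []  # every decision is recorded for later review

    def _log(self, event, **fields):
        self.audit_log.append({"ts": self._clock().isoformat(), "event": event, **fields})

    def request_access(self, req_id, requester, account, justification, duration):
        if account not in PRIVILEGED_ACCOUNTS:
            raise ValueError(f"{account} is not an inventoried privileged account")
        if not justification.strip():
            raise ValueError("need-to-know: a task-related justification is required")
        # Minimal principle: never grant longer than the policy cap.
        req = AccessRequest(requester, account, justification, min(duration, MAX_GRANT))
        self._requests[req_id] = req
        self._log("request", req_id=req_id, requester=requester, account=account)
        return req

    def approve(self, req_id, stage, approver):
        """Record one approval stage; returns True once the grant becomes active."""
        req = self._requests[req_id]
        if req.granted_until is not None:
            raise PermissionError("request already fully approved")
        if approver == req.requester:
            raise PermissionError("separation of duties: requester cannot approve own request")
        expected = APPROVAL_STAGES[len(req.approvals)]
        if stage != expected:
            raise PermissionError(f"stage {expected!r} must be approved before {stage!r}")
        if stage == "service_owner" and approver != PRIVILEGED_ACCOUNTS[req.account]["service_owner"]:
            raise PermissionError("only the account's service owner may approve this stage")
        req.approvals[stage] = approver
        self._log("approve", req_id=req_id, stage=stage, approver=approver)
        if len(req.approvals) == len(APPROVAL_STAGES):
            req.granted_until = self._clock() + req.duration
            self._log("grant", req_id=req_id, until=req.granted_until.isoformat())
        return req.granted_until is not None

    def checkout(self, req_id, user):
        """Hand out the credential only to the requester and only inside the window."""
        req = self._requests[req_id]
        active = req.granted_until is not None and self._clock() < req.granted_until
        if user != req.requester or not active:
            self._log("checkout_denied", req_id=req_id, user=user)
            raise PermissionError("no active grant for this user")
        self._log("checkout", req_id=req_id, user=user, account=req.account)
        return PRIVILEGED_ACCOUNTS[req.account]["secret"]


if __name__ == "__main__":
    clock = FakeClock(utc(2024, 1, 1, 9))
    broker = PamBroker(clock)
    broker.request_access("r1", "carol", "db-admin-prod", "apply quarterly patches", 8 * HOUR)
    for stage, who in (("manager", "dave"), ("service_owner", "alice"), ("iam_team", "erin")):
        print(stage, "->", broker.approve("r1", stage, who))
    print("credential:", broker.checkout("r1", "carol"))
    clock.advance(5 * HOUR)
    try:
        broker.checkout("r1", "carol")
    except PermissionError as err:
        print("after expiry:", err)
```

Three design points carry the weight of the text: the requester can never approve their own request, the stages are enforced in order and the service-owner stage is tied to the inventoried owner, and the grant window is computed at the moment the last approval lands rather than at request time, so a long-pending request does not silently extend its validity.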
Why is PAM important?
Unfortunately, the theft of privileged rights is not uncommon. The reason: an ever-increasing number of interfaces, systems and tools that need to be linked to privileged accounts. The greater the number of privileged accounts, the higher the risk of being affected by an attack. When attacking systems, cybercriminals usually go for the weakest link.
This is where modern ransomware attacks come into play: the initial step is to use phishing to obtain privileged rights in order to extract data and install further malware. This way, the victim can be blackmailed twice: by encrypting and destroying data, and at the same time by publishing it on dubious servers in third world countries. The implementation of a holistic PAM concept thus goes far beyond mere password security at a technical level.
A comprehensive PAM strategy takes into account the interaction of people, processes and technologies. Embedded in the entire lifecycle of privileged rights, it provides elementary IT security components such as access controls, authentication methods, password management systems and technology platforms for logging admin user behavior.
Excursus: data security vs. data protection in the context of PAM
When implementing systems like SIEM (security information and event management) that document and monitor user behavior, companies must take important data protection requirements into account. In this context, data protection and data security can contradict each other.
Companies must ensure both the security of company data and the privacy of employees – and exclude the possibility of comprehensive performance monitoring, for example.
A data protection impact assessment ensures that monitoring systems are implemented in compliance with the GDPR in the context of PAM. In this process, experts analyze the data protection risks and derive (technical) measures to protect personal data. This makes PAM possible despite stringent data protection requirements.
6 parameters for a holistic PAM concept
In order to handle privileged user accounts efficiently and securely, companies must take these six parameters into account:
- Holistic guidelines
PAM guidelines describe procedures and controls that manage and restrict access to systems, data and other resources of authorized users. They should be adapted to the organizational structure, the individual requirements of your IT environment and the legal requirements. The guidelines should include at least the following components: access control lists, authentication procedures, authorization rules and the logging of user activities.
- Authorization process
From the initial creation of a new user to their departure from the company or internal department change, all authorization-relevant steps and associated processes must be precisely defined. This ensures that the assignment, modification and withdrawal of privileged user rights is carried out in a controlled and traceable manner.
- Modeling of rights
The need-to-know and least privilege principles mean that users are given only the access they absolutely need for their work, with as few rights as possible. Time-limited assignment also plays an essential role in modeling. Strict and controlled assignment of rights reduces the risk of malicious actions by your own employees.
- Activity recording through logging
Comprehensive logging captures and records all activities of privileged users. This makes it possible to trace the exact course of events in the event of a security breach and can support possible forensic investigations. Compliance requirements can also be met more easily by providing auditable records.
- Password safe
Using a password safe such as CyberArk reduces the risk of unauthorized access. It also enables granular access control so that privileged entry is only granted to authorized users. This increases security and minimizes the risk of data breaches or misuse. Overall, a password safe is an important mitigating measure in risk management.
- Control and monitoring
With the help of suitable methods such as session recording, activities and user actions can be monitored and checked. These practices are crucial to ensure the security of privileged access and to detect anomalies or potential security breaches in good time. Furthermore, monitoring facilitates accountability and thus increases compliance. However, data protection must be taken into account here, as recording and analyzing admin sessions can also be used for performance monitoring. Close coordination with the CISO or the works council is necessary.
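The logging and monitoring parameters above only pay off if someone actually correlates the records: a recorded session is benign when it falls inside an approved grant window and suspicious when there is no grant or when it outlives the grant. The following is an added example written for this article, not code from any PAM or SIEM product; the audit line format, the sample log, the account and user names and the pseudonymization key are all constructed assumptions.

```python
import hashlib
import hmac
import re
from datetime import datetime, timezone

# Constructed audit trail: grant records from the approval workflow plus
# session start/end events from session recording. Made up for this example.
SAMPLE_LOG = [
    "2024-01-01T09:05:00Z grant user=carol account=db-admin-prod until=2024-01-01T13:00:00Z req=r1",
    "2024-01-01T09:10:00Z session_start user=carol account=db-admin-prod session=s1",
    "2024-01-01T13:30:00Z session_end user=carol account=db-admin-prod session=s1",
    "2024-01-01T10:00:00Z session_start user=mallory account=net-admin-core session=s2",
    "2024-01-01T10:05:00Z session_end user=mallory account=net-admin-core session=s2",
    "2024-01-01T11:00:00Z session_start user=carol account=net-admin-core session=s3",
]

# Assumed line format: "<ISO timestamp> <event> key=value key=value ..."
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+)(?P<kv>(?: \w+=\S+)*)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Turn one audit line into a dict; rejects lines that do not match the format."""
    match = LOG_LINE.match(line.strip())
    if not match:
        raise ValueError(f"unparseable audit line: {line!r}")
    record = {"ts": parse_ts(match["ts"]), "event": match["event"]}
    for pair in match["kv"].split():
        key, value = pair.split("=", 1)
        record[key] = value
    return record


def analyze(lines):
    """Correlate recorded sessions with grant windows; one finding per anomaly."""
    grants = {}    # (user, account) -> list of (granted_at, until)
    sessions = {}  # session id -> who, which account, start, end
    for rec in map(parse_line, lines):
        if rec["event"] == "grant":
            key = (rec["user"], rec["account"])
            grants.setdefault(key, []).append((rec["ts"], parse_ts(rec["until"])))
        elif rec["event"] == "session_start":
            sessions[rec["session"]] = {"user": rec["user"], "account": rec["account"],
                                        "start": rec["ts"], "end": None}
        elif rec["event"] == "session_end" and rec["session"] in sessions:
            sessions[rec["session"]]["end"] = rec["ts"]

    findings = []
    for sid, s in sessions.items():
        covering = [until for granted_at, until in grants.get((s["user"], s["account"]), [])
                    if granted_at <= s["start"] < until]
        if not covering:
            reason = "session without approved grant"
        elif s["end"] is not None and s["end"] > max(covering):
            reason = "session ran past grant expiry"
        else:
            continue
        findings.append({"session": sid, "user": s["user"],
                         "account": s["account"], "finding": reason})
    return findings


def pseudonymize(findings, key):
    """Replace user names with keyed HMAC tokens so routine review sees patterns,
    not people. Assumption: the key is held by a separate role agreed with the
    works council or data protection officer, so re-identification needs that
    role's cooperation (a technical measure of the kind the text mentions)."""
    out = []
    for f in findings:
        token = hmac.new(key, f["user"].encode(), hashlib.sha256).hexdigest()[:12]
        out.append({**f, "user": f"user-{token}"})
    return out


if __name__ == "__main__":
    for finding in pseudonymize(analyze(SAMPLE_LOG), key=b"example-pseudonymization-key"):
        print(finding)
```

On the sample data this flags three things a reviewer would want to see: a session that ran past its grant expiry, a session on an account for which no grant exists at all, and a still-open session without a grant. The keyed pseudonym keeps the report usable for anomaly review (the same person maps to the same token) while keeping named performance monitoring out of the default workflow.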
Conclusion: PAM is an important building block of IT security
A PAM concept is not the only answer to all possible dangers from cyber-attacks. However, careful implementation can significantly minimize the risk of IT damage. A holistic PAM concept ensures that attackers cannot cause damage on a scale that threatens the company's existence. With the help of PAM, companies can reduce the various risks to an acceptable residual risk.
Beyond standard solutions, a comprehensive, individually designed IT security concept is needed, which also includes the holistic PAM strategy. Do you have questions about how to make PAM effective and secure in the context of various compliance and data protection requirements?
Feel free to contact us.
Carolin Neumeier
X1F