Every year we see an increase in security incidents involving stolen credentials. More than ever, cybercriminals are trying to obtain credentials using malware, social engineering, phishing, and a host of other tactics.
To protect mission-critical systems and applications, many organizations choose to implement Privileged Access Management (PAM) and Identity Governance and Administration (IGA) systems. In most cases this already happens, but separately and in isolation. Leaving both systems isolated from each other is a missed opportunity.
Identity and Access Management (IAM) encompasses the following disciplines:
As defined by analyst firm Gartner, IAM is: “The security discipline that enables the right people to access the right resources at the right time for the right reasons.” With IAM solutions, you can create and manage identities for your organization’s users and manage the access they need to your organization’s systems and data.
AM focuses on (remote) access to information systems for customers, employees, and systems. Users have to authenticate themselves in different ways. Usually this is done with a username and a password, but strong authentication/multi-factor authentication (MFA) is on the rise. MFA requires the user to perform an extra verification via, for example, an SMS, a hardware token (RSA SecurID) or a software token/app (Microsoft Authenticator). For regular accounts, such as email or Office 365, organizations often use an AM solution. For the more critical accounts, there is PAM. With PAM you simplify the management of privileged access to IT systems, applications, and infrastructure.
Privileged Access Management is an access control system for special accounts with elevated privileges, so-called privileged accounts. A PAM solution manages the passwords and keys of various types of privileged accounts and stores these credentials securely in a digital vault. Examples of privileged accounts are root/administrator accounts, system accounts, service accounts and application management accounts.
In particular, the management of non-personal privileged accounts, such as service accounts and built-in Administrator accounts, is easily forgotten. Without PAM, a breach of this type of privileged account can go undetected for an extended period of time, with serious consequences.
PAM ensures that the credentials of these privileged accounts are replaced on a regular basis, so that the risk of abuse of privileged accounts, and thus of ransomware, data breaches or other cybercrime, is minimized.
In addition, PAM facilitates the establishment of a secure management connection (privileged session) to target systems through a proxy server, also called steppingstone or jump server. Some tasks of this proxy server are:
All usage of privileged accounts is recorded by PAM, so that it can later be shown which user had privileged access at which time. In addition, privileged sessions are secured, monitored and (optionally) recorded.
With PAM, the security risks surrounding the use of administrative accounts are minimized. An organization can demonstrate that it meets (inter)national laws and regulations (Wbni, GDPR, SOX, EBA) based on existing European or internationally accepted norms, standards and/or guidelines for the protection of network and information systems (e.g., ISO/IEC 27002, NIST SP 800-53r4, CIS Controls).
A common misconception is that PAM issues/revokes (elevates) privileges and can thus enforce least privilege. That is, however, a task of IGA.
Identity Governance and Administration adds monitoring and reporting capabilities to Identity Management (IdM) in order to demonstrate compliance. IGA provides more insight into the identities and access rights of users, so that it can be checked who has which access rights to which systems. IGA automates account lifecycle management and the management of the roles and rights of individual users.
With IGA, organizations can onboard new employees faster and provide them with the right accounts and the access rights that correspond to their role within the organization. If an employee moves to another role or position, IGA automatically handles the creation of new accounts (provisioning) and/or modifies access rights. Without IGA, access rights that are no longer needed are in many cases never withdrawn. If an employee leaves the organization, IGA removes all of their accounts from systems and applications.
A common misconception is that IdM/IGA tools provide insight into who has had access to certain information and resources at what time. That insight is provided by (P)AM solutions.
As mentioned, many organizations use PAM and IGA separately. By combining them, more benefits can be reaped from both solutions. With an integrated approach you are much more in control of authorizations: a request for a privileged account can be handled easily within the parameters of the established IGA policies, and all access requests and approvals are part of a single approval chain. This saves a lot of manual work and also makes audits easier.
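To make the division of labour concrete, the following is an added example (not from the article or any vendor product) that models the integrated chain in a few lines: IGA's role model decides whether an identity is entitled to a privileged account at all, and PAM checks the credential out of the vault, records who used it and when, and rotates the secret on check-in. Role names, accounts and users are constructed sample data.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# IGA side: the role model (constructed). Only these roles may request these accounts.
ROLE_ENTITLEMENTS = {
    "dba": {"oracle-sys"},
    "linux-admin": {"root@web01"},
}

@dataclass
class Identity:
    user: str
    roles: set = field(default_factory=set)
    active: bool = True  # set to False when the leaver process offboards the user

@dataclass
class PamVault:
    vault: dict = field(default_factory=dict)   # account -> current secret
    audit: list = field(default_factory=list)   # (event, user, account, time)

    def checkout(self, identity: Identity, account: str, now: datetime = None) -> dict:
        """Issue a time-bound privileged session, but only if IGA entitles the identity."""
        now = now or datetime.now(timezone.utc)
        if not identity.active:
            raise PermissionError(f"{identity.user} is offboarded; request refused")
        entitled = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in identity.roles))
        if account not in entitled:
            # IGA policy decides entitlement; PAM never hands out more than that.
            raise PermissionError(f"{identity.user} has no role entitling {account}")
        self.audit.append(("checkout", identity.user, account, now))
        return {"user": identity.user, "account": account, "start": now,
                "expires": now + timedelta(hours=1), "secret": self.vault[account]}

    def checkin(self, session: dict, now: datetime = None) -> str:
        """End the session and rotate the secret so the value just used is worthless."""
        now = now or datetime.now(timezone.utc)
        new_secret = secrets.token_urlsafe(24)
        self.vault[session["account"]] = new_secret
        self.audit.append(("rotate", session["user"], session["account"], now))
        return new_secret

    def who_had_access(self, account: str) -> list:
        """The 'who had privileged access, and when' question that PAM (not IGA) answers."""
        return [(u, t) for ev, u, a, t in self.audit if ev == "checkout" and a == account]
```

The audit trail answers the "who, when" question, while the entitlement check is the least-privilege decision the article attributes to IGA rather than PAM.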
Advantages of combining IGA and PAM:
This article has also been published on www.techzine.nl/blogs/security/461844/pam-en-iga-een-solide-duo-om-je-data-te-beveiligen/