Why should I use privileged access management?
With businesses doing ever more in the cloud, there’s more at stake when handing out privileged access to your network. Every privilege you grant to a user represents a security risk. If an account is compromised, any of the privileges afforded to it can be used maliciously — for example, your confidential data could be leaked, or records changed or deleted.
In addition to the cost of remediation and any regulatory fines, a data breach can result in a devastating loss of user confidence. A 2019 study found that 69% of survey respondents would avoid a business that had suffered a data breach, and nearly a third wouldn’t use that business again. Clearly, you need a strategy to prevent accounts from being compromised and to minimize the impact when an account is stolen.
There are many ways to handle permissions, but given the tendency for organizations to grow in size and complexity over time, it’s important to have a core philosophy around who gets which permissions. You also need to comply with regulations and adapt as they change — and you need to do all this without getting in your users’ way, which makes it even more challenging.
Privileged access management, or PAM, refers to the methodology of granting and managing access to sensitive resources. It’s important to note that PAM is about privileged access — versus a more generalized employee access — which allows employees to make production changes, update user data, view financial information, and perform other sensitive tasks.
Best practices for implementing PAM
But how exactly do you go about implementing privileged access management? Following is a set of best practices to follow.
Adopt the principle of least privilege
Under the principle of least privilege (PoLP), you grant people the minimum amount of access they need to do their jobs. Depending on the user’s role, it might also mean network access is limited. This limits the impact of compromised accounts: The fewer privileges an adversary acquires, the less damage they can do.
The other consideration here, though, is that restricting users too much can impact productivity. Constantly needing to get additional permissions to perform routine tasks is frustrating for users. This reduces buy-in and leads to people ignoring best practices in favor of convenience.
You need a system that can handle users’ needs as dynamically as possible without creating friction. Compromise and common sense will help determine where the balance lies within your organization.
No matter how many best practices you implement, they’re useless if no one actually follows them. Make sure your users are aware of their responsibilities. Encourage behaviors you want to see, and make sure that those who are able to grant privileges are fully aware of the responsibilities that entails.
Having a consistent set of company-wide policies can help make sure everyone stays informed. Companies often take a patchy approach to security, with practices differing from department to department. Educating senior staff on the potential issues and then providing them with a consistent framework for avoiding those issues is a critical step to ensuring that everyone in your organization is on the same page.
Minimize the number of highly privileged accounts
If administrator privileges are readily available across your organization, there’s more opportunity for an adversary to compromise those accounts, then rapidly move across your network. It’s just a question of numbers: By minimizing the privileges that you hand out, you reduce the pool of accounts that can be compromised by a stolen password or other security breach.
Use multifactor authentication
Initial compromise via exposed passwords makes up a large percentage of successful attacks in the wild today. Multifactor authentication (MFA) largely mitigates these risks by requiring a second factor, instead of just a password, to access sensitive resources.
There are a variety of second factors you can implement: Some authenticators utilize something you have (such as a smartphone app, a key fob that shows you a verification code, or a WebAuthn token like a Yubikey), and some authenticators are based on something you are (authentication requires a fingerprint or a retinal scan). Ultimately, the choice of an appropriate second factor is a tradeoff between the sensitivity of the resources you are trying to protect and the friction the additional factor adds to the authentication flow.
MFA ensures that stealing or guessing a password isn’t enough to grant an attacker access to your systems. Large companies increasingly require MFA, which Microsoft says prevents 99.9% of automated attacks.
While the presence of MFA largely eliminates the criticality of passwords, enforcing a strong password policy remains an important best practice.
Employee lifecycle management
Cleaning up old accounts is also important. Disgruntled former employees have been known to misuse their credentials, so ensuring their accounts are stripped of privileges saves you another potential problem. A good PAM solution should be able to automate the creation of new accounts and detect old, unused accounts to flag them for deletion.
When upgrading your processes and systems, you need to make sure that all accounts and records reflect the changes and that none of them retain legacy permissions. For example, you might decide blog writers can’t delete posts. That change needs to be applied to existing writer accounts as well as ones created after the policy is implemented.
Implement time-based elevated control
In addition to granting privileges to specific users, you can have limited privileges that work only for specific time frames. This narrows the window for serious attacks, and potential attackers may not even know which accounts are elevated.
Techniques like just-in-time (JIT) privilege are methods of granting access for just enough time to complete a task, then revoking it. JIT access is particularly well-suited for engineering teams with an on-call rotation, as it restricts sensitive production access to only those times an engineer is on their on-call shift. These access platforms can also require employees to justify why they need that additional privilege, which can help keep people accountable for their actions.
Another method of time-based elevated control is creating ephemeral accounts that exist long enough to perform the desired action and are then removed from the system.
Monitor and log all privileged activity
Keeping records of every transaction by a privileged user means you can spot and respond to various issues. Logs can help you figure out who carried out an action, what people are trying to do, and whether your permission settings are being applied correctly. When setting up logging, you can also set up notifications for unexpected activity or behaviors.
In addition to logging actions, you can also record user actions, such as keyboard and screen activity. This can help you spot automated attacks, as these don’t produce the same kind of UI activity a human user does.
If something does go wrong, these records will allow you to see exactly what happened and when it took place, helping you attribute responsibility and find a solution. Logs can also show you if too many privileges are being handed out to users.
Review privileged access rights
Users’ roles can change with time as they take on new responsibilities or work with different software. That often means they’ll need to be granted new privileges, but it’s just as important to keep track of what privileges they no longer need. Limiting access is always beneficial from a security perspective.
You also need a system in place for revoking rights when users leave your organization or move to different departments. It’s an important but often overlooked task; having a system for dealing with it will help ensure it gets done.
Consider all attack vectors
Privileged accounts can do enormous damage when compromised but can also be a vehicle for indirect damage by leaking other credentials.
Passwords are an obvious example, but tokens, certificates, and keys are also valuable targets, and information is a valuable currency. Seemingly trivial pieces of information can help adversaries target their attacks — for example, an error message might expose the software version of your network software. This can let attackers know what exploits it is vulnerable to.
Connecting to third-party systems via integrations is increasingly popular. When doing this, you need to consider the security risks. Minimize the access that external actors get to your systems, and make sure you’re aware of the risks when granting them permissions.
Privileged Session Management
Privileged session management, or PSM, is a specific strategy that falls under the PAM banner.
PSM involves close monitoring of privileged user activity, as well as tracking and logging all user actions to make it easier to spot unusual behavior. If something suspicious happens, your logging system can notify your team that something is amiss.
Monitoring sessions is an extra layer of defense. It’s a shift toward a zero trust model. You can’t assume that a user can be trusted just because you recognize their credentials. Log and monitor everything that happens to make it harder for anything to get by you.
While they’re often thought of primarily as tools for auditing and compliance, a good PSM tool can record and play back user activity, which enables you to precisely recreate any malicious activity and find out how your systems were accessed.
There are a few other strategies that can be used alongside or — in some cases — as an alternative to PAM.
Role-based access control
Role-based access control (RBAC) is another common strategy for managing user access. Here, you assign roles to users. Each role has a specific set of permissions associated with it, which defines what users can do.
For example, in a blog, a writer might be restricted to editing articles assigned to them, but an editor is able to assign articles as well as create, edit, and delete them. You can create further roles with other permissions as needed.
RBAC is widespread and easy to implement, but it doesn’t have the granularity of PAM.
Mandatory access control
Mandatory access control (MAC) works by assigning security labels to both users and resources. If you have the relevant clearance, you can access matching elements.
MAC is popular in fields where security is prioritized, such as the military and banking. It is highly effective, but maintenance is resource-intensive, and it can be too restrictive for many organizations.
Discretionary access control
With discretionary access control (DAC), resource owners create lists of users who can access them.
DAC is simple and easy to understand, but the dependence on human management makes it prone to error, and it creates an administrative burden due to all the resource requests.
If you’re concerned about security, you don’t want to stop at access control. Tailscale is a VPN service based on the WireGuard protocol. It can be set up in minutes and allows your team to communicate securely on its own private network while connecting safely to the wider internet. It’s a great choice if you want to add an extra layer of security to your network infrastructure.
Get started with Tailscale today.
Frequently Asked Questions
Here's a quick recap of common questions people have about PAM.
What risks do privileged users represent?
Privileged users have access to resources that others don’t, and privileged users can make changes to your system. If the wrong people get the credentials of privileged users, data could be leaked, erased, or altered, and infrastructure could be changed, leading to damage or further information loss.
How can privileged access management mitigate these issues?
PAM forces you to organize your approach to granting permissions and access to resources. The more you put into it, the better equipped you’ll be to defend your organization against problems.
How can I implement PAM?
You can implement PAM by producing guidelines for people in your organization to use and by making sure your software enforces as many of the best practices listed here as possible. If this task seems overwhelming, or you don’t have the developer hours to build the system in-house, you can get outside help or use one of the many existing PAM platforms.