Privileged identity management
Privileged identity management (PIM) is a domain within identity management focused on the special requirements of powerful accounts within the IT infrastructure of an enterprise. It is frequently used as an information security and governance tool to help companies in meeting compliance regulations and to prevent internal data breaches through the use of privileged accounts. The management of privileged identities can be automated to follow pre-determined or customized policies and requirements for an organization or industry.
See also privileged password management: the usual strategy for securing privileged identities is to periodically scramble (re-randomize) their passwords, store the current values securely, and control who may see those values and when.
Different market participants refer to products in this category using similar but distinct terminology. As a result, some analyst firms refer to this market as "PxM" indicating multiple possible words for "x":
- Privileged access management
- Privileged user management
- Privileged account management
- Privileged identity management
- Privileged password management
- Privileged account security
The commonality is that a shared framework controls the access of authorized users and other identities to elevated privileges across multiple systems deployed in an organization.
Special requirements of privileged identities
A privileged identity management technology needs to accommodate the special needs of privileged accounts, including their provisioning and life cycle management, authentication, authorization, password management, auditing, and access controls.
- Provisioning and life cycle management – handles the access permissions of a personal user to shared/generic privileged accounts based on roles and policies.
- Note: built-in privileged accounts (for example the local administrator or root account) are not normally created or deleted by an identity management system, privileged or otherwise, as these accounts are automatically created when an OS, database, etc. is first installed and are decommissioned along with the system or device. A PIM system manages access to them, not their existence.
- Authentication – control who can authenticate as a privileged account.
- First use case – control authentication into the privileged accounts themselves, for example by regularly changing their passwords so that no stale, shared value remains valid.
- Second use case – control authentication into the privileged access management system itself, from which a user or application may "check out" access to a privileged account.
- Authorization – control which users and which applications are allowed access to which privileged accounts or elevated privileges.
- First use case – pre-authorized access ("these users can use these accounts on these systems at any time").
- Second use case – one-time access ("these users can request access to these accounts on these systems, but such requests for short-term access must first be approved by ...").
- Password management – scheduled and event-triggered password changes and password complexity rules, all applying new password values to privileged accounts. Event triggers typically include check-in of a borrowed password, expiry of an access window, and termination of the user who last used the account.
- Password vault – storage of privileged account passwords in a vault. Vault contents are typically encrypted, but the vault is still a high-value target and a potential single point of compromise, so access to it must itself be strongly authenticated, audited and rate-limited.
- Auditing – both event logs (who accessed which account, when, and for what stated reason) and session capture (record/replay of what happened during a login session to a given account).
- Access controls – Control what a given user, connected to a given privileged account, on a given system, can do. Two design principles need to be balanced here: the principle of least privilege and a desire to minimize the need to develop and maintain complex access control rules.
- Session recording – The ability to record access to privileged accounts is vital both from a security and compliance perspective.
- Session isolation – Controlling access to privileged accounts using a session proxy (or next generation jump server) can prevent issues such as pass-the-hash attacks and malware propagation.
Risks of unmanaged privileged identities
Unmanaged privileged identities can be exploited by both insiders and external attackers. If they are not monitored, held accountable, and actively controlled, malicious insiders, including system administrators, can steal sensitive information or cause significant damage to systems.
A 2009 report prepared for a US congressional committee by Northrop Grumman Corporation details how US corporate and government networks are compromised by overseas attackers who exploit unsecured privileged identities. According to the report, "US government and private sector information, once unreachable or requiring years of expensive technological or human asset preparation to obtain, can now be accessed, inventoried, and stolen with comparative ease using computer network operations tools."
The intruders profiled in the report combine zero-day vulnerabilities developed in-house with clever social exploits to gain access to individual computers inside targeted networks. Once a single computer is compromised, the attackers exploit "highly privileged administrative accounts" throughout the organization until the infrastructure is mapped and sensitive information can be extracted quickly enough to circumvent conventional safeguards.
Privileged account passwords that are secured by a privileged identity management framework so as to be long and randomly generated, frequently changed, and not shared among independent systems and applications offer a means to limit the threat to other computers that arises when a single system on a network is compromised: a credential recovered from one host does not open any other.
Because common identity and access management (IAM) frameworks do not manage or control privileged identities, privileged identity management software began to emerge after the year 2000.
Among the reasons for a special category of software to secure access to privileged accounts (rather than using "generic" identity and access management solutions):
- In a typical IAM system, there are a few integrated systems, but thousands of managed identities on each one.
- In contrast, in a typical PAM system, there are thousands of managed systems, but only a few managed identities on each one.
- IAM systems are designed to create/delete IDs and manage their security entitlements.
- In contrast, in a typical PAM system, shared, privileged IDs already exist, and it is access to them (by users who also already have IDs) that is being managed.
- Entitlements granted in a typical IAM system are granted on a permanent/persistent basis: "User X shall have entitlement Y from now on."
- In contrast, in a typical PAM system, access to privileged accounts or elevated privileges is granted for very short time windows (on the order of minutes or hours), just long enough to perform a task.
Privileged identity management software frameworks manage each of the special requirements outlined above including discovery, authentication, authorization, password management with scheduled changes, auditing, compliance reporting, and access controls. The frameworks generally require administrators to check out privileged account passwords before each use, prompting requesters to document the reason for each access and re-randomizing the password promptly after use. Even after logging in, administrator actions are managed using access controls.
In doing so, privileged identity management software can guard against undocumented access to configuration settings and private data, enforce the provisions of IT service management practices such as ITIL, and provide definitive audit trails to prove compliance with standards such as the HIPAA Security Rule (45 CFR § 164.308(a)(1)(ii)(D), information system activity review) and PCI DSS Requirement 10.2 (automated audit trails). In addition, the more advanced frameworks also perform discovery of interdependent services (scheduled tasks, service accounts, connection strings embedded in applications) and synchronize password changes among interdependent accounts to avoid the service disruptions that an unsynchronized change would otherwise cause.
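The check-out workflow described above (pre-authorized versus request-and-approve access, a mandatory reason, a short-lived lease, re-randomization on check-in or expiry, and an audit trail of every decision) is small enough to show end to end. The following is an added example written for this page, not the code of any product named here; the `PamBroker` class, its method names and the in-memory vault are assumptions for illustration. A real system would encrypt the vault at rest and push each new password to the target host, which this example does not do.

```python
"""Minimal PAM-style check-out broker (illustrative, not a product's code)."""
import secrets
import string
import time
from dataclasses import dataclass

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 32) -> str:
    """CSPRNG password satisfying a simple complexity rule:
    at least one lower, one upper, one digit and one symbol."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


@dataclass
class Lease:
    user: str
    system: str
    account: str
    reason: str
    expires_at: float


class PamBroker:
    """Assumed design: vault + authorization + time-boxed check-out + audit."""

    def __init__(self, clock=time.time):
        self.clock = clock               # injectable for testing
        self.vault = {}                  # (system, account) -> current password
        self.preauthorized = set()       # (user, system, account): standing access
        self.approved = set()            # (user, system, account): one-time grant
        self.pending = {}                # request_id -> (user, system, account, reason)
        self.leases = {}                 # (user, system, account) -> Lease
        self.audit = []                  # (timestamp, event, details)

    def _log(self, event, **details):
        self.audit.append((self.clock(), event, details))

    def onboard(self, system, account):
        # Each managed account gets its own random secret: nothing is reused
        # across hosts, so one compromised host does not unlock the next.
        self.vault[(system, account)] = random_password()
        self._log("onboard", system=system, account=account)

    def preauthorize(self, user, system, account):
        self.preauthorized.add((user, system, account))
        self._log("preauthorize", user=user, system=system, account=account)

    def request_access(self, user, system, account, reason):
        rid = secrets.token_hex(8)
        self.pending[rid] = (user, system, account, reason)
        self._log("request", request_id=rid, user=user, system=system,
                  account=account, reason=reason)
        return rid

    def approve(self, approver, request_id):
        user, system, account, _reason = self.pending[request_id]
        if approver == user:               # separation of duties
            self._log("approve_denied", request_id=request_id, approver=approver)
            raise PermissionError("requester may not approve their own request")
        del self.pending[request_id]
        self.approved.add((user, system, account))
        self._log("approve", request_id=request_id, approver=approver)

    def checkout(self, user, system, account, reason, ttl_seconds=900):
        key = (user, system, account)
        if not reason.strip():
            raise ValueError("a reason is required for every check-out")
        if key in self.preauthorized:
            pass                           # standing access, no approval needed
        elif key in self.approved:
            self.approved.discard(key)     # one-time grant is consumed
        else:
            self._log("checkout_denied", user=user, system=system, account=account)
            raise PermissionError(f"{user} is not authorized for {account}@{system}")
        lease = Lease(user, system, account, reason, self.clock() + ttl_seconds)
        self.leases[key] = lease
        self._log("checkout", user=user, system=system, account=account,
                  reason=reason, expires_at=lease.expires_at)
        return self.vault[(system, account)]

    def checkin(self, user, system, account):
        self.leases.pop((user, system, account))   # KeyError if never checked out
        self._rotate(system, account, trigger=f"checkin by {user}")

    def _rotate(self, system, account, trigger):
        self.vault[(system, account)] = random_password()
        self._log("rotate", system=system, account=account, trigger=trigger)

    def expire_leases(self):
        """Scheduled/event-driven sweep: revoke expired leases and re-randomize,
        so a disclosed password has a bounded lifetime. Returns count revoked."""
        now = self.clock()
        expired = [k for k, lease in self.leases.items() if lease.expires_at <= now]
        for key in expired:
            lease = self.leases.pop(key)
            self._rotate(lease.system, lease.account,
                         trigger=f"lease expired for {lease.user}")
        return len(expired)


if __name__ == "__main__":
    b = PamBroker()
    b.onboard("db01", "root")
    b.preauthorize("alice", "db01", "root")
    pw = b.checkout("alice", "db01", "root", "apply security patch", ttl_seconds=600)
    b.checkin("alice", "db01", "root")
    print("rotated:", pw != b.vault[("db01", "root")])
    for ts, event, details in b.audit:
        print(f"{ts:.0f} {event} {details}")
```

The two things worth noticing are that the password handed out at check-out is dead by the time the lease ends, whether or not the user remembered to check it back in, and that every denied decision is logged as well as every granted one; the audit trail is what lets the "who, when, why" questions of HIPAA and PCI DSS be answered after the fact.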
References
- Northrop Grumman Corporation, "Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation," report prepared for the US-China Economic and Security Review Commission, 2009.
- Chris Stoneff, "Mismanaged Privileged Accounts: A New Threat To Your Sensitive Data."
- Behr, Kim and Spafford, "The Visible Ops Handbook," p. 28.
Further reading
- Cloud Computing Journal, "Requirements for Next-Generation Privileged Identity Management," October 2013.
- Government Security News, "Next-generation protection for the federal hybrid Cloud," October 2013.
- Wall St. Journal, "The Biggest Cybersecurity Threat Just May Be Your Own Staff," June 2012.
- Wall St. Journal, "Malware Targets Vulnerable Admin Accounts," June 2012.
- Cloud Security Alliance, "SecaaS Implementation Guidance, Category 1: Identity and Access Management," September 2012.