Privileged Access Management (PAM) software comes in many forms. Some are heavy with software components (the thick client model) while others are leaner (the thin client model). Since we at SSH.COM are firm believers in the thin client model, I wanted to present five solid reasons why this is the case.
1. No constant cycle of installing, patching and configuring agents
Thick clients require that you have to install agents on the client - and usually on the server as well. Moreover, you need to ensure that those agents are always up-to-date, patched and compatible with the operating system, and installed on every client necessary.
That’s not only a lot of steps but it’s a process that often requires the help of specialist staff which increases costs. On top of that, when access is no longer valid, you should ensure that the agent is actually removed from the client.
With a thin client, there is no need to install, remove or patch any agents at any point. We prefer a model where access is granted, managed and revoked using a standard browser - the only ‘software agent’ you need.
2. Less complexity means easier endpoint security management
Every piece of software component added to the environment adds complexity to the mix. The installation and configuration needs easily add up when people join the company, switch roles and leave. This is particularly true for 3rd parties whose access needs are often temporary.
Moreover, PAM solutions grant primarily admin-level access. Installing a required PAM agent requires (local) admin rights which in turn are often under the control of other solutions since they are privileged accounts.
Client installations might also require application black or whitelisting – which adds yet another management layer to the equation. In some cases, you might need to give local admin rights to 3rd parties to get them onboarded which might not always be a good idea or even against corporate policies.
All in all, having privileged software agents on clients adds up to surprisingly complex endpoint security management.
With a thin client model, you simply skip the PAM agent installation phase which saves a lot of time, effort and money and makes access management leaner. It also means that you can have an identical installation image for all clients intended for privileged users, and you can manage software and hardware upgrades, security policies, application changes virtually and remotely using that same image.
You can also ensure that the clients have only the bare minimum setup for the required tasks, so there is nothing to steal if the client is compromised.
Last but not least, this model reduces the number of misconfigurations. Since privileged users or 3rd parties don’t need to – and can’t - install anything to use the client, unauthorized software installations or installing viruses becomes unlikely.
3. Standard, plugin-free browser for minimized management
There are access management tools that work using browsers but require plugins for privileged user access to work. This is just points 1 and 2 wrapped inside a browser: are all the plugins up-to-date, who maintains them, who has the rights to install them, are they always compatible with the latest browser versions, is the browser set up correctly per client…
We believe in an approach where your standard browser is your only access management tool that you need to update. The official browser releases are always rigorously tested, and patches are fast and automatic which is not often the case with plugins or other software components. Once again, this model is straightforward and minimizes the number of configurations and reduces complexity.
4. Thin in bloat, rich in features and usability
This point is almost ideological: many widely used applications – IT or otherwise - exist in the cloud and are based on thin clients, like Citrix Virtual Apps, Office 365 or Netflix just to name a few. With thin client PAM software, your developers get the same, consistent and secure experience across clients and your admins manage all access through a single pane of glass. Thin can be very rich in features: the features simply exist behind a clean looking UI.
This model is also very fast for onboarding: the developer just logs in to the centralized authority through a UI without anyone having to configure anything on the client. Switching clients becomes effortless. The number of access ticket requests is significantly smaller and training needs are radically reduced.
5. Respect your environment, minimize all changes
If you are not familiar with the concept of immutable infrastructure, here’s a small breakdown of the idea. Once you have a particular environment set up and servers deployed, you don’t make any run-time changes to it. If you change something, you decommission the entire environment and spin up an entirely new instance instead. The benefit is more consistency, predictability and reliability in your infrastructure.
Again, thin is key. Don’t install anything on the client or the server for that matter. When granting privileged access, you don’t even need to create any one-time passwords or temporary accounts on the server side either. All these processes require constant run-time changes and add unwanted complexity and unnecessary processes. We are suggesting that privileged access can be granted without permanent credentials with what we call ephemeral certificates, in a passwordless fashion and without making any kind of changes to your environment.
This might sound radical and we are fine with that reaction. Not all PAMs need to be the same: we built ours with a strong focus in the future which is mostly multi-cloud and hybrid driven. The fact that our solution, PrivX, is based on just-in-time authentication without a need for any type of permanent credentials for privileged users was just one of the reasons KuppingerCole credited us with one of the Overall Product Leaders in their Leadership Compass 2020: Privileged Access Management, as evidenced by the following quote.
“It’s an innovative approach but one that does bring functional and security advantages – access is faster, onboarding and offboarding of privileged users is quick and there are no passwords to issue or lose, since there are no permanent leave-behind credentials”
Paul Fisher, KuppingerCole Senior Analyst [on PrivX]
Don’t forget to check out my presentation “How to Solve the Top 5 Access Management Challenges in Hybrid Cloud Environments”.