1 Introduction
In the age of digital transformation, the requirements for IT – but also the way IT is done – are changing. Organizations need to reinvent themselves and become agile and more innovative. Smart manufacturing and the Internet of Things expand the attack surface of organizations. Also, they must meet ever increasing regulatory requirements. To stay ahead, with the vast number of attacks that organizations are facing and the evolving regulations, organizations must invent new methods of addressing these needs while still perfectly serving their customers. Thus, they also need to constantly improve security, to have the right counter measures implemented and thus prevent attacks.
Privilege Management can be considered a domain of Cybersecurity since attackers usually go after the high privilege accounts. The users of the privileged accounts have the broadest access to sensitive company data such as HR records, financial information, payroll details or a company’s IP. Therefore, a strong emphasis needs to be placed on protecting these accounts, which eventually results in a reduced risk of breaches. Privilege Management helps in these scenarios, by increasing the protection of digital assets through protecting the most critical accounts and access to these systems.
Privilege Management is also part of the IAM (Identity and Access Management) domain, because it is about managing accounts and their passwords, as well as their access at runtime, e.g., by monitoring sessions.
Modern tools for Privilege Management must support a variety of requirements, from protecting the passwords of shared accounts, rotating the passwords of service and system accounts, to session monitoring and behavioral analytics.
Mature Privilege Management solutions go much further than simple password generation and access control to individual systems, but also provide a unified, robust, and – importantly - transparent Privilege Management platform which is integrated into an organization’s overall Identity and Access Management (IAM) strategy. While “password vaults” had been at the center of attention in earlier years, capabilities such as advanced analytics of privileged user behavior and advanced capabilities in session monitoring and analysis are becoming the new normal, all integrated into comprehensive suites. However, we also see a growing number of vendors taking different approaches to solve the underlying problem of restricting, monitoring, and analyzing privileged access and the use of shared accounts.
Among security risks associated with privileged users are:
- Leakage of credentials for shared accounts;
- Abuse of elevated privileges by fraudulent users;
- Hijacking of privileged accounts by cyber-criminals;
- Risks through abuse of elevated privileges on client systems;
- Risks through mistakes in using elevated privileges by users.
Furthermore, there are several areas of security, but also user convenience, with requirements which are associated with privileged accounts:
- Managing the ownership and knowing all privileged accounts, both individual and shared accounts;
- Single Sign-On to shared accounts for administrators and operators;
- Reducing elevated privileges of administrators, and in particular operators, to mitigate associated risks;
- Controls for managing, restricting, and monitoring access of MSPs when accessing internal systems;
- Controls for managing, restricting, and monitoring access of internal users to cloud services.
Consequently, multiple technologies and solutions have been developed to address these risks as well as provide better activity monitoring and threat detection. A specific area is the in-depth protection of server platforms such as Unix, Linux, and Windows. These focus on protecting the accounts such as “root” or “admin” on these systems as well as delivering in-depth protection against unwanted privilege elevation, altogether with capabilities of restricting the use, e.g., of specific shell commands. While they do not cover everything, such tools are an essential element in a holistic Privilege Management architecture, delivering the in-depth protection for defined target platforms.
For a detailed overview of the leading PxM vendors, please refer to the KuppingerCole Leadership Compass on Privilege Management.