What are privileged accounts?

In a least privileged environment, most users are operating with non-privileged accounts 90-100% of the time. Non-privileged accounts, also called least privileged accounts (LUA) general consist of the following two types:

Standard user accounts have a limited set of privileges, such as for Internet browsing, accessing certain types of applications (e.g., MS Office, etc.), and for accessing a limited array of resources, which is often defined by role-based access policies.

Guest user accounts possess fewer privileges than standard user accounts, as they are usually restricted to just basic application access and Internet browsing.

A privileged account is considered to be any account that provides access and privileges beyond those of non-privileged accounts. A privileged user is any user currently leveraging privileged access, such as through a privileged account. Because of their elevated capabilities and access, privileged users/privileged accounts pose considerably larger risks than non-privileged accounts /non-privileged users. Here are examples of privileged accounts commonly in use across an organization:

• Local administrative accounts. Non-personal accounts providing administrative access to the local host or instance only.
• Domain administrative accounts. Privileged administrative access across all workstations and servers within the domain.
• Break glass (also called emergency or firecall) accounts. Unprivileged users with administrative access to secure systems in the case of an emergency.
• Service accounts. Privileged local or domain accounts that are used by an application or service to interact with the operating system.
• Active Directory or domain service accounts. Enable password changes to accounts, etc.
• Application accounts. Used by applications to access databases, run batch jobs or scripts, or provide access to other applications.

What are the Privileged Access Management features?

Privileged access management is important for companies that are growing or have a large, complex IT system. Many popular vendors have begun offering enterprise PAM tools such as BeyondTrust, Centrify, CyberArk, SecureLink and Thycotic.

Privileged access management tools and software typically provide the following features:

• Multi-factor authentication (MFA) for administrators.
• An access manager that stores permissions and privileged user information.
• A password vault that stores secured, privileged passwords.
• Session tracking once privileged access is granted.
• Dynamic authorization abilities. For example, only granting access for specific periods of time.
• Automated provisioning and deprovisioning to reduce insider threats.
• Audit logging tools that help organizations meet compliance.

How is PAM Different from Identity Access Management (IAM)?

Privileged access management system is sometimes confused with Identity Access Management (IAM). IAM focuses on authenticating and authorizing all types of users for an organization, often including employees, vendors, contractors, partners, and even customers. IAM manages general access to applications and resources, including on-prem and cloud and usually integrates with directory systems such as Microsoft Active Directory.

PAM access management focuses on privileged users, administrators or those with elevated privileges in the organization. PAM systems are specifically designed to manage and guarantee secure privileged access of these users to critical resources.

Organizations need both tools if they are to protect against attacks. IAM systems cover the larger attack surface of access from the many users across the organization’s ecosystem. PAM focuses on privileged users—but privileged access management products are important because while they cover a smaller attack surface, it’s a high-value surface and requires an additional set of controls normally not relevant or even appropriate for regular users (such as session recording).