What is privileged access management (PAM)?

In a computer system, “privilege” refers to access permissions that are higher than a standard user’s. A regular user account might have permission to view entries in a database, while a privileged administrator would be able to configure, add, change and delete entries.

Nonhuman users, such as machines, apps and workloads, can also hold elevated privileges. For example, an automated backup process might have access to confidential files and system settings.

Privileged accounts are high-value targets for hackers, who can abuse their access rights to steal data and damage critical systems while evading detection. In fact, hijacking valid accounts is one of the two most common cyberattack vectors today, according to the IBM® X-Force® Threat Intelligence Index.

And the danger can come from within an organization, too. An IBM Institute for Business Value study found that well-meaning staff can share private organizational data into third-party artificial intellgience (AI) products without knowing whether the tools meet their security needs. The study reports that 41% of employees acquired, modified or created technology without their IT or security team’s knowledge, creating a serious opening in security.

PAM tools and practices help organizations protect privileged accounts against identity-based attacks. Specifically, PAM strategies strengthen organizational security posture by shrinking the number of privileged users and accounts, protecting privileged credentials and enforcing the principle of least privilege.

Identity and access management (IAM) is a broad field that encompasses all of an organization’s identity security efforts for all users and resources. PAM is a subset of IAM of that focuses on securing privileged accounts and users.

There is significant overlap between IAM and PAM. Both involve provisioning digital identities, implementing access control policies and deploying authentication and authorization systems.

However, PAM goes further than standard IAM measures because privileged accounts require stronger protection than standard accounts. PAM programs use advanced security measures such as credential vaults and session recording to strictly control how users obtain elevated privileges and what they do with them.

It would be impractical and ineffective to apply such strong measures to nonprivileged accounts. These measures would interrupt regular user access and make it hard for people to do their day-to-day jobs. This difference in security requirements is why PAM and IAM have diverged into separate, but related, disciplines.

Privileged accounts pose heightened security risks. Their elevated permissions are ripe for abuse, and many organizations struggle to track privileged activity across on-premises and cloud systems. PAM helps organizations gain more control over privileged accounts to stop hackers while connecting users with the permissions they need.

Identity-based attacks, in which hackers take over user accounts and abuse their valid privileges, are on the rise. IBM’s X-Force reports that these attacks account for 30% of security breaches. These attacks often target privileged accounts, either directly or through lateral movement.

Bad actors—insider threats or external attackers—who get their hands on privileged accounts can do serious damage. They can use the elevated permissions to spread malware and access critical resources without restriction, all while tricking security solutions into thinking they are legitimate users with valid accounts.

According to the IBM Cost of a Data Breach Report, breaches where hackers use stolen credentials are among the costliest at USD 4.67 million on average. Insider threats who abuse their valid privileges can cause even more damage, with those breaches costing USD 4.92 million on average.

Moreover, digital transformation and the growth of artificial intelligence have increased the number of privileged users in the average network. Every new cloud service, AI application, workstation and Internet of Things (IoT) device brings new privileged accounts. These accounts include both the admin accounts human users need to manage these assets and the accounts these assets use to interact with network infrastructure.

Complicating matters further, people often share privileged accounts. For example, instead of assigning each system admin their own account, many IT teams set up one admin account per system and share the credentials with the users who need them.

As a result, it’s hard for organizations to track privileged accounts while malicious actors are focusing their attention on those very accounts.

PAM technologies and strategies help organizations gain more visibility into and control over privileged accounts and activities without disrupting legitimate user workflows. The Center for Internet Security lists core PAM activities among its “critical” security controls.¹

Tools such as credential vaults and just-in-time privilege elevation can facilitate secure access for users who need it while keeping hackers and unauthorized insiders out. Privileged session monitoring tools allow organizations to track everything that every user does with their privileges across the network, enabling IT and security teams to detect suspicious activity.

Privileged access management combines processes and technology tools to control how privileges are assigned, accessed and used. Many PAM strategies focus on three pillars:

• Privileged account management: The creation, provisioning and secure disposal of accounts with elevated permissions.

• Privilege management: Managing how and when users get privileges, as well as what users can do with their privileges.

• Privileged session management: Monitoring privileged activity to detect suspicious behavior and ensure compliance.

Privileged account management oversees the entire lifecycle of accounts with elevated permissions, from creation to retirement.

A privileged account is any account with higher-than-average access rights in a system. Users of privileged accounts can do things such as change system settings, install new software and add or remove other users.

In modern IT environments, privileged accounts take many forms. Both human users and nonhuman users, such as IoT devices and automated workflows, can have privileged accounts. Examples include:

• Local administrative accounts give users control over a single laptop, server or other individual endpoint.

• Domain administrative accounts give users control over an entire domain, such as all the users and workstations in a Microsoft Active Directory domain.

• Privileged business user accounts give users elevated access for non-IT purposes, such as the account that a finance employee uses to access company funds.

• Superuser accounts grant unrestricted privileges in a particular system. In Unix and Linux® systems, superuser accounts are called “root” accounts. In Microsoft Windows, they are called “administrator” accounts.

• Service accounts allow apps and automated workflows to interact with operating systems.

• Application accounts enable apps to interact with one another, make calls to application programming interfaces (APIs) and perform other important functions.

Privileged account management handles the entire lifecycle of these privileged accounts, including:

• Discovery: Inventorying all existing privileged accounts in a network.

• Provisioning: Creating new privileged accounts and assigning permissions based on the principle of least privilege.

• Access: Managing who can access privileged accounts and how

• Disposal: Securely retiring privileged accounts that are no longer necessary.

A major goal of privileged account management is reducing the number of privileged accounts in a system and restricting access to those accounts. Credential management is a key tool for achieving this goal.

Rather than assigning privileged accounts to individual users, many PAM systems centralize these accounts and store their credentials in a password vault. The vault securely houses passwords, tokens, Secure Shell (SSH) keys and other credentials in an encrypted form.

When a user—human or nonhuman—needs to do a privileged activity, they must check out the appropriate account’s credentials from the vault.

For example, say that an IT team member must make changes to a company laptop. To do so, they need to use the local admin account for this laptop. The credentials for the account are stored in a password vault, so the IT team member starts by requesting the account password.

The team member must first pass a strong authentication challenge, such as multifactor authentication (MFA), to prove their identity. Then, the vault uses role-based access controls (RBAC) or similar policies to determine whether this user is allowed to access the credentials for this account.

This IT team member is allowed to use this local admin account, so the credential vault grants access. The IT team member can now use the local admin account to make the necessary changes to the company laptop.

For added security, many credential vaults do not directly share credentials with users. Instead, they use single sign-on (SSO) and session brokering to initiate secure connections without the user ever seeing the password.

The user’s account access typically expires after a set amount of time or after their task is complete. Many credential vaults can automatically rotate credentials on a schedule or after each use, making it harder for malicious actors to steal and misuse those credentials.

PAM replaces perpetual privilege models, in which a user always has the same static level of permissions, with just-in-time access models where users receive elevated privileges when they need to do specific tasks. Privilege management is how organizations implement these dynamic least privileged access models.

Credential vaults are one way that organizations eliminate perpetual privileges, as users can access privileged accounts only for a limited time and limited purposes. But vaults are not the only way to control user privileges.

Some PAM systems use a model called just-in-time (JIT) privilege elevation. Instead of logging in to separate privileged accounts, users have their permissions temporarily raised when they need to perform privileged activities.

In the JIT privilege elevation model, every user has a standard account with standard permissions. When a user needs to do something that requires elevated permissions—such as an IT team member changing important settings on a company laptop—they submit a request to a PAM tool. The request might include some kind of justification outlining what the user needs to do and why.

The PAM tool assesses the request against a set of predefined rules. If this user is authorized to perform this task on this system, the PAM tool elevates their privileges. These elevated privileges are valid only for a short amount of time, and they allow the user to do only the specific tasks they need to do.

Most organizations use both privilege elevation and credential vaulting for privilege management. Some systems require dedicated privileged accounts—such as the default administrative accounts built into some devices—and others don’t.

Privileged session management (PSM) is the aspect of PAM that oversees privileged activities. When a user checks out a privileged account or an app has its privileges elevated, PSM tools track what they do with those privileges.

PSM tools can record privileged session activity by logging events and keystrokes. Some PSM tools also take video recordings of privileged sessions. PSM records help organizations detect suspicious activity, attribute privileged activity to individual users and build audit trails for compliance purposes.

Privileged identity management (PIM) and privileged user management (PUM) are overlapping subfields of privileged access management. PIM processes focus on assigning and maintaining privileges for individual identities in a system. PUM processes focus on the maintenance of privileged user accounts.

However, the distinctions between PIM, PUM and other aspects of PAM are not universally agreed upon. Some practitioners even use the terms interchangeably. Ultimately, the important thing is that it all falls under the PAM umbrella. Different organizations might conceptualize PAM tasks differently, but all PAM strategies share the goal of preventing the misuse of privileged access.

It is inefficient, and often impossible, to manually conduct core PAM tasks such as privilege elevation and regular password rotations. Most organizations use PAM solutions to streamline and automate much of the process.

PAM tools can be installed on premises as software or hardware appliances. Increasingly, they are delivered as cloud-based software-as-a-service (SaaS) apps.

Analyst firm Gartner sorts PAM tools into four classes:

• Privileged account and session management (PASM) tools handle account lifecycle management, password management, credential vaulting and real-time privileged session monitoring.

• Privilege elevation and delegation management (PEDM) tools enable just-in-time privilege elevation by automatically evaluating, approving and denying privileged access requests. 

• Secrets management tools focus on protecting credentials and managing privileges for nonhuman users, such as apps, workloads and servers.

• Cloud infrastructure entitlement management (CIEM) tools are designed for identity and access management in cloud environments, where users and activities are more diffuse and require different controls than their on-premises counterparts.

While some PAM tools are point solutions that cover one class of activities, many organizations are adopting comprehensive platforms that combine the functions of PASM, PEDM, secrets management and CIEM. These tools might also support integrations with other security tools, such as sending privileged session logs to a security information and event management (SIEM) solution.

Some comprehensive PAM platforms have extra functions, such as:

• The ability to automatically discover previously unknown privileged accounts

• The ability to enforce MFA on users requesting privileged access

• Secure remote access for privileged activities and users

• Vendor privileged access management (VPAM) capabilities for third-party contractors and partners

Analysts anticipate that PAM tools, like other security controls, will increasingly incorporate AI and machine learning (ML). In fact, some PAM tools already use AI and ML in risk-based authentication systems.

Risk-based authentication continuously assesses user behavior, calculates the risk level of that behavior and dynamically changes authentication requirements based on that risk. For example, a user requesting privileges to configure a single laptop might need to pass two-factor authentication. A user who wants to change settings for all workstations in a domain might need to supply even more evidence to verify their identity.

Research from OMDIA² predicts that PAM tools might use generative AI to analyze access requests, automate privilege elevation, generate and refine access policies and detect suspicious activity in privileged session records.

While PAM tools and tactics govern privileged activity across an organization, they can also help address specific identity and access security challenges.

• Shrinking the identity attack surface
• Managing identity sprawl
• Regulatory compliance
• DevOps secret management