IAM moving from PAM (Privileged Account Management) to PAM (Privileged Access Management). Are you moving too?

Keywords: IAM (Identity Access Management), PASM (privileged account and session management), PEDM (privilege elevation and delegation management)

The heading above may look a bit confusing, but it is not. In recent years, privileged access management (PAM) has become a critical technology for addressing some of today's most pressing cybersecurity challenges. Against the backdrop of digital change, it is rapidly becoming one of the essential components of a company's overall cybersecurity strategy. Over the years, it has become not only a key technology for solving pressing cybersecurity problems but also an integral part of many companies' business models and processes.

The PAM industry began with the core capabilities of privileged account management. Privileged account management is the IT security process of using policy-based software and strategies to control who can access sensitive systems and information. Privileged accounts rely on credentials (passwords, keys and secrets) to control access. By creating, storing, and managing these credentials in a secure vault, privileged account management controls authorized access of a user, process, or computer to protected resources across an IT environment.

As complexities and challenges grow daily with the spread of digital technologies, privileged security strategies are expanding too, and the standard definition of PAM has changed. Today, most people define PAM as privileged access management rather than privileged account management. Privileged access management encompasses cybersecurity strategies for exerting control over elevated access and permissions for users, accounts, and processes. It manages not only who can access what but also what they can do once logged in.

Earlier, most of us would limit the number of people who have access by restricting access to certain areas of the organization, such as granting access to the most sensitive information on a need-to-know basis. However, in this age of digital transformation, where systems are integrated to give convergence power, it is imperative for multiple systems to talk to each other, for example to give data scientists seamless access to data so they can convert it into information and build knowledge out of it. This poses a challenge for IT professionals: mitigating the risks associated with privileged access and stopping compromise and misuse. How can we make our organization much less vulnerable to potential monetary and reputational damage from the increasing threats associated with PAM?

"A strong PAM program helps to ensure the right person has the right access to the right resource at the right time for the right reasons."

PAM solutions provide security teams with more granular control and oversight over the actions taken during privileged sessions. This includes managing the passwords of privileged accounts through tactics like credential management, least privilege enforcement, and account governance. For example, privileged access approval and workflows, two-factor/multi-factor authentication, privileged session monitoring and recording, and remote launching are critical elements of a comprehensive privileged access management program.

"Local account credentials are attractive assets for cybercriminals"

Successful privileged access management can be achieved by neither processes nor tools alone; it requires a combination of tools and processes applied at the appropriate levels. Security and risk management leaders often lack a comprehensive understanding of all PAM use cases across the enterprise. An effective PAM program starts with an intense planning phase. The first step should be defining a privileged account taxonomy for your organization: map out which essential functions rely on data, systems, and access. When classifying privileged accounts, ask the 5 Ws:

1. When access is needed (all time, occasional, one time)
2. What access is required (broad, restricted, limited)
3. Where access is needed (across, restricted, depends)
4. Why access is required (discretionary or specific purpose)

Besides the planning phase, we also need to ensure that our incident response mechanism is in place in case privileged accounts or systems are compromised. As a rule of thumb, the system should be intelligent enough not to give access to all critical systems simultaneously, including production systems, backup systems, and financial systems. Employees changing jobs within your organization shouldn't be able to keep the same access from their previous roles. We should have a strong corporate IT policy in place that treats privileged accounts separately by clearly defining a privileged account and detailing acceptable use policies. Be sure to include who is responsible and accountable for using privileged accounts.
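The taxonomy questions and the two rules of thumb above can be turned into a periodic entitlement review. The following is an added example, not part of the original article: the account names, roles, and system names are constructed, and the `Grant`/`Account` record layout is a hypothetical stand-in for whatever your PAM tool exports.

```python
from dataclasses import dataclass, field

# Critical categories and taxonomy questions (when/what/where/why) named in the article.
CRITICAL = {"production", "backup", "financial"}
TAXONOMY_KEYS = ("when", "what", "where", "why")

@dataclass
class Grant:
    system: str            # hypothetical system name
    category: str          # "production", "backup", "financial", ...
    granted_for_role: str  # role the holder had when access was approved

@dataclass
class Account:
    name: str
    current_role: str
    taxonomy: dict = field(default_factory=dict)
    grants: list = field(default_factory=list)

def review(account):
    """Return a sorted list of findings for one privileged account."""
    findings = []
    missing = [k for k in TAXONOMY_KEYS if not account.taxonomy.get(k)]
    if missing:
        findings.append("unclassified: " + ",".join(missing))
    held = {g.category for g in account.grants}
    if CRITICAL <= held:  # one account reaches every critical category
        findings.append("holds all critical categories at once")
    for g in account.grants:
        if g.granted_for_role != account.current_role:
            findings.append(f"stale grant from previous role: {g.system}")
    return sorted(findings)

# Constructed sample data, not taken from any real environment.
ACCOUNTS = [
    Account("svc-backup", "backup-operator",
            {"when": "all time", "what": "restricted", "where": "restricted", "why": "specific purpose"},
            [Grant("bkp01", "backup", "backup-operator")]),
    Account("adm-jlee", "finance-admin",
            {"when": "occasional", "what": "broad", "where": "across"},
            [Grant("prod-db", "production", "dba"),
             Grant("bkp01", "backup", "dba"),
             Grant("ledger", "financial", "finance-admin")]),
]

def review_all(accounts=ACCOUNTS):
    """Map account name to findings, omitting accounts with none."""
    return {a.name: review(a) for a in accounts if review(a)}

if __name__ == "__main__":
    print(review_all())
```
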

"If you can't correctly observe what's going on with your privileged accounts, you increase your organization's risk."

Of course, you first need to educate your organization about what privileged access management is. Privileged Access Management (PAM) is one of the most important aspects of a company's IT management system. Hopefully, the criteria described above will help you find the right PAM (Privileged Access Management) solution for your company and its specific needs.

Bhanu Pratap Singh

IT QA, Verification & Validation , Informatics(CSV/CSA/ Digital Quality), Regulatory Compliance

4y

Nice
