PAM systems: what are they and why are they needed?

Father

From a cybersecurity point of view, people were and remain the most vulnerable element of any defense. Many hacker tools target them, from social engineering and phishing to brute-force techniques and OSINT searches for previously "exposed" passwords.

A number of users are particularly attractive to hackers because, due to the specifics of their work responsibilities, they have increased privileges in the company's information systems. PAM systems are used to monitor their activities and protect them from hacking.

In this article, we will analyze the problems of controlling employees with elevated privileges, as well as the main characteristics and tasks of privileged user control systems.

Who are privileged users?

In the context of IT, privilege implies increased access rights to the company's information systems. Broadly, we can distinguish two large groups of employees that can be called privileged:
  1. Top management. Heads of business units that have access to the company's digital resources (for example, CRM system analytics).
  2. Technical specialists. For example, administrators or developers who have direct access to security tools, source code, databases, and other infrastructure work items.

The basic characteristic of a privileged user is access to sensitive information that ordinary employees do not have. The account of such an employee is the most attractive to hackers, as it allows an attacker to quickly gain control over the infrastructure or access to target data.

Alexey Parfentiev
Head of the SearchInform Analytics Department

Technical personnel have unlimited access to confidential information, as IT infrastructure maintenance is their direct job responsibility. Therefore, the control of such specialists should be comprehensive. A privileged user can turn out to be an attacker himself or herself and be used as the "starting point" of a cyber attack (according to our survey, about 10% of all information security incidents are hackers' actions through employees).

We need control from the point of view of information security – there must be confidence that technical specialists do not abuse their official powers. This can be done using PAM, DLP, and SIEM systems. In addition, disciplinary control is required. This is both a banal monitoring of productivity using DLP or time trackers (whether employees do not violate the work schedule), and monitoring the correctness of technical tasks.

For hackers, such "root users" are attractive because access to their account greatly shortens the attack chain. An attacker does not need to spend a long time studying the infrastructure and independently working on elevating rights in the system; it is enough to find out the username and password of a specific specialist.

What tasks does PAM solve?

We have already mentioned countering external intruders and hacker activity. This is an important feature that, together with a reasonable password policy, attention to potential phishing emails, and other elements of digital hygiene, allows you to effectively protect the privileged user's account.

Andrey Prozorovsky
Head of the Information Security Department of IMBA IT

PAM systems monitor privileged users, protect against unauthorized access to the IT infrastructure, and conduct investigations to prove erroneous or illegal actions of employees.

Main tasks:
- Provide granular and secure access to the target IT infrastructure with a time limit.
- Provide logging and recording of the administrators' sessions with the IT infrastructure.
- Provide secure password management (store them in a secure database, generate and update them automatically without administrators' knowledge).

To solve these problems, a broker server (proxy server) is usually used. Users connect to it with normal rights, and after passing authentication and authorization, they get privileged access to the administered components. At the same time, the system provides secure storage of passwords and periodic changes. This approach provides:

- secure administration of the IT infrastructure;
- management of privileged records and their security;
- conducting an investigation.

This class of solutions is designed to solve specific tasks of ensuring control over privileged users, taking into account the fact that potential threats may come from them.

Other classes of solutions can only partially perform some of the functions of PAM systems:
- IdM: provides lifecycle management for all accounts in the company.
- SIEM: collects events from managed servers.

Only PAM solves the main task of ensuring control over the actions of privileged users.

The privileged user control system lets you not only protect yourself from hacker activity, but also address the risk of insider activity by a company employee. A common scenario is an employee who downloads all available databases before leaving the company and "takes" them out in order to publish them on shadow forums, or simply sell them to competitors.

Yegor Petrov
Head of Advanced Information Security Solutions at Sissoft

The need to control privileged users is very relevant for companies. PAM systems not only prevent malicious attacks and control the actions of privileged users, but also help automate the processes of transparent and secure access to the IT infrastructure. PAMs can also clean up the overall pool of accounts by separating privileged users from regular users. You can also manage access and catch intruders in real-time mode, which is extremely important for investigating incidents.

Separately, it is worth noting the relevance of managing privileged access in companies that develop software. Here the problem is even more acute, because in Russian and foreign practice, there have been cases when the head of the department leaves the company, the "core" of developers leaves, and in a month or two exactly the same digital product appears on the market. Given the imperfection of the legislation, it is better to "insure" such risks in advance than to prove your case in court for years and resolve issues of authorship of the source code.

What is a PAM system?

PAM (privileged access management) is a system for controlling and organizing access of privileged users to the company's information systems. Depending on the specific product, it can be used both for monitoring internal employees and external ones, such as outsourced developers.

Lyubov Ermilova
Senior Manager of the Information Security Solutions Directorate at MONT

The PAM system is designed to minimize the risks of leaks and provide the ability to investigate an incident, as well as to strengthen information security in general. It allows you to control passwords, prevent massive leaks of personal data and internal documents (for managers, PR, marketing), and save on reputational costs. PAM sits directly in front of the target systems, as a kind of proxy. After connecting to the PAM server, all other access to the system will be through it. The PAM server seems to hide all usernames, passwords, and privileges in itself, and also writes everything down.

The PAM solution differs from other employee access control and restriction systems by targeting a specific group of employees who have elevated privileges within the system. From a technical point of view, there are no major differences.
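
The broker (proxy) model described in the two quotes above, sketched as an added example that is not part of the original article or of any vendor's product. The `PamBroker` class, the users and the `db01` target are hypothetical, the hash-chained audit log is an added design choice, and commands are only recorded rather than forwarded to a real host.

```python
import hashlib, json, secrets

class PamBroker:
    """Toy PAM broker: callers get a session handle, never the password."""

    def __init__(self, grants, clock):
        self.grants, self.clock = grants, clock  # {(user, target): expiry_ts}, time source
        self.vault = {}       # target -> current privileged password
        self.sessions = {}    # session id -> (user, target)
        self.audit = []       # hash-chained session log (tamper-evident)

    def _log(self, **event):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        body = json.dumps({"ts": self.clock(), **event}, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.audit.append({"body": body, "prev": prev, "hash": digest})

    def rotate(self, target):
        self.vault[target] = secrets.token_urlsafe(24)  # generated, never shown to admins

    def open_session(self, user, target):
        expiry = self.grants.get((user, target))
        if expiry is None or self.clock() >= expiry:     # no grant, or time limit passed
            self._log(user=user, target=target, action="open", result="denied")
            raise PermissionError(f"{user} has no valid grant for {target}")
        sid = secrets.token_hex(8)
        self.sessions[sid] = (user, target)
        self._log(user=user, target=target, action="open", result="ok", sid=sid)
        return sid

    def run(self, sid, command):
        user, target = self.sessions[sid]
        if self.clock() >= self.grants[(user, target)]:  # grant expired mid-session
            self.close_session(sid)
            raise PermissionError("grant expired")
        self._log(user=user, target=target, action="cmd", command=command, sid=sid)

    def close_session(self, sid):
        user, target = self.sessions.pop(sid)
        self.rotate(target)   # the password used during the session is retired
        self._log(user=user, target=target, action="close", sid=sid)

    def audit_intact(self):
        prev = "0" * 64
        for e in self.audit:
            good = hashlib.sha256((prev + e["body"]).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != good:
                return False
            prev = good
        return True
```

Because each log entry commits to the previous one, an administrator who edits a recorded command after the fact makes `audit_intact()` return `False`, which is what an investigation relies on.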

PAM is characterized by the same problem as other control systems – its implementation may be misinterpreted by the company's employees. The second layer of problems is a possible decrease in the speed of work of controlled employees due to the time spent on authorization and other processes.

In this case, such risks are more than justified, since the integration of PAM allows you to significantly reduce the potential risks of data leakage and, ultimately, organize access to sensitive data and infrastructure, which increases confidence in each privileged user due to the existence of tools for their objective control.

Kirill Ugolev
Head of the TEGRUS Information Security Division

Often, when implementing such control systems, especially if they are applied to their own privileged users, companies encounter dissatisfaction with their own staff. This factor should not be overlooked. In this case, it is necessary to explain to employees that this system not only controls them, but also makes it possible to obtain objective data. In the event of an incident, it will no longer be possible to blame the person who was not involved in its occurrence. These solutions allow you to accurately determine whether they performed actions that led to an unpleasant event, or whether the problem is not related to it.

From the point of view of building security for the company's information systems, PAM is not a first-line tool. It is of interest mainly to companies that are mature in information security and already have integrated perimeter protection and primary control of employees within the infrastructure.
 