
Privileged access management (PAM) consists of the cybersecurity strategies and
technologies for exerting control over the elevated (“privileged”) access and permissions
for users, accounts, processes, and systems across an IT environment. By dialing in the
appropriate level of privileged access controls, PAM helps organizations condense their
attack surface and prevent, or at least mitigate, the damage arising from
external attacks as well as from insider malfeasance or negligence.
While privilege management encompasses many strategies, a central goal is the
enforcement of least privilege, defined as the restriction of access rights and
permissions for users, accounts, applications, systems, devices (such as IoT) and
computing processes to the absolute minimum necessary to perform routine, authorized
activities.
In a least privilege environment, most users are operating with non-privileged
accounts 90-100% of the time. Non-privileged accounts are also called least privileged
accounts (LUA).
Alternatively referred to as privileged account management, privileged identity
management (PIM), or just privilege management, PAM is considered by many analysts
and technologists as one of the most important security projects for reducing cyber risk
and achieving high security ROI.
The domain of privilege management is generally accepted as falling within the broader
scope of identity and access management (IAM). Together, PAM and IAM help to
provide fine-grained control, visibility, and auditability over all credentials and
privileges.
While IAM controls provide authentication of identities to ensure that the right user has
the right access at the right time, PAM layers on more granular visibility, control, and
auditing over privileged identities and activities.
Special types of privileged accounts, known as superuser accounts, are primarily used
for administration by specialized IT employees and provide virtually unrestrained power
to execute commands and make system changes. Superuser accounts are typically
known as “Root” in Unix/Linux and “Administrator” in Windows systems.
Superuser account privileges can provide unrestricted access to files, directories, and
resources with full read / write / execute privileges, and the power to render systemic
changes across a network, such as creating or installing files or software, modifying files
and settings, and deleting users and data.
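Because the kernel treats any account with UID 0 as root regardless of its name, and because sudo policy on most distributions grants full administrative rights to an entire group, an honest inventory of superuser-equivalent accounts has to look past the literal name "root". The following script, added here as an example and not part of the original article, parses the /etc/passwd and /etc/group formats and flags every account that is effectively a superuser: UID 0, explicit membership of an administrative group, or an administrative group as its primary group. The admin group names (sudo, wheel) are an assumption about the host's sudoers policy, and the file contents at the bottom are constructed for illustration.

```python
"""Audit a Unix host for superuser-equivalent accounts (added example)."""
from __future__ import annotations

# Assumption: the host's sudoers policy grants full rights to either of these
# groups (the Debian and Red Hat defaults respectively). Adjust to match.
ADMIN_GROUPS = ("sudo", "wheel")


def parse_passwd(text: str) -> dict[str, tuple[int, int]]:
    """Map user name -> (uid, primary gid).

    /etc/passwd lines have the form name:passwd:uid:gid:gecos:home:shell.
    """
    users: dict[str, tuple[int, int]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry: skip rather than guess at its meaning
        users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users


def parse_group(text: str) -> dict[str, tuple[int, set[str]]]:
    """Map group name -> (gid, supplementary members).

    /etc/group lines have the form name:passwd:gid:member1,member2.
    """
    groups: dict[str, tuple[int, set[str]]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue
        members = {m for m in fields[3].split(",") if m}
        groups[fields[0]] = (int(fields[2]), members)
    return groups


def find_privileged(passwd_text: str, group_text: str,
                    admin_groups: tuple[str, ...] = ADMIN_GROUPS) -> dict[str, list[str]]:
    """Return {user: [reasons]} for every account that is effectively a superuser."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    findings: dict[str, list[str]] = {}
    for user, (uid, gid) in users.items():
        reasons: list[str] = []
        if uid == 0:
            reasons.append("UID 0 (root-equivalent)")  # name is irrelevant to the kernel
        for g in admin_groups:
            if g not in groups:
                continue
            admin_gid, members = groups[g]
            if user in members:
                reasons.append(f"member of {g}")
            if gid == admin_gid:  # primary-group membership is not listed in /etc/group
                reasons.append(f"primary group {g}")
        if reasons:
            findings[user] = reasons
    return findings


# Constructed sample data: a service account that was given UID 0, and a user
# whose primary group is the sudo group without appearing in its member list.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc-backup:x:0:27:backup service:/var/backups:/bin/sh
carol:x:1002:27:Carol:/home/carol:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice
wheel:x:10:
users:x:100:alice,bob
"""

if __name__ == "__main__":
    for user, reasons in find_privileged(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(f"{user}: {'; '.join(reasons)}")
```

Running it against the sample data reports root and svc-backup (UID 0), alice (sudo member) and carol (primary group sudo); bob is not flagged. On a real host, feed it the contents of /etc/passwd and /etc/group, and treat every hit other than root as a least-privilege finding to justify or remove.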
Privileged credentials (also called privileged passwords) are a subset of credentials that
provide elevated access and permissions across accounts, applications, and systems.
Privileged passwords can be associated with human accounts, application accounts, service accounts, and
more. SSH keys are one type of privileged credential used across enterprises to access.