5 Key Capabilities To Consider When Evaluating Privileged Access Management (PAM) Solutions


If employees and their digital identities are your largest attack vector, as cybersecurity experts contend, then your privileged users are potentially the most glaring vulnerability in your enterprise. Hackers and malicious insiders know that privileged credentials are an easy and lucrative target, and that the loss or theft of those credentials can cause catastrophic damage. In fact, 80% of security breaches involve privileged credentials, according to Forrester Research. Moreover, because of their privileged status, it can take weeks if not months to even notice the breach—by which time it may already be too late.

Therefore, enterprises deploy privileged access management solutions, or PAM solutions, to manage the digital identities of their most empowered users. This is a far superior strategy to manually handling privileged digital identities. But what capabilities should these solutions have? What should be considered most when surveying PAM solutions for your enterprise?

In an excerpt from the 2018 Solutions Review Privileged Access Management Buyer’s Guide, we share the 5 key capabilities for evaluating PAM solutions:

1. 2-Step or Multifactor Authentication

2-Step and Multifactor Authentication add an additional step (or factor) to the authentication process. Typically, the additional factor pairs something the user knows, such as a username and password, with something the user has or an action they perform, such as an SMS message to their phone, an email, or a hard token the user carries. It is imperative for small-to-midsized businesses (SMBs) and large enterprises alike to move past the username/password paradigm that has dominated credential security for years, as privileged passwords have proven increasingly easy to steal.

2. Single Sign-On

Single sign-on, abbreviated SSO, lets users log on to a single platform that then grants them automatic access to multiple applications for a set period of time. Users present one set of credentials for multiple applications rather than continually re-entering passwords or remembering several of them. It is designed to eliminate certain kinds of passwords—specifically, ones that are frequently used and easy to remember, and thus easy to steal.

3. Role-Based Access Controls

PAM solutions allow your enterprise to operate in a state of zero trust—giving your employees just enough privilege to do their jobs effectively, which limits the damage if their credentials are abused. In addition, PAM solutions often provide granular, role-based access controls that let administrators regulate permissions and entitlements based on a user’s role. Additional privileges can often be requested through self-service and approved or denied directly.

4. Limit Lateral Access

PAM solutions can also limit the authority users have over their assigned systems and the commands they can enter on those systems. This prevents employees or hackers from escalating privileges without permission or moving laterally within the network into systems they should not control. You can set policies, and adjust them to match job roles, to determine the lateral movement capabilities of your employees.

5. Monitoring Privilege Use

PAM solutions provide the capability to monitor, record, and audit privileged account activity on your network. This not only serves as a secondary layer of protection against insider threats and hackers; it is often a crucial part of regulatory compliance protocols. These monitoring and recording capabilities allow IT administrators to review privileged activities in the event of an incident and determine what actions occurred, allowing for a thorough and rapid response.
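As an added illustration of capabilities 3 to 5 (example code written for this article, not code from the guide or from any PAM product), the following Python sketch applies a role-based allowlist of hosts and commands to a set of recorded privileged-session commands, denying commands outside a role's entitlement or on hosts outside its scope, and producing an audit trail of every decision. The policy, the key=value log layout, the hostnames and the user names are all constructed for the example.

```python
import fnmatch
import re
from dataclasses import dataclass
# Constructed policy: host patterns and command patterns each role may use.
# Anything not listed is denied, which is the "just enough privilege" posture.
POLICY = {
    "dba": {"hosts": ["db-*"], "commands": ["systemctl * postgresql", "psql *", "pg_dump *"]},
    "webops": {"hosts": ["web-*"], "commands": ["systemctl * nginx", "tail *", "journalctl *"]},
}

@dataclass
class Decision:
    allowed: bool
    reason: str

def evaluate(role: str, host: str, command: str) -> Decision:
    """Decide whether a role may run a command on a host under POLICY."""
    rules = POLICY.get(role)
    if rules is None:
        return Decision(False, f"unknown role {role!r}")
    if not any(fnmatch.fnmatchcase(host, p) for p in rules["hosts"]):
        # Host outside the role's scope: the lateral-movement case.
        return Decision(False, f"role {role!r} has no entitlement on host {host!r}")
    if not any(fnmatch.fnmatchcase(command, p) for p in rules["commands"]):
        return Decision(False, f"command not in allowlist for role {role!r}")
    return Decision(True, "matched role policy")

# Constructed session records; the key=value layout is assumed, not a product format.
LOG_RE = re.compile(r"^(\S+) user=(\S+) role=(\S+) host=(\S+) cmd=(.*)$")
SAMPLE_LOG = [
    "2024-05-01T09:00:00Z user=alice role=dba host=db-01 cmd=systemctl restart postgresql",
    "2024-05-01T09:02:11Z user=alice role=dba host=db-01 cmd=ssh web-01",
    "2024-05-01T09:05:40Z user=bob role=webops host=web-01 cmd=tail -n 50 /var/log/nginx/error.log",
    "2024-05-01T09:07:03Z user=bob role=webops host=db-02 cmd=psql -c 'select 1'",
    "corrupted record",
]

def audit(lines):
    """Replay recorded privileged commands through the policy; return (verdict, detail) pairs."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            findings.append(("UNPARSED", line))  # never silently drop a record
            continue
        ts, user, role, host, cmd = m.groups()
        d = evaluate(role, host, cmd)
        findings.append(("ALLOW" if d.allowed else "DENY",
                         f"{ts} {user}@{host} ran {cmd!r}: {d.reason}"))
    return findings
```

Running `audit(SAMPLE_LOG)` yields ALLOW for the two in-policy commands, DENY for the `ssh` hop and for the `psql` call on a database host outside the webops scope, and UNPARSED for the corrupted record, so that a reviewer sees every line, including the ones the parser could not read.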

To learn more about PAM solutions, check out the full 2018 Solutions Review Privileged Access Management Buyer’s Guide, available for free here. You can also read the Gartner Best Practices for Privileged Access Management Report here.

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.