What Does PAM Mean To You?
The term is not as straightforward as most people think… it has evolved over the years in parallel with the ever-changing security landscape. Take any combination of password management, least privilege, and session management, then throw in a smattering of role-based directory groups and you’ve kinda got it. The key misunderstanding, though, is that a PAM solution must come wrapped around a password vault. This is not to say that password vaults are not important; it’s just that they are a commoditized component that all too often dictates how the rest of the solution is implemented. To understand why vaults have taken such a central position, let’s take a quick history lesson on how the market has evolved over the last two decades.
2000-2010ish: A surge in regulatory compliance legislation forced organizations to perform due diligence remediation around password management. This was low-hanging fruit: passwords were often not complex and rarely rotated, something that would be almost unthinkable today. Understandably, PAM in this decade stood for Privileged Account Management. The challenge, however, was that users still had access to the password itself, even if only for short periods.
Around 2012 we saw mainstream acceptance of session proxies as a means of connecting users to servers. The benefits were that the password was never exposed, the user did not need direct access to the server, and the activity through the proxy could be recorded and played back. The session proxies were wrapped in the vault so that users could pick an account and then be logged onto a host automatically. As legislation started to require better segregation between user and server environments, proxies were used in place of bastion hosts, and the term Privileged Access Management became interchangeable with Privileged Account Management.
Today, we have a PAM market largely made up of vendors with a vault at the core of their offerings, because that is where the market evolved from. Unfortunately, this adds layers of complexity to what is, in essence, a very simple problem: administrators need secure access to servers to do their job. It is as simple as that. Vaults map people to accounts, accounts to systems, and systems to applications. This many-to-many-to-many approach results in massive complexity and a house of cards that’s ready to come tumbling down the moment something breaks. Not only that, but each account under management still retains its privileges even when not in use, which represents an attack surface that can be easily exploited.
PAM has become far too complex with a high cost of implementation and ongoing maintenance. It doesn’t need to be – there is a better way.
STEALTHbits Privileged Activity Manager (SbPAM) has been built from the ground up to solve the fundamental challenge of allowing administrators to safely and securely access the systems and applications required as part of their job. It leverages a unique patent-pending process that supports any access control use case for any platform.
- Grant – Add just enough permissions, just in time
- Connect – Start the activity for the user (e.g. this could be logging onto a server or automatically starting an application)
- Remove – Reset the account so that there are no privileges
A granular 3-step process sets up the activity for the administrator, connects them to the required system, and then tears everything down so there are no standing privileges when complete. The benefit is a reduction of the attack surface and reduced complexity in a deployment that does not rely on mapping privileged accounts to upstream security groups.
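To make the three steps concrete, here is an added example that models Grant / Connect / Remove as a small in-memory access broker. It is not SbPAM code and not the product’s API: the `ActivityBroker` class, the account names and the privilege sets are all constructed for illustration. It also shows what still counts as standing privilege: a vault-style account that keeps its rights while idle, and a grant whose time-to-live has lapsed without a teardown.

```python
from contextlib import contextmanager
from datetime import datetime, timedelta, timezone

class ActivityBroker:
    def __init__(self, directory):
        self.directory = directory   # account -> set of privileges it currently holds
        self.active = {}             # account -> expiry of its live activity (hypothetical model)

    def grant(self, account, privileges, ttl):
        """Step 1: add just enough privileges, just in time, with an expiry."""
        self.directory.setdefault(account, set()).update(privileges)
        self.active[account] = datetime.now(timezone.utc) + ttl

    def remove(self, account):
        """Step 3: reset the account so it holds no privileges at all."""
        self.directory[account] = set()
        self.active.pop(account, None)

    @contextmanager
    def activity(self, account, privileges, ttl=timedelta(minutes=30)):
        """Steps 1-3 together; the finally guarantees teardown even if the session fails."""
        self.grant(account, privileges, ttl)
        try:
            yield account            # Step 2: connect and run the task inside the with-block
        finally:
            self.remove(account)

    def standing_privileges(self):
        """Accounts holding privileges with no live, unexpired activity: the attack surface."""
        now = datetime.now(timezone.utc)
        return {a: p for a, p in self.directory.items()
                if p and not (a in self.active and self.active[a] > now)}

def demo():
    # Constructed sample: two vault-style accounts that keep their rights while idle.
    broker = ActivityBroker({"svc_dba": {"sysadmin"}, "svc_backup": {"backup_operator"}})
    idle_vault_accounts = len(broker.standing_privileges())             # 2
    with broker.activity("alice_admin", {"local_admin"}):
        exposed_during = "alice_admin" in broker.standing_privileges()  # False: live activity
    exposed_after = "alice_admin" in broker.standing_privileges()       # False: torn down
    try:                                                                # session dies mid-task
        with broker.activity("bob_admin", {"sudo"}):
            raise RuntimeError("constructed failure")
    except RuntimeError:
        pass
    exposed_after_failure = "bob_admin" in broker.standing_privileges()  # False: finally ran
    broker.grant("carol_admin", {"sudo"}, timedelta(seconds=-1))         # grant left to expire
    expired_grant_exposed = "carol_admin" in broker.standing_privileges()  # True: no teardown
    return idle_vault_accounts, exposed_during, exposed_after, exposed_after_failure, expired_grant_exposed
```

Whatever calls `standing_privileges()` in a real deployment is the check worth alerting on: any account it returns is privilege sitting idle, exactly the surface the three-step process is meant to eliminate.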
SbPAM enables administrators and helpdesk professionals to perform their day-to-day activities easily and without the complexity of traditional PAM tools. As a next-generation Privileged Access Management solution, SbPAM focuses on controlling the activity that needs to be performed rather than mapping access to an account. The result is a reduced attack surface that drastically improves an organization’s overall security posture.
To speak to a STEALTHbits Sales or Support Representative, please email info@STEALTHbits.com.
Martin is Vice President of Product Strategy at STEALTHbits.
Martin is an experienced technologist, with over 30 years in the Privileged Access Management and security space. Prior to STEALTHbits, Martin led the privileged access team at BeyondTrust, where he took their password management solution from unknown to a recognized leader in the industry within 3 years. At BeyondTrust he also drove the development of their first SaaS PAM product as well as a new microservice-based platform for DevOps security. Prior to BeyondTrust, Martin held key management positions at Quest/Dell, Novell, Fortefi and Symantec. He is a recognized expert and a regular speaker at security events and webinars.