Phone Number +1-202-802-9399 (US)
The Lockdown

Thycotic’s Cyber Security Blog

10 Features Every Privileged Access Management Solution Must Have

mm

Written by Barbara Hoffman

May 26th, 2020

The MoSCoW method is a prioritization technique used in project management and software to prioritize requirements. It stands for: Must haveShould haveCould have, and Won’t have. Using this approach can help you build a common understanding among your stakeholders as you evaluate and select a privileged access management (PAM) solution.

In this blog, we’ll focus on the 10 must-have features that create the foundation of a robust PAM system.

  1. Password vaulting

All PAM solutions must prevent privileged users from knowing the actual passwords to critical systems and resources. This way, any attempt of a manual override on a physical device can be prevented. Instead of giving passwords to privileged users, PAM solutions must protect privileged credentials in a secure vault.

  1. Password management: auto-generation, rotation, and workflow approval

PAM tools allow you to automate and control the entire process of granting access and passwords to privileged accounts.

Each time a privileged user requests access, a new password can be automatically generated by the PAM system to avoid password reuse or leakage, while ensuring a match between current credentials and target systems.

Highly critical and sensitive credentials are given only if an established policy is followed and when all required approvals are met.

PAM includes handling access permissions based on roles and policies. Within PAM solutions, you can define a fixed number of parameters that control administrative access, as well as limit access to specific functions and resources.

  1. Multi-factor authentication

Even with multiple security protocols in place, there is still potential for privileged accounts to be breached. PAM software must add an additional layer of security with multi-factor authentication protocols (MAP) when a user requests access. OATH authentication and proprietary tokens can also be integrated as part of MAP.

  1. Access for remote employees and third parties

Remote workers must be able to access the same systems and data they could while in the office.

Identities should be consolidated across all operating systems and environments, on premise and cloud, so you know which people are associated with which accounts.

PAM software must provide third-party personnel role-based access to systems without the need for domain credentials, thus limiting access to privileged resources.

Remote Access Controller Demo:

  1. Mobile access points

Mobile devices are becoming common access points to enterprise systems. PAM software that integrates with a secure application launcher can grant access to remote devices.

  1. Session Management

A PAM solution must establish sessions for each and every privileged user.

You need the capability to record all privileged sessions, both command-line and video, in a searchable and comprehensive way. This way, you can quickly show compliance with regulations for SOC2, SOX, PCI DSS 3.2, HIPAA, NERC CIP, ISO 27001 and more.

With live session monitoring, IT teams are capable of viewing all sessions in real time. A real-time view of all privileged sessions means you can quickly terminate suspicious or unauthorized sessions.

  1. Real-time visibility and alerting

When a threat is detected, preventative actions should be taken immediately. An effective PAM solution must enable you to create alerts and quickly address any deviations in account usage.

  1. Disaster recovery

PAM systems must be designed with failover safeguards to ensure no single point of failure can prevent critical access to systems during a widespread system or network outage.

  1. Emergency access

All PAM solutions must enable you to configure access controls and approval workflows for a “break glass” scenario. If an all-out emergency occurs, a user could put a flag on the system to indicate that no approval is required for any checkout. All such requests would have to be approved automatically but still audited, and you must pre-define who can request such access, who is responsible for approving it, and on which systems.

  1. Auditing and reporting

By providing risk-based scorecards that show who has access to which resources, an effective PAM solution can save you hours gathering audit and compliance information.

If a privileged account attack occurs, a forensic investigation will require you to provide the complete picture. Only few PAM solutions can give you a 360° view of when a privileged account password was checked out and by whom, as well as all the actions taken by that account.

Beyond the PAM Must haves

With the right PAM solution, you can rest assured that mission-critical infrastructure is protected. These must-haves will empower you to enforce access controls even on “super user” accounts, improve your security, and meet audit and compliance requirements.

Once the PAM must-haves are in place, the unique needs, work style, and security risks of your organization will determine how you define your list of Should haveCould have, and Won’t have requirements.

Short Demo: See Secret Server Privileged Access Management software in action

FREE Privileged Account Management for Dummies book

FREE Privileged Account Management for Dummies book

Get smart about Privileged Account password security with this quick read

 

Like this post?

Get our top blog posts delivered to your inbox once a month.

SHARE THIS