Privileged Identity Management (PIM) and identity-centric security controls

The number of identities in the enterprise is exploding.

Gaining control of identities related to people as well as machines is a challenge for many organizations. You need to know who your users are and what they do. If you experience a security incident, you must be able to reverse engineer who did what in order to meet compliance requirements and make sure it doesn’t happen again.

Therefore, each person and each technology in your IT environment, including apps, databases, code, and devices, must have its own digital identity.

Privileged Identity Management (PIM) is one of many security solutions that help organizations create, manage, and secure digital identities.

What is Privileged Identity Management?

In its Wave report, Forrester uses the term PIM. In its Magic Quadrant report, Gartner uses the term PAM.

For the most part, these terms are used interchangeably. But there is a subtle difference.

PIM focuses on managing identities

PIM determines a specific distribution of rights for each privileged user identity across multiple systems in your organization, ensuring that they can only access data and perform certain actions within set boundaries. PIM governs privileged identities throughout their lifecycle, from creation or provisioning new identities to revoking or de-provisioning identities. PIM determines how identities should be organized in groups so that they can be managed consistently according to your security policies.

PAM focuses on managing access

PAM allows organizations to determine exactly what level of access a privileged user or system may have, related to resources (devices, applications, environments, network files, etc.) for a set time period. PAM solutions provide just-in-time access and allow elevated or emergency access in specific situations. They also allow organizations to control and audit that access, through functionality like credential creation and storage, password rotation, and session monitoring.

PIM and PAM are a subset of IAM

Identity Access Management (IAM) applies to all users in an organization—not just IT admins or superusers—who have a digital identity that needs to be managed. Regardless of the user type, IAM systems follow the idea that each user must have their own digital identity that includes username, password, and online activities.

During provisioning and de-provisioning processes, IAM checks each identity to confirm that it has the appropriate access. These solutions connect to Active Directory or other systems like Okta that centralize identity management. IAM systems also give organizations the ability to modify a user, create usage reports, and reinforce policies.

Today, every user is a privileged user

The line between PIM and IAM is increasingly blurry because, in an enterprise setting, virtually all users are in fact, privileged users.

Traditionally, the term “privileged users” referred to superusers such as system administrators responsible for managing an IT environment or enterprise software or hardware. For example, a privileged user account might be used by an IT professional to access internal servers in order to perform an upgrade, modify settings, or conduct general maintenance.

Other enterprise users also have privileged identities in order to do their work using systems that contain sensitive data or critical business functions. For example:

HR team members have privileged identities for payroll, benefits, and other workplace systems that contain personally identifiable information.
Finance teams have privileged identities to access data and complete transactions.
Sales, marketing, product, and other teams have privileged identities because they may see customer information and intellectual property that must be protected.

Everyday business users may also have privileged identities, which many organizations don’t consider. Consider that business users who retain local administrative rights to their workstations are privileged users. They can make configuration changes, add and remove applications, and execute programs. This elevated level of account permissions makes local account credentials attractive assets for cyber criminals to target via social engineering and phishing strategies.

Privileged identity and security operations

In the past, identity has often operated outside of security, according to the Identity Defined Security Alliance (IDSA), but that is changing. “In the last several years, identity has started the transition from an operational and user experience driven entity to its current recognition as the core component of security.”^[1]

Why has Privileged Identity Management become so important?

Identity-related breaches have become ubiquitous. These types of attacks have a lot in common, but they can take on many different forms, including:

Phishing — pretending to be a legitimate person or institution via email, phone, or text to trick an individual into sharing sensitive information
Stolen credentials — illegally gaining access to an organization or individual’s passwords and usernames
Inadequately managed privileges — unintentionally giving access to sensitive information or resources to individuals who do not need access
Brute-force attacks — using trial and error to input many different login credentials until one works
Social engineered passwords — tricking an individual into divulging their password
Compromised privileged identities — illegitimately gaining access to an account that has access to sensitive information or resources
Man in the Middle attacks — secretly relaying or altering communication between two different individuals^[2]

The spate of identity-related breaches in the past year means there is a wealth of personal data available for sale on the Dark Web. As a result, digital identity fraud is increasing as are insider threats, both malicious and accidental.

Privileged identity management challenges abound

According to a February 2021 survey of 300+ enterprises from Dimension Research^[3], 72% of organizations report it takes at least a week for a typical worker to get a privileged identity provisioned with access to required systems.

De-provisioning time for privileged identities is more concerning. Half of the enterprises report it usually takes three days or longer to revoke access for a worker that leaves.

Enterprise leaders are invested in privileged identity security, but poor behaviors still exist.

81% believe they share responsibility for access issues
56% of Sales Managers report they had staff who stole information when they left
Only 38% would immediately terminate access based on suspicious behavior
70% confess to having personally engaged in poor system identity behavior

New PIM use cases for machine identities

“Our clients tell us that machine identities are growing at twice the rate of human identities,” reports Forrester in its most recent Wave.

“PIM solutions should support DevOps teams, IT admins configuring cloud infrastructure, bots, IoT, and API-driven workloads. CISOs are burning a lot of calories trying to secure privileged access for these use cases right now.”

According to Forrester, “PIM solutions for these new use cases are best delivered as SaaS for speed, modular architecture, and better integration.”

Benefits of Privileged Identity Management

Privileged Identity Management (PIM) solutions empower users to do the right thing.

People want to do the right things to secure privileged information. They need the right tools and controls in place to maintain an appropriate level of security.

PIM solutions make the rising number of identities manageable, with automated, policy-based controls and consistent governance.

Five Privileged Identity Management best practices to include in your security strategy

As you develop your cybersecurity strategy, keep the following PIM best practices in mind.

In addition to administrators and superusers, incorporate business users and business applications in your PIM strategy.
Make sure you consider non-human accounts and manage those identities throughout the lifecycle. Ensure each non-human identity has a human “owner” who knows that the identity is used for, what downstream processes are connected, and has oversight for approvals and de-provisioning when the identity is no longer needed.
PIM doesn’t work in isolation. To be most effective, it should be integrated tightly into your technology stack as well as people’s everyday workflow.
Integrate your PIM solution with Active Directory for consistency and ease of use.
Consolidate identities using an Identity Bridge so that you can manage and report on user access and behavior from a single hub.
Integrate your PIM solution with IAM, IGA, and any provisioning and workflow tools so that you can build them directly into the workflow of your IT operations team.

Look for PIM solutions with centralized dashboards and reporting. Forrester recommends, “analytics to correlate across different solutions to discover privileged access blind spots and detect threats,”
Finally, make sure whatever PIM solution you choose delivers an intuitive user experience that makes adoption easier. As Forrester says, “Just because IT environments and business demands are complex doesn’t mean PIM solutions need to be too.”

^[1] https://www.idsalliance.org/white-paper/identity-defined-security-framework/

^[2] https://www.okta.com/blog/2020/06/idsa-report-the-state-of-identity-related-security-in-2020/

^[3] https://www.idsalliance.org/wp-content/uploads/2021/02/IAM-Stakeholder-Perspective.pdf