
7 privileged access management best practices

Privileged access is a given in enterprise environments, but a compromised privileged account can do outsized damage. Follow these seven PAM best practices to mitigate the risk.

Privileged access management, or PAM, has been a cornerstone of good security hygiene for decades. It gives organizations a dependable way to secure, control and monitor access to critical information and resources. Yet a poorly managed PAM deployment becomes a liability of its own and can dramatically increase an organization's risk.

To ensure your PAM deployment is effective, consider the following best practices.

1. Employ temporary privilege escalation

Adhering to the principle of least privilege is a best practice in any identity and access management (IAM) strategy. Even with PAM in place, standing privileges should be granted only at the level a task requires, with temporary privilege escalation provided on an as-needed basis.

Build and maintain a process pipeline that determines when a temporary privilege escalation is appropriate. The policy governing each escalation should record the specific reason the escalation was approved and who approved it, when it expires, and the attributes that constrain it, among them location, device and type of operation. Once the window closes, the elevated privilege should be revoked automatically rather than left for someone to remember.

2. Keep track of assets and privileges

As new components and other assets -- both sanctioned and unsanctioned -- appear on the enterprise network, automated asset discovery, combined with an assessment of who owns each asset and who can access it, is essential. The assessment process must also be able to revoke a user's privileges automatically when noncompliance is detected.

3. Deploy attribute-based access control

Privileges tied to roles and assets have been the foundation of IAM. Attribute-based access control (ABAC), an emerging methodology, gives companies a way to write policies that exert even firmer control over what users can do. In addition to roles and assets, ABAC adds two more dimensions: actions and environment. Actions -- among them read, write, copy and delete -- define what the user is trying to do with the resource. Environment captures the broader context of the request, including time and date, location, the device itself and the protocols in use.
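The following is an added example, not code from the original article, showing how the two ideas above fit together in a single decision function: standing role-and-asset privileges carry ABAC constraints on action and environment, and a temporary escalation (practice 1) is just another policy object with an approver, a reason, an expiry and its own constraining attributes. The attribute names (`location`, `device`, `hours`), the principals, the asset name and the reference time are all constructed for illustration.

```python
"""ABAC-style decision with time-bounded, attribute-constrained escalation grants.
Added example, not from the original article; attribute names, policy structures
and sample principals below are assumptions made for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Request:
    """One access request: subject, its roles, the asset, the action and the environment."""
    subject: str
    roles: frozenset
    resource: str
    action: str        # read, write, copy, delete, ...
    env: dict          # time, location, device, protocol


@dataclass
class StandingPolicy:
    """Role-and-asset privilege with ABAC constraints on action and environment."""
    roles: frozenset
    resources: frozenset
    actions: frozenset
    env_constraints: dict = field(default_factory=dict)


@dataclass
class EscalationGrant:
    """Temporary escalation: who approved it, why, when it expires and what constrains it."""
    subject: str
    resources: frozenset
    actions: frozenset
    reason: str
    approved_by: str
    expires_at: datetime
    env_constraints: dict = field(default_factory=dict)
    revoked: bool = False


def env_matches(constraints, env):
    """Each constraint is attribute -> allowed values; 'hours' is a (start, end) window."""
    for attr, allowed in constraints.items():
        if attr == "hours":
            start, end = allowed
            if not start <= env["time"].hour < end:
                return False
        elif env.get(attr) not in allowed:
            return False
    return True


def decide(request, policies, grants):
    """Default deny. Standing policies are checked first, then live (unexpired, unrevoked) grants."""
    for p in policies:
        if (request.roles & p.roles and request.resource in p.resources
                and request.action in p.actions and env_matches(p.env_constraints, request.env)):
            return True, "standing policy"
    now = request.env["time"]
    for g in grants:
        if g.subject != request.subject or g.revoked or now >= g.expires_at:
            continue  # expired or withdrawn grants confer nothing
        if (request.resource in g.resources and request.action in g.actions
                and env_matches(g.env_constraints, request.env)):
            return True, f"escalation approved by {g.approved_by}: {g.reason}"
    return False, "no matching policy or live grant"


T0 = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)  # constructed reference time


def run_scenarios():
    """Evaluate a handful of constructed requests; returns scenario name -> allowed."""
    policies = [StandingPolicy(
        roles=frozenset({"dba"}), resources=frozenset({"prod-db"}),
        actions=frozenset({"read", "write"}),
        env_constraints={"location": {"corp-net"}, "device": {"managed"}, "hours": (8, 18)})]
    grants = [EscalationGrant(
        subject="alice", resources=frozenset({"prod-db"}), actions=frozenset({"delete"}),
        reason="constructed: drop stale partitions after migration", approved_by="bob",
        expires_at=T0 + timedelta(hours=2),
        env_constraints={"device": {"managed"}, "location": {"corp-net"}})]

    def req(action, subject="alice", roles=("dba",), at=T0, device="managed", location="corp-net"):
        return Request(subject, frozenset(roles), "prod-db", action,
                       {"time": at, "device": device, "location": location})

    cases = {
        "dba reads in hours": req("read"),
        "dba reads after hours": req("read", at=T0.replace(hour=22)),
        "delete under live grant": req("delete"),
        "delete after grant expired": req("delete", at=T0 + timedelta(hours=3)),
        "delete from unmanaged device": req("delete", device="unmanaged"),
        "developer reads prod": req("read", subject="carol", roles=("dev",)),
    }
    return {name: decide(r, policies, grants)[0] for name, r in cases.items()}


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:30} {'ALLOW' if allowed else 'DENY'}")
```

The point to notice is that the escalation never widens the standing policy: the deputy-style grant allows exactly one action on one asset, only from a managed device on the corporate network, and stops working on its own once `expires_at` passes, so nobody has to remember to take it away.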

4. Monitor assignment of privileges versus usage

Periodically compare the privileges configured for a user or other entity against the privileges actually used. For instance, if a user has been given read, create, destroy and modify rights to a cloud store but has never done anything other than read, revoking the other three privileges, or at least requiring multifactor authentication before they can be exercised, reduces the risk considerably. The same review catches one-time escalations that were never undone: a super admin's privileges granted to her deputy while she is on vacation are often still in place long after she returns. Monitoring usage would alert administrators that the deputy's privileges should be withdrawn.

5. Deploy zero trust, everywhere

Zero trust is a mindset and cultural change that is gaining significant traction. The model assumes a compromise has already occurred and evaluates every action against that backdrop. To that end, access to a resource is denied by default and granted only after the user and the device making the request have been authenticated and inspected, regardless of where on the network the request originates.

6. Record and audit

A standard PAM best practice is to record all privileged user activity. But recording alone is not enough unless proper audit processes are in place. The records are obviously useful when investigating a breach that involved privilege escalation, but there should also be a routine process to review access records and act on what they show, in particular when comparing assigned privileges with actual usage or when enforcing zero-trust decisions.

7. Monitor and alert

Any attempt to access an asset or execute an action beyond the assigned privilege level should generate an alert. Periodic monitoring of routine actions, meanwhile, provides insight into how behavior and timing change over time. Baselines of normal behavior can then be adjusted to reduce the number of false positives while ensuring that genuine deviations from normal are flagged.
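Practices 4, 6 and 7 are all questions you can answer from the same access records, so here is one added example, not code from the original article, that runs the review over a constructed log: it lists assigned-but-never-used privileges to revoke or gate behind MFA, flags actions beyond a principal's assigned privileges, finds a temporary grant (the deputy case) that expired but was never withdrawn, and compares post-baseline activity against each principal's usual hours. The log format, principal names, privilege names, dates and the one-hour tolerance are assumptions made for the example.

```python
"""Privilege-versus-usage review and alerting over an access log.
Added example, not from the original article. The log format, principal names,
privilege names and time windows below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed access log: "<ISO timestamp> <principal> <action> <resource>"
ACCESS_LOG = """\
2024-03-01T09:12:00Z alice read    s3://reports
2024-03-02T10:05:00Z alice read    s3://reports
2024-03-03T11:30:00Z alice read    s3://reports
2024-03-02T14:00:00Z dave  modify  s3://reports
2024-03-04T15:20:00Z dave  modify  s3://reports
2024-03-06T10:00:00Z alice read    s3://reports
2024-03-06T03:17:00Z dave  modify  s3://reports
2024-03-06T16:45:00Z erin  create  s3://reports
"""

# Constructed standing assignments on the store (principal -> privileges).
ASSIGNED = {
    "alice": {"read", "create", "destroy", "modify"},
    "dave": {"read", "modify"},
    "erin": {"read"},
    "frank": {"read", "super-admin"},
}

# Constructed temporary grants as (principal, privilege, expiry): the deputy case from the text.
TEMP_GRANTS = [("frank", "super-admin", datetime(2024, 2, 20, tzinfo=timezone.utc))]

BASELINE_END = datetime(2024, 3, 6, tzinfo=timezone.utc)  # events before this form the baseline
NOW = datetime(2024, 3, 7, tzinfo=timezone.utc)           # constructed "today" for the review


def parse_log(text):
    """Parse log lines into (timestamp, principal, action, resource) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, principal, action, resource = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), principal, action, resource))
    return events


def unused_privileges(assigned, events):
    """Assigned privileges never exercised: candidates for revocation or mandatory MFA step-up."""
    used = defaultdict(set)
    for _, principal, action, _ in events:
        used[principal].add(action)
    return {p: privs - used[p] for p, privs in assigned.items() if privs - used[p]}


def out_of_scope_actions(assigned, events):
    """Actions beyond the principal's assigned privileges: alert immediately."""
    return [(ts, p, a, r) for ts, p, a, r in events if a not in assigned.get(p, set())]


def expired_grants_still_assigned(assigned, grants, now):
    """Temporary escalations past their expiry that are still present in the assignments."""
    return [(p, priv) for p, priv, exp in grants if now > exp and priv in assigned.get(p, set())]


def off_hours_events(events, baseline_end, tolerance=1):
    """Post-baseline events at an hour the principal was never active (within +/- tolerance hours,
    wrapping at midnight). A principal with no baseline at all is flagged too."""
    hours = defaultdict(set)
    for ts, p, _, _ in events:
        if ts < baseline_end:
            hours[p].add(ts.hour)

    def near(h1, h2):
        return min(abs(h1 - h2), 24 - abs(h1 - h2)) <= tolerance

    return [(ts, p, a, r) for ts, p, a, r in events
            if ts >= baseline_end and not any(near(ts.hour, h) for h in hours[p])]


def review(log_text=ACCESS_LOG, assigned=ASSIGNED, grants=TEMP_GRANTS, now=NOW, baseline_end=BASELINE_END):
    """Run all four checks and return their findings keyed by finding type."""
    events = parse_log(log_text)
    return {
        "revoke_or_stepup": unused_privileges(assigned, events),
        "alerts_out_of_scope": out_of_scope_actions(assigned, events),
        "stale_grants": expired_grants_still_assigned(assigned, grants, now),
        "alerts_off_hours": off_hours_events(events, baseline_end),
    }


if __name__ == "__main__":
    for finding, items in review().items():
        print(f"{finding}: {items}")
```

On this constructed data, alice's create, destroy and modify rights are never used and go on the revocation list, erin's create is outside her assigned privileges and alerts at once, frank's super-admin grant expired weeks ago but is still assigned, and dave's 03:17 modify falls outside his established afternoon pattern. Widening `tolerance`, or building the baseline from a longer window, is how you tune the off-hours check down to an acceptable false-positive rate without losing the genuine deviations.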
