Privileged Identity Management - Privileged Identity Management Software

Privileged Identity Management Software

Because common identity and access management (IAM) frameworks do not manage or control privileged identities, privileged identity management software began to emerge after the year 2000.

There are several reasons for a special category of software to secure access to privileged accounts (rather than using "generic" identity and access management solutions):

  • In a typical IAM system, there are a few integrated systems, but thousands of managed identities on each one.
  • In contrast, in a typical PAM (privileged access management) system, there are thousands of managed systems, but only a few managed identities on each one.
  • IAM systems are designed to create/delete IDs and manage their security entitlements.
  • In contrast, in a typical PAM system, shared, privileged IDs already exist, and it is access to them (by users who also already have IDs) that is being managed.
  • Entitlements granted in a typical IAM system are granted on a permanent/persistent basis. "User X shall have entitlement Y from now on."
  • In contrast, in a typical PAM system, access to privileged accounts or elevated privileges is granted for very short time windows (on the order of minutes or hours), just long enough to perform a task.

Privileged identity management software frameworks manage each of the special requirements outlined above, including discovery, authentication, authorization, password management with scheduled changes, auditing, compliance reporting, and access controls. The frameworks generally require administrators to check out privileged account passwords before each use, prompting requesters to document the reason for each access and re-randomizing the password promptly after use. Even after logging in, administrator actions are managed using access controls.
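The check-out workflow described above, as an added sketch that is not taken from this page or from any product: an in-memory broker that requires an authorized requester and a documented reason, issues a time-limited lease, re-randomizes the password on check-in or lease expiry, and records every decision in an audit trail. The names `Vault` and `PrivilegedAccount`, the default lease length, and the injectable clock are assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass, field

@dataclass
class PrivilegedAccount:  # hypothetical record for one shared privileged ID
    name: str
    password: str = field(default_factory=lambda: secrets.token_urlsafe(24))
    holder: str = ""      # user currently holding the lease, "" if none
    expires: float = 0.0  # lease expiry as a clock() timestamp

class Vault:
    """Toy check-out/check-in broker for shared privileged accounts."""
    def __init__(self, authorized, clock=time.time):
        self.authorized = authorized  # {account name: set of permitted users}
        self.accounts = {a: PrivilegedAccount(a) for a in authorized}
        self.audit = []               # (time, user, account, event, detail)
        self.clock = clock

    def _log(self, user, account, event, detail=""):
        self.audit.append((self.clock(), user, account, event, detail))

    def _rotate(self, acct, why):
        # Re-randomize so the value that was disclosed stops working.
        acct.password = secrets.token_urlsafe(24)
        acct.holder, acct.expires = "", 0.0
        self._log("vault", acct.name, "rotate", why)

    def checkout(self, user, account, reason, ttl=900):
        acct = self.accounts[account]
        if acct.holder and self.clock() >= acct.expires:
            self._rotate(acct, "lease expired")  # reclaim an overdue lease
        allowed = user in self.authorized[account]
        if not allowed or not reason.strip() or acct.holder:
            self._log(user, account, "deny", reason)
            raise PermissionError(f"checkout of {account} denied for {user}")
        acct.holder, acct.expires = user, self.clock() + ttl
        self._log(user, account, "checkout", reason)
        return acct.password

    def checkin(self, user, account):
        acct = self.accounts[account]
        if acct.holder != user:
            raise PermissionError("not the current holder")
        self._log(user, account, "checkin")
        self._rotate(acct, "checked in")
```

A real deployment would also push the new password to the managed system and keep the audit trail in tamper-evident storage; both are out of scope for this sketch.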

In doing so, privileged identity management software can guard against undocumented access to configuration settings and private data, enforce the provisions of IT service management practices such as ITIL, and provide definitive audit trails to prove compliance with standards such as HIPAA 45 § 164.308(1)(D) and PCI-DSS 10.2. In addition, the more advanced frameworks also perform discovery of interdependent services, synchronizing password changes among interdependent accounts to avoid service disruptions that would otherwise result.

Increased risks associated with the movement to the hybrid cloud have created the need for enhanced capabilities in privileged identity management security solutions. Next-generation requirements for privileged identity management include a dynamic architecture, a comprehensive integrated control set, and full hybrid cloud protection. A dynamic architecture supports automated policy provisioning and the ability to support rapidly changing virtual environments. The comprehensive set of controls required includes user monitoring and reporting, credential management, role-based access control, and strong authentication capabilities. Full hybrid cloud protection also requires the ability to defend new cloud management consoles from companies like AWS and VMware. The ability to manage all the technology domains while deploying from anywhere in the cloud is critical.

Some well-known privileged identity management solutions include Hitachi ID Systems, Xceedium, Cyber-Ark, Nakina, Lieberman, CA Technologies, and Hytrust.
