Managing privileged access has become a critical concern for organizations of all sizes. Two common approaches to managing it are privileged user management (PUM) and privileged access management (PAM). In this article, we compare the PUM and PAM approaches and explain why the distinction matters for your organization’s security.
The problem of uncontrolled privileges
The less control you have, the more money you risk.
Right off the bat, we’d like to define privileged access. This is access to data, systems, and computers that is unavailable to ordinary users. Privileged access is reserved for highly trusted and authorized personnel, such as system administrators, network engineers, and executives who need elevated privileges to manage critical systems, applications, and data.
Simply put, privileged access is a key that unlocks the door to the most sensitive and valuable parts of an organization’s digital infrastructure. With this key, a user can perform a wide range of actions, from installing new software and configuring network settings to accessing confidential data.
That said, if privileged access ends up in the wrong hands, this may lead to dire consequences for the organization.
If malicious users have privileged credentials, they can access various business-critical resources, including:
- Critical systems – With a legitimate privileged account, attackers can freely use restricted resources and disrupt or shut down business-critical systems.
- Databases – The moment attackers obtain privileged credentials, they can read, copy, modify, and even destroy the information stored in your company’s databases.
- Applications – Many application-to-application processes also rely on privileged credentials. If an attacker gets hold of these credentials, they can disrupt critical business processes.
- Cloud environments – In cloud and containerized environments, special administrator keys and secrets are used for creating new instances, managing workloads, and interacting with databases. Once attackers get access to these credentials, they can tamper with both cloud resources and valuable information.
This is why cybercriminals seeking your sensitive and confidential data so often hunt for privileged credentials. The most acute issue, however, is that human error is a common enabler of successful cyberattacks.
Some employees store passwords on easily accessible sticky notes; others click suspicious email links without considering the consequences. The outcome is the same: an attacker, whether a malicious insider or an external intruder, gains access to critical business information.
The main reasons to control privileged access
Numbers speak louder than words.
According to the Cost of a Data Breach 2022 Report by the Ponemon Institute and IBM, the most common initial attack vector in 2022 was stolen or compromised credentials. This vector accounted for 19% of breaches, with an average breach cost of USD 4.50 million.
Furthermore, according to the same report, breaches caused by stolen or compromised credentials took the longest to detect among common attack vectors: an average of 243 days to identify and 84 days to contain (327 days in total). In other words, organizations need almost a year to detect and contain a cyberattack caused by stolen or compromised credentials. Such a long detection and containment time is a critical issue, because the attacker has months in which to exfiltrate sensitive data, causing financial losses and reputational damage.
Besides data breaches, financial losses, and reputational damage, there are other reasons to control privileged access.
For example, controlling privileged access can help you build trust with your customers, stakeholders, and partners. If you demonstrate that you take data security seriously and do your best to protect sensitive information, your organization will be viewed as more reliable and safer for your clients.
When implemented correctly, privileged access management can also streamline your operations and reduce the risk of errors, since employees get exactly the access they need to do their jobs and nothing more.
Finally, let’s not forget that controlling privileged access is a core requirement of NIST SP 800-53 (least privilege and access enforcement controls), PCI DSS (Requirement 7, restricting access by business need to know), the Sarbanes-Oxley Act, and HIPAA. This is why establishing proper privileged user management procedures is vital for organizations of any size and in any field.
Now that you’ve seen why it’s crucial to control privileged access, let’s dig deeper into privileged user and access management.
Privileged access management
Privileged access management, or PAM, is all about elevating current privileges.
What is privileged access management (PAM)? According to Gartner, PAM is an umbrella term for all kinds of privilege management solutions. However, in this article, we approach PAM from a user-centric perspective, focusing on its role as a process rather than a singular solution.
At its core, privileged access management involves managing one-time permissions that temporarily elevate the privileges of regular users upon request. Gartner refers to this type of privilege control as privilege elevation and delegation management (PEDM). But here’s an easier way to think about it.
In many organizations, there are facilities with different access restrictions:
- Basic facilities that any employee or even guest can enter freely
- Working facilities that all regular employees of the organization can enter
- Restricted areas that only people with special access levels can enter
Now, imagine that to access the third type of facility, you need to request special access permission – say, a badge that will let you pass through the security check. Once you’re done with your job, you must hand the badge back to the security officer: your permission has expired.
The trick is that this badge will have your name on it, so you’ll be the only person who can use it. Furthermore, you can only use this badge once for accessing a specific facility. This is how PAM works.
In other words, PAM allows regular users to request access to protected data, applications, or systems from their current accounts. In line with the principle of least privilege, the main idea of PAM is that no regular user in your network holds permanent access to sensitive data.
You can take this approach even further by implementing a just-in-time PAM approach that grants privileged access only for a very limited time to reduce the risk of unauthorized access or misuse. Also, consider utilizing the zero trust security model, which has two important characteristics:
- No general secured perimeter – Instead of securing the perimeter of the entire network, each critical application, endpoint, and database is secured individually. A user can only access a particular endpoint if they have the right level of access permission.
- No separation between trusted and untrusted users – In the zero trust model, no one is trusted by default. A user can only get access to protected assets if they verify their identity, such as with multi-factor authentication (MFA).
Getting back to the benefits of PAM, we’d like to stress that it’s the range of access granularity that makes all the difference. More precisely, PAM can let you specify:
- Who gets access
- What exactly those users get access to
- For how long access is granted
- What users with access are allowed to do within the protected perimeter
With PAM, you can set a number of elevated access levels and specify what kinds of actions are permitted and restricted for each of them.
For instance, employees with a basic access level might be able to read protected data but not modify or delete it. To change the protected data, they need a higher level of authority, such as that of an administrator. This makes PAM a powerful, granular, and flexible way of managing privileges.
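The badge analogy above maps directly onto a small elevation broker. The following is an added illustration written for this article, not Ekran System code or any product’s API; the policy table, role names, resource names, and TTLs are constructed for the example. It shows the four dimensions of granularity named above (who, what, for how long, and which actions) and enforces the two properties of the badge: it is bound to one named user, and it can be used only once before it expires.

```python
"""Minimal just-in-time privilege elevation broker (added illustration, hypothetical policy)."""
import secrets
from dataclasses import dataclass, field

# Policy: (role, resource, action) -> maximum lifetime of a grant in seconds.
# Constructed sample policy for the example; not a real product configuration.
POLICY = {
    ("analyst", "payroll-db", "read"): 3600,
    ("dba", "payroll-db", "read"): 14400,
    ("dba", "payroll-db", "write"): 1800,
}


@dataclass
class Grant:
    token: str          # opaque handle handed to the requester (the "badge")
    user: str           # the badge has a name on it: only this user may present it
    resource: str       # what the grant opens
    action: str         # what the holder may do there
    expires_at: float   # absolute time (seconds) after which the grant is dead
    used: bool = False  # the badge is handed back after one use


@dataclass
class Broker:
    roles: dict                                  # user -> role
    grants: dict = field(default_factory=dict)   # token -> Grant
    audit: list = field(default_factory=list)    # every decision, for later review

    def request(self, user, resource, action, ttl, now):
        """Issue a single-use, time-bound grant if policy allows it; return the token or None."""
        role = self.roles.get(user)
        max_ttl = POLICY.get((role, resource, action))
        if max_ttl is None:
            self.audit.append(("denied", user, resource, action))
            return None
        ttl = min(ttl, max_ttl)          # the requester never gets more time than policy allows
        token = secrets.token_urlsafe(16)
        self.grants[token] = Grant(token, user, resource, action, now + ttl)
        self.audit.append(("granted", user, resource, action, ttl))
        return token

    def use(self, token, user, resource, action, now):
        """Validate a presented grant. Returns (allowed, reason); allowed grants are consumed."""
        grant = self.grants.get(token)
        if grant is None:
            return (False, "unknown token")
        if grant.user != user:
            return (False, "grant is bound to another user")
        if now >= grant.expires_at:
            return (False, "grant expired")
        if grant.resource != resource or grant.action != action:
            return (False, "out of scope")
        if grant.used:
            return (False, "grant already used")
        grant.used = True
        self.audit.append(("used", user, resource, action))
        return (True, "ok")


if __name__ == "__main__":
    broker = Broker(roles={"alice": "analyst", "bob": "dba"})
    token = broker.request("alice", "payroll-db", "read", ttl=600, now=1000.0)
    print(broker.use(token, "alice", "payroll-db", "write", now=1001.0))  # out of scope
    print(broker.use(token, "bob", "payroll-db", "read", now=1001.0))     # wrong user
    print(broker.use(token, "alice", "payroll-db", "read", now=1001.0))   # ok
    print(broker.use(token, "alice", "payroll-db", "read", now=1002.0))   # already used
    for entry in broker.audit:
        print(entry)
```

Two design points are worth noting. The broker clamps the requested TTL to the policy maximum instead of rejecting the request, so a user who asks for a whole day still gets only the permitted window. And every decision, including denials, lands in the audit list, because in an investigation the refused requests are often as interesting as the granted ones.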
Let’s now shift our attention to PUM.
Privileged user management
PUM is all about sharing privileges with others.
Remember our example with restricted facilities? Now imagine that you still need to get a special badge. But this time, there are a limited number of these badges. And in contrast to the first type of badge, this one doesn’t have an expiration date. Moreover, it doesn’t have your name written on it, so you can use it yourself, or you can hand it over to one of your colleagues and ask them to do the job. This is how privileged user management, or PUM, works.
What is PUM exactly? As confusing as it may sound, privileged user management is all about accounts and not particular people.
What is privileged user management?
Privileged user management is the process of managing privileged accounts with permanent access to critical assets. PUM is responsible for managing and securing system administrator privileged accounts and root accounts.
Another term for PUM that’s widely used is privileged identity management (PIM), where privileged accounts are seen as digital identities and not particular people. This type of privilege control is also close to what Gartner calls privileged access and session management (PASM).
Privileged users have more privileges than regular staff. Managing privileged users is about giving such employees full and permanent access to protected data, applications, and systems. And usually, multiple employees can log into the system as privileged users under the same account. So, PUM is account-specific.
Main categories of privileged accounts
We can split all privileged accounts into two large categories:
- Human accounts – Accounts associated with individual users who require elevated privileges, for instance to install software or modify system settings. Human privileged accounts are used by people to access systems, applications, and data.
- Non-human accounts – Application and service accounts that require system-level access. They are used by applications, services, and other automated processes. Since non-human accounts are not associated with an individual user, they can be harder to manage and secure.
Main types of privileged accounts
If we further subdivide privileged accounts, we can define the most commonly used types:
- Local admins – Usually shared, non-personal accounts that provide administrative access to the local system and services. These accounts are typically used for setting up new workstations and maintaining the system.
- Domain admins – Accounts with unrestricted access across all servers and workstations on a Windows domain. These accounts have full control over all domain controllers and administrative accounts within the domain.
- Privileged users – User accounts with elevated privileges, typically used for solving business-related tasks and working with critical data. Privileged user accounts can be either shared by several employees or assigned to a particular individual.
- Service accounts – Any type of privileged account (local or domain) that applications and services use for interacting with the operating system.
- Application accounts – Accounts used by applications to get access to system resources, databases, and other applications. Credentials for these accounts are often shared across the network.
- Emergency accounts – Special accounts that can be used for accessing protected systems or data in case of an emergency.
The use of shared privileged accounts significantly increases the risk of data breaches. Some organizations keep the credentials for such accounts in unencrypted text files somewhere on the network. If such a file falls into the wrong hands, attackers can log in under the shared account and take every piece of data it can reach, while the logs show only the account name, not the person behind it.
Moreover, even though privileged user activity can be monitored, it may be a serious challenge to determine who did what under a shared account. This creates significant difficulties when investigating cybersecurity incidents.
Fortunately, there are many effective PUM practices that can address this issue, and one of the most reliable is secondary authentication. With secondary authentication, users who log in under a shared account are also required to log in to their individual account and pass additional identity verification. By doing so, you can associate a particular session started under a shared account with a specific user, thereby improving accountability and reducing the risk of data breaches.
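To make the accountability gap and the secondary-authentication fix concrete, here is an added example written for this article; it is not Ekran System code and the log format is invented. It assumes a hypothetical audit trail with three event types: an individual `login` with an MFA result, a `shared_login` under a shared account that may carry a `secondary_user` field, and `cmd` events tied to a session. The function attributes each shared-account session to a person only when the named individual passed MFA from the same source address shortly before; sessions that cannot be attributed are reported, since those are the ones an investigator cannot explain.

```python
"""Attribute shared-account sessions to individuals via secondary authentication (added example)."""
import shlex
from datetime import datetime

# Constructed sample audit log in a hypothetical key=value format (not from any real product).
SAMPLE_LOG = """\
2024-03-02T10:01:12Z event=login user=alice src=10.0.0.5 mfa=ok
2024-03-02T10:01:40Z event=shared_login account=root session=s1 src=10.0.0.5 secondary_user=alice
2024-03-02T10:03:00Z event=cmd session=s1 cmd="cat /etc/shadow"
2024-03-02T10:05:10Z event=shared_login account=root session=s2 src=10.0.0.9
2024-03-02T10:06:00Z event=cmd session=s2 cmd="rm -rf /var/backups"
2024-03-02T11:40:00Z event=shared_login account=root session=s3 src=10.0.0.5 secondary_user=alice
"""

# The shared-account login must follow the individual's MFA login within this many seconds.
MAX_GAP_SECONDS = 300


def parse_line(line):
    """Turn 'TIMESTAMP k=v k="v with spaces"' into a dict; shlex keeps quoted values whole."""
    ts, *pairs = shlex.split(line)
    record = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def attribute_sessions(log_text):
    """Return {session: {account, actor, reason, commands}} for every shared-account session."""
    mfa_logins = {}   # user -> [(ts, src)] of successful individual MFA logins
    sessions = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        event = rec["event"]
        if event == "login" and rec.get("mfa") == "ok":
            mfa_logins.setdefault(rec["user"], []).append((rec["ts"], rec["src"]))
        elif event == "shared_login":
            actor, reason = None, "no secondary authentication"
            claimed = rec.get("secondary_user")
            if claimed:
                # Trust the claim only if that person passed MFA from the same source just before.
                recent = [
                    t for t, src in mfa_logins.get(claimed, [])
                    if src == rec["src"]
                    and 0 <= (rec["ts"] - t).total_seconds() <= MAX_GAP_SECONDS
                ]
                if recent:
                    actor, reason = claimed, "secondary authentication verified"
                else:
                    reason = "secondary_user has no recent MFA login from this source"
            sessions[rec["session"]] = {
                "account": rec["account"], "actor": actor, "reason": reason, "commands": [],
            }
        elif event == "cmd":
            sessions[rec["session"]]["commands"].append(rec["cmd"])
    return sessions


def unattributed(sessions):
    """Sessions nobody can be held accountable for: the investigator's first worklist."""
    return sorted(s for s, info in sessions.items() if info["actor"] is None)


if __name__ == "__main__":
    result = attribute_sessions(SAMPLE_LOG)
    for session, info in result.items():
        who = info["actor"] or "UNKNOWN"
        print(f"{session}: {info['account']} used by {who} ({info['reason']}) -> {info['commands']}")
    print("unattributed:", unattributed(result))
```

In the sample, only s1 is attributable: alice authenticated individually with MFA and then opened the root session from the same address within the window. Session s2 carries no secondary authentication at all, and s3 names alice but far too long after her last MFA login, so both are flagged. The source-address and time-window checks matter because a bare `secondary_user` field is just a claim; tying it to a verified MFA event is what turns the claim into accountability.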
PUM vs PAM Differences
Should you use PUM or PAM to secure your valuable data?
Finally, let’s summarize the main differences between PAM and PUM.
PAM allows you to configure user-level access permissions and specify who can do what according to specific roles or attributes.
PUM, in turn, is more helpful for security audits, since it lets you report on the activity of a small number of privileged accounts instead of investigating the activity of many individual users with elevated privileges.
Generally, PUM and PAM complement rather than substitute each other. So instead of comparing PUM vs PAM, it’s better to combine these two approaches for managing privileged access in your organization.
Ekran System can help you make the most of these two privilege management approaches. By deploying the Ekran System platform, you can:
- Monitor privileged users with a NIST-recognized PAM solution
- Monitor and manage privileged sessions with PASM functionality
- Minimize cybersecurity risks with just-in-time PAM capabilities
- Granularly control access permissions
- Verify user identities with an identity management system and MFA tool
- Add visibility to the activity of shared accounts with secondary authentication
- Use default alerts or set custom alerts for detecting abnormal behavior of privileged users
- Audit the activity of users with privileged access and get comprehensive reports
- Ensure IT compliance
Moreover, you can integrate Ekran System with your SIEM and ticketing system for additional access control and granularity.
Privileged access management and privileged user management are two complementary approaches that can smoothly work together to help you manage access to sensitive data, applications, and systems. When comparing PUM vs PAM, it’s important to note that:
- PUM focuses on specific accounts that are usually built into the system or application, are shared, and are limited in number.
- PAM focuses on regular users that request a temporary privilege elevation to complete a specific task.
By using PUM and PAM together, organizations gain both access flexibility and stronger protection of sensitive data. Integrating them with identity and access management solutions further reduces the risk that a stolen credential or a misused shared account goes unnoticed.
Request Ekran System trial to see how it can improve your organization’s security.