The Gorilla Guide To Privileged Access Management

Privileged Access Management
How PAM Can Help Your Broader Cybersecurity Strategy

By James Panetti

Powered by CyberArk

TABLE OF CONTENTS

Introduction: A Pillar of Identity Security
What Is Privileged Access Management?
Compliance & Auditing Risks
A Blueprint for Identity Security Success
PAM & the Zero Trust Model
JIT Privileged Access
CyberArk Privileged Access Manager
How To Get Started

Copyright © 2023 by Future US LLC
Full 7th Floor, 130 West 42nd Street, New York, NY 10036

All rights reserved. This book or any portion thereof may not be reproduced
or used in any manner whatsoever without the express written permission
of the publisher except for the use of brief quotations in a book review.
Printed in the United States of America.

www.actualtechmedia.com
PUBLISHER'S ACKNOWLEDGEMENTS

DIRECTOR OF CONTENT DELIVERY
Wendy Hernandez

CREATIVE DIRECTOR
Olivia Thomson

SENIOR DIRECTOR OF CONTENT
Katie Mohr

WITH SPECIAL CONTRIBUTIONS FROM CYBERARK

Anton Cauduro, Business Lead, PAM
Sam Flaster, Director, Product Marketing
Diana Hwang, Sr. Director, Content Marketing
Ryne Laster, Product Marketing Manager, PAM
Pauline Maillard, Solutions Marketing Director, Privilege
Nick McCrorey, Global Sales Director, PAM
Naomi Ravitz, Director, Product Management, PAM
Brandon Traffanstedt, Sr. Director, Field Technology Office

ABOUT THE AUTHOR

James Panetti is a techie by hobby and profession and loves writing about it via his company, Panetti Tech Insights. James has nearly two decades of tech industry experience spanning tech support, consulting, performance testing, release automation, cloud technology, and corporate policy writing.

PRIVILEGED ACCESS MANAGEMENT iii


Introduction: A Pillar of Identity Security

Privileged Access Management (PAM) is the protection of the strongest identities in your organization. PAM programs have long been a key component of securing the many identities used within an organization and are critical to any identity security strategy.

Identity security is a comprehensive framework for securing all of an organization's identities. Any colleague anywhere has the potential to access sensitive data, be they an employee, contractor, or vendor, and regardless of whether they work onsite or remotely. Identity security therefore ensures that each unique identity is secured with intelligent controls that correspond to the level of risk that identity's privileges entail.

Today's privileged access management programs are paramount to securing identities and are more complex than ever, continually evolving to keep pace with the changing technological landscape.

What Is Privileged Access Management?

The days of the traditional cybersecurity perimeter, with all resources secured behind the walls of a data center, are long gone. Not only is the technology landscape dramatically changing, it has already dramatically changed. Companies continue to shift to the cloud, digitally transform, and rely on remote workers more than ever. The result? Privilege is everywhere (see Figure 1). Identities are the new perimeter. As these identities constantly grow in number, they demand foundational security that can keep pace with them.

Let's first define "privileged access," then delve into what privileged access management entails.
Figure 1: Sensitive, regulated data exists in a wide range of IT systems. The diagram spans on-prem/hybrid/cloud infrastructure (*NIX servers, OT/HMI, IT ops tools, app servers, databases, network devices, IoT, code), SaaS and IaaS/PaaS (cloud-native apps, containers, VMs and serverless, storage, code), user types (admins, DevOps, apps/robots, third-party vendors, workforce), and workplaces and workspaces (office, WFH, temporary locations; Mac, PC, mobile).

PRIVILEGED ACCESS

Within the context of an enterprise IT environment, "privileged access" means any type of special access or ability granted to a user that is above and beyond that of standard users. When implemented well, it allows organizations to secure their IT infrastructure and applications to protect sensitive data and critical infrastructure without hindering the efficiency of business activities.

Privileged access is not exclusive to IT administrators. Any user (human or non-human) granted high-risk access to an organization's resources has privileged access, such as third-party vendors or service accounts.

People may, for example, be granted privileged access via many powerful identities including domain administrator, local endpoint/server administrator, root on Linux, or other emergency accounts. Users may also have privileged access to leverage accounts and secrets in the cloud, such as Azure Active Directory (AAD) global administrators, Amazon Web Services (AWS) administrators, AWS Identity and Access Management (IAM) administrators, or Google Cloud Platform (GCP) keys. Many of these users may be privileged business users who are not IT staff but nonetheless have access to sensitive systems. Non-human accounts with privileged access may include application or service accounts.

These accounts have access to the organization's "secrets," an umbrella term used by development and operations (DevOps) teams to refer to the various types of credentials required to gain privileged access, such as secure shell (SSH) keys and application programming interface (API) keys.

PRIVILEGED ACCESS MANAGEMENT

High-risk access to infrastructure and data inevitably introduces dangerous threats. Heightened privileges can be easily misused and even hijacked to steal confidential information, such as otherwise secured credentials.

Privileged access management (PAM) is a comprehensive cybersecurity strategy that directly addresses these threats. A sound PAM program is not just an IT solution, but a deliberate balance of people, processes, and technology to discover, control, secure, monitor, and audit all identities across an organization's IT environments.

Compliance & Auditing Risks

Regardless of what industry an organization belongs to, some form of global or regional regulation will inevitably apply, including various IT security regulations that require compliance with specific best practices. Though cybersecurity attacks are profoundly costly on their own, any failure in compliance they reveal can prove catastrophic.

PAM solutions help ensure an organization is fully compliant by managing access to the sensitive resources these regulations extend to, reducing an organization's attack surface from malicious insiders or external cyber criminals and thus preventing costly data breaches.

Corporate executives can be individually fined up to $5 million and sentenced to up to 20 years in prison for violating rules in the Sarbanes-Oxley (SOX) Act. As another case in point, a leading United States bank was at one point fined $80 million after a security breach.

EXAMPLES

There are many global and regional regulations to be aware of, depending on the industry in question. Many apply universally to all industries, such as SOX, the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) standards, the European Union (EU) Network and Information Security Directive (NIS 2), the EU's General Data Protection Regulation (GDPR), and the Payment Card Industry Data Security Standard (PCI DSS).

Specific industries are bound by additional standards. Financial institutions must comply with SWIFT's security standards, the EU's Digital Operational Resilience Act (DORA), the Monetary Authority of Singapore's Technology Risk Management (MAS TRM) guidelines, and regulations governed by New York's Department of Financial Services (NYDFS). Healthcare organizations are governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Organizations in the U.S. defense supply chain must comply with the U.S. Department of Defense's Cybersecurity Maturity Model Certification (CMMC), and EU operators of critical infrastructure fall under NIS 2, with supporting guidance from the EU Agency for Cybersecurity (ENISA).

A PAM solution can help ensure an organization is compliant with all of these and more.

A Blueprint for Identity Security Success

CyberArk recommends implementing your PAM program based on its Blueprint for Identity Security Success, which offers simple but prescriptive guidance. Its three principles grant a foundational understanding of a privilege-based attack chain (Figure 2) and how to counter it.
1. MALICIOUS ACTORS. Bad actors can exist either internally or externally to the organization. External attackers use a wide variety of techniques to gain entry, while internal attackers tend to leverage existing knowledge and access.

2. CREDENTIAL THEFT. Actors use techniques such as social engineering, keystroke logging, credential repository scraping, and more to harvest passwords, hashes, SSH keys, or hard-coded credentials.

3. LATERAL & VERTICAL MOVEMENT. Actors leverage that access to navigate across an organization's resources, whether laterally within a risk tier (e.g. workstation to workstation) or vertically into another risk tier or environment (e.g. workstation to cloud or workstation to DevOps tool). The diagram shows the identities involved (developer, robot, application, remote vendor, IT admin, business user) and the environments traversed (on-prem, DevOps tools, IaaS/PaaS, SaaS).

4. PRIVILEGE ESCALATION & ABUSE. Once a bad actor has discovered the access they desire, they elevate their privileges to carry out malicious actions against the organization.

5. ACTIONS ON OBJECTIVES. Those malicious actions are typically predefined objectives such as data theft, ransomware distribution, service disruption, supply chain spread, brand damage, and more (the diagram shows data exfiltration, establishing backdoors, deploying ransomware, and service disruption).

Figure 2: The common progression of an identity-centric attack
3 KEY PRINCIPLES

The first principle is to prevent credential theft by bad actors, be they external or internal. External attackers have many tricks to deploy to gain entry, and internal actors are already inside your perimeter with insider knowledge.

The second principle is to prevent a bad actor in possession of a user account from traversing resources either laterally (such as from one workstation to another) or vertically (from a lower-risk tier into a higher tier, such as from a workstation to a cloud environment).

The third principle adds a final layer that directly addresses most attackers' final goal: the escalation and abuse of account privileges, with which they may perform various malicious actions to cause the most damage and havoc.

The Blueprint's best practices serve to safeguard against these threats and reduce the attack surface.
BEST PRACTICES

The CyberArk Blueprint organizes best practices into a phased implementation plan (Figure 3) designed to protect any organization's environment, whether infrastructure is on-premises, in the cloud, or both.

CyberArk Blueprint Stage Overview. Each stage is mapped against three risk-reduction goals in descending severity: prevent credential theft (critical), stop lateral and vertical movement (major), and limit privilege escalation and abuse (moderate).

STAGE 1: RAPID RISK MITIGATION. Secure the highest-privilege identities that have the potential to control an entire environment.
STAGE 2: CORE SECURITY. Focus on locking down the most universal technology platforms.
STAGE 3: ENTERPRISE PROGRAM. Build identity security into the fabric of enterprise strategy and application pipelines.
STAGE 4: MATURE THE PROGRAM. Mature existing controls and expand into advanced privileged access security.
STAGE 5: ADVANCED SECURITY. Look for new opportunities to shore up privileged access across the enterprise.

Figure 3: The best practices of CyberArk's phased implementation
The Blueprint first emphasizes rapid risk mitigation by securing the highest-privileged (and thus highest-risk) identities, particularly those which can control entire environments, such as cloud or domain administrators. It leverages adaptive multi-factor authentication (MFA) and single sign-on (SSO), privileged session isolation, continually rotated passwords, and intelligent privileged activity monitoring and analysis. Risks associated with privileged non-human users are mitigated by securing the credentials used by third-party security tools, replacing hard-coded credentials with API calls to a secrets store, and reducing the permissions granted to embedded operating system services.

The second phase focuses on core security, locking down the most universally deployed platforms. MFA, SSO, and session protection are again instrumental to securing privileged access to cloud platforms. Each workstation's and server's local administrator accounts are secured. Hard-coded credentials are removed from all third-party tools and application servers.

The third phase incorporates identity security into the overall enterprise security strategy and includes all application pipelines. MFA and SSO protect mission-critical web applications, hard-coded secrets are removed from dynamic applications (e.g., containerized applications and microservices), and any remaining administrator access is secured.

The fourth stage matures the program. It adopts advanced controls, extends the reach of MFA and SSO to core web applications, and removes hard-coded credentials from static applications (e.g., legacy client/server applications). Identity security controls are extended to any remaining infrastructure.

The final stage implements advanced security and shores up whatever vulnerabilities may yet remain.

PAM & the Zero Trust Model

PAM is grounded in the Zero Trust model, with particular emphasis on the principle of least privilege.

ZERO TRUST

Zero Trust is a cybersecurity model based on the simple principle of "never trust, always verify." The model takes a realist, practical view of the security landscape with the assumption that one day, eventually, an attack will happen. No security measure is perfect and threats are ever evolving, so an organization would be naive to think "it will never happen here." Adopt an "assume breach" mindset by assuming it will.

The assume-breach paradigm is the backbone of Zero Trust and drives at least five key behaviors:

1. Employ consistent, continual, and adaptive MFA to verify all identities.
2. Automate the identity provisioning process, gate it with thorough approval steps, and carefully manage its life cycle.
3. Secure all credentials and authentication material, including authentication tokens and credential caches, and take extra care in managing local endpoint administrator credentials.
4. Eliminate all unnecessary privileges with both a "least privilege" and a "JIT" approach (more on both concepts below).
5. Continuously monitor, record, and audit all identity security related events to ensure compliance requirements are met.

United States federal agencies must adhere to NIST's definition of the Zero Trust model (NIST SP 800-207, Zero Trust Architecture) as directed by Executive Order 14028.

Note that though Zero Trust (a model) and MFA (a technology) are key elements of any discussion of identity management (a comprehensive solution), the three are not synonymous. Zero Trust is neither a solution nor a technology, but rather an approach to cybersecurity. It ensures every identity is verified, every device is validated, and privileged access is intelligently restricted.

The challenges highlighted by this model are addressed by comprehensive enforcement of the principle of least privilege, strong authentication mechanisms, and additional controls for defense in depth.
THE PRINCIPLE OF LEAST PRIVILEGE

The principle of least privilege is foundational to the Zero Trust model and is as practical as it is simple. Each user should have only the bare minimum privileges required to perform daily duties. No more, no less, no exceptions. An accounting department user can only access accounting records, a marketing user can only access marketing applications, a database admin's privileges end at the database, and so on. The principle likewise applies to non-human identities. For example, an automation tool's service account should have only the minimum privileges needed to execute its own processes.

When an attack inevitably happens, tightly managed access restrictions ensure that whichever user is the victim, their lack of privileges will naturally isolate and contain the damage, preventing the attack's spread.
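Least privilege is easiest to see on a concrete policy. The following is an added example, not code from the guide or from CyberArk: an over-broad IAM-style policy next to a scoped one for the same backup job, a lint that flags wildcard grants, and a minimal evaluator that follows AWS IAM's decision rules (an explicit Deny overrides any Allow, and '*' is a wildcard in Action and Resource) used to measure how much of a constructed attacker playbook each policy lets a compromised credential perform. The bucket name, account ID, and playbook are constructed for illustration.

```python
"""Least privilege on IAM-style policies.

Added example, not from the guide or CyberArk: an over-broad policy next
to a scoped one for the same backup job, a lint for wildcard grants, and
a small evaluator following AWS IAM's rules (explicit Deny beats Allow,
'*' wildcards in Action and Resource). Policies, account ID, bucket name
and the attacker playbook are constructed for illustration.
"""
from fnmatch import fnmatchcase

# What an automation account often ends up with: "it works, ship it".
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# The same backup job, limited to what it actually does: write and read
# objects in one bucket, list that bucket, and never delete.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::example-backups/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-backups"},
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::example-backups/*"},
    ],
}

# Constructed playbook: what a stolen credential would typically try first.
ATTACKER_PLAYBOOK = [
    ("iam:CreateUser", "arn:aws:iam::123456789012:user/backdoor"),
    ("ec2:RunInstances", "arn:aws:ec2:us-east-1:123456789012:instance/i-0example"),
    ("s3:DeleteObject", "arn:aws:s3:::example-backups/2024/db.dump"),
    ("s3:GetObject", "arn:aws:s3:::example-backups/2024/db.dump"),
]


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Flag Allow statements that grant wildcard actions ('*', 'svc:*') or resources ('*')."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        for resource in _as_list(st.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {i}: wildcard resource '*'")
    return findings


def is_allowed(policy, action, resource):
    """IAM-style decision: explicit Deny wins, else any matching Allow, else implicit deny."""
    allowed = False
    for st in policy["Statement"]:
        action_hit = any(fnmatchcase(action, p) for p in _as_list(st.get("Action", [])))
        resource_hit = any(fnmatchcase(resource, p) for p in _as_list(st.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def blast_radius(policy, playbook=ATTACKER_PLAYBOOK):
    """Playbook actions the policy would let a compromised principal perform."""
    return [action for action, resource in playbook if is_allowed(policy, action, resource)]


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "lint:", lint_policy(policy) or "clean")
        print(name, "attacker can:", blast_radius(policy) or "nothing in the playbook")
```

With the broad policy a stolen key can do everything in the playbook; with the scoped one it can only read backups, and even that is the job's own function. The explicit Deny on `s3:DeleteObject` is the detail worth copying: it holds even if a later statement accidentally re-grants `s3:*`.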

HOW PAM FITS

The best first measure to enforce the principle of least privilege is to restrict the use of the most privileged accounts via a PAM solution.

Zero Trust is exercised via the strict governance of privileged accounts. A PAM program can reduce credential theft via solutions that automatically discover and onboard privileged accounts and vault their credentials. It reduces the use and frequency of privileged access, contains privileged activities within recorded, isolated sessions, and ensures access is strictly authenticated and managed with intelligent controls. It meanwhile improves threat detection via threat analytics functionality that helps Security Operations Center (SOC) teams identify and intercept malicious activity.

JIT Privileged Access

"Just in time" (JIT) is a popular concept with many applications in IT. Within the context of privileged access, JIT is one way the principle of least privilege is enforced, and may be summarized simply: ensure the right users have access to the right resources at the right time for the right reasons.

SYSTEM VS. OPERATIONAL ACCOUNTS

One must first understand the difference between system and operational accounts. Within the context of privileged access, a system account is built directly into an operating system (for example, root or the built-in Administrator account) and always possesses persistent (standing) privileges. Conversely, operational accounts are identities that require temporary, day-to-day access to resources. Ephemeral cloud environments provide a good example of the latter, in which resource access is only needed for the current activity at hand.

Privileged accounts of both varieties are often granted "always on" access despite many only needing access for a specific amount of time. This excessive access does not meet the bar set by Zero Trust's principle of least privilege, but a JIT approach can resolve this.

JIT APPLIED TO PAM

JIT privileged access elevates operational privileges on a just-in-time basis to reduce the number of credentials that can possibly be compromised, further reducing the attack surface.

This approach may be illustrated simply: A user requests privileged access to perform a specific function. PAM validates the request and grants privileges. The user performs their function, then PAM terminates the privileges (Figure 4). These steps repeat every time the user needs to perform their activity.

Figure 4: The flow of JIT privileged access management. Right user, right access, right resource, right time, right reason: a request is approved (interactively or automatically), access is elevated, and access is removed, leaving no standing privilege.
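The request, validate, grant, use, terminate loop above is simple to state and easy to get subtly wrong (self-approval, grants that never lapse, no record of who approved what). The following is an added example, not code from the guide or from CyberArk's product: a minimal JIT broker that models that flow with a mandatory reason, approval by someone other than the requester, a bounded time-to-live, lazy expiry checked on every use, explicit early revocation, and an append-only audit trail. The role names, approver groups, principals, ticket reference, and the injectable clock are constructed for illustration.

```python
"""Just-in-time privileged access as a minimal broker.

Added example, not from the guide or CyberArk's product: the Figure 4 flow
(request with a reason, approval by someone else, time-boxed elevation,
automatic revocation, audit trail), showing that a principal holds no standing
privilege between grants. Roles, approvers, principals and the clock are
constructed for illustration.
"""
import itertools
import time

# Role -> identities allowed to approve elevation into it (constructed).
APPROVERS = {"db-admin": {"dba-lead"}, "prod-root": {"sre-lead", "ciso"}}


class JitBroker:
    def __init__(self, clock=time.time, max_ttl=3600):
        self._clock = clock        # injectable, so the flow can be replayed deterministically
        self._max_ttl = max_ttl
        self._ids = itertools.count(1)
        self._pending = {}         # request id -> request details
        self._grants = {}          # (principal, role) -> expiry timestamp
        self.audit = []            # append-only trail for the SOC and auditors

    def _log(self, event, **fields):
        self.audit.append({"t": self._clock(), "event": event, **fields})

    def request(self, principal, role, reason, ttl=900):
        """Right resource, right reason, right time: validated before anything is queued."""
        if role not in APPROVERS:
            raise ValueError(f"unknown role {role!r}")
        if not reason.strip():
            raise ValueError("a reason (e.g. a ticket reference) is required")
        if not 0 < ttl <= self._max_ttl:
            raise ValueError(f"ttl must be within (0, {self._max_ttl}] seconds")
        rid = next(self._ids)
        self._pending[rid] = {"principal": principal, "role": role, "reason": reason, "ttl": ttl}
        self._log("requested", id=rid, principal=principal, role=role, reason=reason, ttl=ttl)
        return rid

    def approve(self, rid, approver):
        """Right user: elevation needs an authorised approver who is not the requester."""
        req = self._pending[rid]
        if approver == req["principal"] or approver not in APPROVERS[req["role"]]:
            self._log("approval_denied", id=rid, approver=approver)
            raise PermissionError(f"{approver} may not approve request {rid}")
        del self._pending[rid]
        expiry = self._clock() + req["ttl"]
        self._grants[(req["principal"], req["role"])] = expiry
        self._log("elevated", id=rid, principal=req["principal"], role=req["role"],
                  approver=approver, expires=expiry)
        return expiry

    def has_access(self, principal, role):
        """Checked on every use; a lapsed grant is dropped and logged as soon as it is noticed."""
        key = (principal, role)
        expiry = self._grants.get(key)
        if expiry is None:
            return False
        if self._clock() >= expiry:
            del self._grants[key]
            self._log("expired", principal=principal, role=role)
            return False
        return True

    def revoke(self, principal, role, by):
        """Early termination, e.g. when the task finishes or the SOC pulls the plug."""
        if self._grants.pop((principal, role), None) is not None:
            self._log("revoked", principal=principal, role=role, by=by)


def walkthrough():
    """Run the Figure 4 flow once against a manual clock and record each observation."""
    now = [1_700_000_000.0]                                      # mutable so it can be advanced
    broker = JitBroker(clock=lambda: now[0])
    seen = {"before": broker.has_access("alice", "db-admin")}    # no standing privilege
    rid = broker.request("alice", "db-admin", "INC-4242: restore prod replica", ttl=600)
    seen["unapproved"] = broker.has_access("alice", "db-admin")  # a request alone grants nothing
    try:
        broker.approve(rid, "alice")
        seen["self_approval"] = "allowed"
    except PermissionError:
        seen["self_approval"] = "blocked"
    broker.approve(rid, "dba-lead")
    seen["during"] = broker.has_access("alice", "db-admin")
    now[0] += 601                                                # the task window elapses
    seen["after_ttl"] = broker.has_access("alice", "db-admin")
    seen["events"] = [e["event"] for e in broker.audit]
    return seen


if __name__ == "__main__":
    for step, value in walkthrough().items():
        print(f"{step}: {value}")
```

Two design points carry over to any real implementation: the grant is keyed by (principal, role) with an expiry rather than by a flag, so "standing" access cannot exist by accident, and every transition, including the denied self-approval, lands in the audit trail that the compliance and SOC sections of this guide depend on.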

Cloud strategies differ from those of on-premises environments, of course. Cloud Infrastructure Entitlement Management (CIEM) solutions manage identities and privileges in cloud and multi-cloud environments and apply JIT privileged access to cloud infrastructure and services.

Access certification campaigns may further enhance a JIT approach by facilitating regular reviews of users' access privileges. A reviewer other than the user, such as their manager or the resource owner, must certify that the access previously granted may continue to be granted for a specific period. For example, consider an employee who moves from one role in the company to another. Certification reviews ensure the old role's obsolete privileges are not carried over to the new role.

Though JIT should be included in any PAM strategy, it is hardly a silver bullet. Take care to think through security and operational considerations when analyzing any attempt to eliminate standing access. Identify use cases, platforms, and groups to secure before deciding where a JIT approach is appropriate.

When organizations combine least privilege access and JIT controls, they can progress toward an ideal state of Zero Standing Privileges. This concept aims to both reduce the likelihood of account takeover and reduce the potential damage of an attack, embracing a true Zero Trust mindset.
CyberArk Privileged Access Manager

CyberArk Privileged Access Manager provides all the features and functionality discussed thus far.

MANAGE BOTH STANDING AND JIT PRIVILEGED ACCESS

CyberArk Privileged Access Manager can help discover various privileged users and properly onboard them and their respective credentials, such as passwords and SSH and API keys. It enforces organizational policies via credential complexity requirements while automatically rotating credentials.

It enforces the principle of least privilege with a variety of controls that apply to both human and non-human user accounts and includes out-of-the-box integrations with many leading IT service management (ITSM) and identity governance and administration (IGA) solutions.

CyberArk's Identity Security Platform goes even further, provisioning JIT privileged access for operational accounts in both hybrid and multi-cloud infrastructures (Figure 5).

Meanwhile, CyberArk's JIT privileged access reduces the risk of credential theft by removing all standing access rights, ensuring all privileged sessions are both isolated and fully audited. It can provision JIT access to workloads, whether within on-premises servers or virtual machines in the cloud, and broker ephemeral sessions restricted by attribute-based access control policies.

Figure 5: How CyberArk solutions secure use of both operational and system accounts. External vendors, administrators, and developers enter through Secure Remote Access. On the standing-access side, Privileged Access Manager holds vaulted credentials with credential management and monitored sessions; on the JIT side, Dynamic Privileged Access provides just-in-time, vault-less access through brokered, monitored, ephemeral sessions.
ENSURE COMPLIANCE

Privileged Access Manager can help avoid the costly pitfalls of failing to comply with regulatory requirements via controls that safeguard and audit privileged access across on-premises, cloud, and hybrid infrastructure. It manages privileged credentials with efficient, documented processes and proactively monitors all privileged access activities. It even logs which users have access to shared accounts and captures all activity conducted through them. Various additional features help ensure compliance with both global and regional regulations.

Privileged Access Manager can also help meet cyber insurance requirements by discovering and onboarding privileged accounts, securing those accounts with features such as MFA, and auditing all privileged activity.

PAM FOR THIRD-PARTY VENDORS

96% of organizations allow third-party access. Though third parties may require access to perform their functions, their access is a stepping stone for attackers hoping they will be the weakest link.

As of February 2022, 15% of the data breaches investigated by the U.S. Department of Health and Human Services involved "Business Associates" with access to protected health information (PHI).

Remote access granted to a third party is far better contained with a JIT approach aligned with Zero Trust's principle of least privilege and features such as biometric MFA. A simplified remote access provisioning process reduces the burden on IT staff, and recording and auditing all third-party user activity supports compliance.

Third parties vary greatly by industry, but CyberArk PAM can cover a wide variety of use cases, such as SCADA and HMI systems in manufacturing environments.

Strong security and compliance controls should also apply to the Identity Security (or PAM) solutions that you deploy. CyberArk's cloud offering has SOC 2 Type 2 and SOC 3 reports and is protected by its own PAM controls, in addition to other security and availability policies, to ensure that its service is available, secure, and compliant.

In fact, these are only a couple of the many ways CyberArk ensures reliable protection and why organizations of many shapes and sizes trust CyberArk to guard the keys to their kingdoms.

How To Get Started

Implementing a privileged access management program requires much more than simply installing a software solution; it demands a comprehensive strategy that fully considers not just technology, but people and business processes as well.

CyberArk is here to help with the PAM Rapid Risk Reduction Jump Start service, which follows the CyberArk Blueprint for phased planning and deployment. Jump Start services are also available for SaaS and self-hosted PAM programs.

You can request a demo of Privileged Access Manager today and try it for yourself.
About CyberArk Privileged Access Management

CyberArk is the global leader in Identity Security. Centered on privileged access management, CyberArk provides the most comprehensive security offering for any identity, human or machine, across business applications, distributed workforces, hybrid cloud workloads, and throughout the DevOps lifecycle. The world's leading organizations trust CyberArk to help secure their most critical assets. CyberArk PAM solutions holistically secure both standing and just-in-time privileged access across the IT estate. With industry-leading capabilities for credential management, session isolation and monitoring, and detection of privileged access misuse, organizations can leverage CyberArk PAM to rapidly achieve their risk reduction, audit, and compliance objectives.
About ActualTech Media

ActualTech Media, a Future company, is a B2B tech marketing company that connects enterprise IT vendors with IT buyers through innovative lead generation programs and compelling custom content services.

ActualTech Media's team speaks to the enterprise IT audience because we've been the enterprise IT audience.

Our leadership team is stacked with former CIOs, IT managers, architects, subject matter experts, and marketing professionals that help our clients spend less time explaining what their technology does and more time creating strategies that drive results.

If you're an IT marketer and you'd like your own custom Gorilla Guide® title for your company, please visit https://www.gorilla.guide/custom-solutions/