Security Program Controls/Technologies, Identity

The New Role of Privilege Management

Author: Martin Kuppinger
Author: Martin Kuppinger

Privilege Management or PxM, also referred to by some vendors as Privileged Account Management, Privileged User Management, Privileged Identity Management, or a number of other terms, is changing rapidly, in two areas:

  1. Privilege Management is not only an IAM (Identity & Access Management) topic anymore, but as well a part of Cyber Defense.
  2. The focus of Privilege Management is shifting from session access to session runtime control.

Thus, the requirements for vendors as well as the starting point of product selection is at least getting broader, and sometimes even changing drastically. While password vaults have been at the center of attention for many years, right now session management capabilities such as monitoring, recording, and real-time threat analytics are considered to be the highest priority.

Regarding the first change, you might argue that Privilege Management has always been not only an IAM topic, but more an IT Security issue. This is partially true, particularly in the early days, when the focus was securing administrative access to shared administrative accounts. These initiatives, which existed way before the term "IAM" came up, were driven by IT Security people. However, Privilege Management (protecting accounts and access) over time became an essential element of IAM.

Nowadays, with ever-increasing cyber-attacks, Privilege Management is becoming an increasingly important element of Cyber Defense. While back in the old days internal fraud was the main risk addressed by Privilege Management, it is now about hijacked accounts. The main goal of targeted external attacks is gaining control of privileged accounts. Privilege Management helps in protecting these accounts, analyzing their usage, and detecting anomalies. Thus, Privilege Management is no longer just a part of the IAM domain (where it remains important), but also a vital element of every Cyber Defense strategy and Cyber Defense Center (CDC). While this might be a challenge, when it comes to defining organizational responsibility, it also is an opportunity: Cyber Defense budgets tend to be significantly bigger than IAM budgets.

The second area of change is tightly related to the first one. It is no longer sufficient to just limit access to shared privileged accounts. There are also individual highly privileged accounts – and not even at the IT administrator and operator level, but also business accounts. Thus, it is no surprise seeing the adoption of session management tools in call centers (to protect PII) and other business areas. Furthermore, identifying anomalies and detecting attacks is not done during the authentication to a privileged account, but must happen during runtime.

That does not mean that Shared Account Password Management is no longer relevant. But it is only one of the essential building blocks, with the entire area of session monitoring and anomaly detection massively gaining momentum. Privilege Management strategies and the tool choice decisions must take this change into account.

Martin Kuppinger is founder and principal analyst at KuppingerCole. Read more KuppingerCole blogs here.