IBM® Privileged Access Management
Manage & Protect Privileged Accounts
Identity & Access Management from IBM®
Preparing your business for takeoff

01

A Pressing Imperative


Privileged credentials are the targets of choice for cyber attackers.

It makes sense that privileged accounts are the most heavily targeted: a compromised privileged account can grant unfettered access to your organization’s IT infrastructure. That’s why many high-profile breaches have resulted from unmanaged and unmonitored privileged accounts. The attackers responsible often gain administrative control through a single compromised endpoint and leave substantial damage in their wake.

Locking out threats with Privileged Access Management

Ensuring your enterprise can appropriately protect, manage and monitor privileged rights mitigates the risk of unwelcome guests to your IT infrastructure.

Privileged Access Management (PAM) is a critical element of a broader Identity Governance & Administration strategy. It enables you to secure passwords, protect endpoints and keep privileged accounts safe and out of the hands of would-be impostors.

By 2022, 70% of organizations will have PAM practices for all use cases in the enterprise, reducing overall risk surface.1

Putting Privileged Access Management into practice

The latest Gartner survey responses suggest that 90% of organizations will recognize that mitigation of privileged access risk is fundamental to security control by 2022.2 However, 70% of organizations would fail an access controls audit today.3 That means while the vast majority of organizations will come to understand the importance and value of PAM in the near future, they currently lack the PAM software, controls and knowledgeable support required to put it into practice.

IBM delivers comprehensive PAM capabilities through enterprise-grade solutions: IBM Security Secret Server and IBM Security Privilege Manager. Backed by expert consultation and 24/7 support, IBM Secret Server and IBM Privilege Manager help you capitalize on everything PAM has to offer, while also integrating with identity governance solutions for complete lifecycle management for users of your privileged accounts.

A key part of securing your organization is ensuring you are integrating identity into the broader security ecosystem to mitigate internal and external threats. Two key parts of that are:

  1. Privileged Access Management (PAM) – focused on the special requirements for managing powerful accounts within the IT infrastructure of an enterprise.
  2. Privilege Elevation and Delegation Management (PEDM) – which limits what external threats, malware and ransomware can do on endpoints by removing local administrative rights and elevating only approved applications.

Let's take a look at why both are necessary for your organization.

02

IBM Security Secret Server

Easily discover, control, change and audit privileged accounts.

The first step in managing privileged accounts is finding the accounts you don’t know exist. Manual processes and errors can lead to accounts that are unknown to and unmanaged by IT. With IBM Security Secret Server, you can automatically scan your entire IT infrastructure to discover privileged, shared, and service accounts. The discovered credentials are then stored in an encrypted, centralized vault. Password policies can be implemented and enforced on every account. You’ll gain full visibility and control over every privileged account in your environment.

Curb privileged access sprawl

When you discover all privileged accounts across your infrastructure using IBM Secret Server, you identify all service, application, administrator and root accounts. This means you gain total visibility and control over privileged credentials that previously went undetected.

Get started with IBM’s free interactive Privileged Account Discovery tool.

Generate, store, rotate and manage SSH Keys

Bring the generation, rotation, control and protection of SSH keys directly into IBM Secret Server. SSH keys play the same authentication role as usernames and passwords, but are typically used by automated processes and by system administrators for passwordless logins, which makes unmanaged keys an easily overlooked privileged credential. With role-based access control and permission sets, you can control who has access to which sets of keys, regardless of location or IP address.

Monitor and record privileged sessions

Know every keystroke a user takes. IBM Secret Server enables real-time session monitoring and allows you to terminate a session if risky behavior is detected. It also allows you to record privileged user activity. This provides an audit trail from when the user checks out a secret, to what they did on the system, to when they finally log off. Gain full insight into what’s going on in your most critical accounts.

Change passwords automatically when they expire

Privileged passwords should be changed regularly. IBM Secret Server’s built in password changing and expiration schedules ensure that critical passwords are changed automatically, without manual intervention.

Delegate access to all privileged accounts

Maintain accountability and provide better context to approvers, so they know exactly why a user needs access. You can also set up role-based access control (RBAC) and an approval workflow that governs when and for how long access is granted, including time-limited access and password approvals for third parties.

With IBM Secret Server you’ll gain full visibility and control over every privileged account.

You’ll know if someone adds backdoor access or makes an unauthorized configuration change.

You can identify who accesses a system, review the actions they take and react accordingly. Session monitoring and recording also gives you a complete audit trail.

Enhanced auditing and reporting

Utilize dozens of out-of-the-box reports for better insight into system health and compliance. You can generate full reports on password vault activity and create custom reports from database queries as needed.

Integrate IBM Secret Server for enhanced security

IBM Secret Server integrates seamlessly with critical IBM Security solutions, including IBM Cloud Identity, QRadar®, Guardium® Data Protection and IBM Security Identity Governance & Intelligence.

03

Privileged Access Management and Identity Governance

Integrate with identity governance capabilities for continuous user lifecycle management and compliance.

IBM Security Identity Governance and Intelligence (IGI) integrates with IBM Secret Server for automated lifecycle management. Implementing PAM can’t be treated as a standalone project. It requires automated identity governance capabilities to prevent issues that would otherwise emerge over time: entitlement aggregation; users with an ever-expanding collection of access to privileged accounts as they change roles, jobs and departments; limited visibility into shared passwords; and so on. Integrating IBM Secret Server and IBM IGI helps prevent toxic combinations of access through a holistic view across both privileged credentials and normal business user accounts. IBM Secret Server securely stores and monitors privileged credentials in an encrypted vault, while IBM IGI ensures that users’ access levels are compliant with regulations and free of separation-of-duties (SoD) violations.

Avoid access combinations that lead to risk

While PAM solutions give you a simple way to know who can access and use privileged accounts, you still need visibility and insight into the unique combination of privileged access each user has. A user with a “toxic” combination of access presents a risk to your organization.

Imagine that one of your users has access to an application that uses a database to store its data. What if that user—unknown to you—also had access to the privileged account necessary to manage the database? They would have the ability to edit the database directly, thereby circumventing the business and authorization controls of the application. And if the user also held privileged credentials to manage the OS, the audit trail could be cleared.
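The scenario above, as an added example that is not IBM IGI or Secret Server code: a small separation-of-duties check that merges business-application entitlements with the privileged secrets a user can check out of a vault, flags the toxic combination (application user plus database administrator), and raises the severity when the same user also holds OS-level privileged credentials that would let them clear the audit trail. The user names, entitlement strings and rule names are constructed for illustration.

```python
"""Detect toxic access combinations across business-app entitlements and
privileged (PAM vault) credentials.

Added example, not IBM code. Every record below is constructed."""
from dataclasses import dataclass

# Constructed entitlement inventory: (user, source, entitlement).
# "app" entitlements come from the business application / governance system;
# "vault" entitlements are privileged secrets the user may check out of the vault.
ENTITLEMENTS = [
    ("alice", "app",   "orders:user"),
    ("alice", "vault", "db:orders-prod:dba"),
    ("alice", "vault", "os:db01:root"),
    ("bob",   "app",   "orders:user"),
    ("carol", "vault", "db:orders-prod:dba"),
    ("dave",  "app",   "orders:user"),
    ("dave",  "vault", "db:orders-prod:dba"),
]


@dataclass(frozen=True)
class SodRule:
    """Holding every entitlement in `requires` is a toxic combination.
    If the user also holds everything in `escalates_with`, the finding is
    raised to `escalated_severity` (e.g. OS root lets them erase the trail)."""
    name: str
    requires: frozenset
    severity: str
    escalates_with: frozenset = frozenset()
    escalated_severity: str = "critical"


# Constructed rule: app user who can also administer the app's backend database.
RULES = [
    SodRule(
        name="app-user-with-backend-dba",
        requires=frozenset({"orders:user", "db:orders-prod:dba"}),
        severity="high",
        escalates_with=frozenset({"os:db01:root"}),
    ),
]


def entitlements_by_user(records):
    """Collapse (user, source, entitlement) records into {user: {entitlements}}.
    The source is deliberately dropped: the risk is the combination, wherever
    each entitlement was granted."""
    by_user = {}
    for user, _source, ent in records:
        by_user.setdefault(user, set()).add(ent)
    return by_user


def find_toxic_combinations(records, rules):
    """Return [(user, rule_name, severity, matched_entitlements)] for every
    user whose combined entitlements satisfy a rule."""
    findings = []
    for user, ents in sorted(entitlements_by_user(records).items()):
        for rule in rules:
            if not rule.requires <= ents:
                continue
            severity, matched = rule.severity, set(rule.requires)
            if rule.escalates_with and rule.escalates_with <= ents:
                severity = rule.escalated_severity
                matched |= rule.escalates_with
            findings.append((user, rule.name, severity, sorted(matched)))
    return findings


if __name__ == "__main__":
    for finding in find_toxic_combinations(ENTITLEMENTS, RULES):
        print(finding)
```

Neither source alone reveals the problem: the application only knows alice is an ordinary user, and the vault only knows she may check out the DBA secret. The check only works because both inventories are joined per user, which is the point of integrating the PAM vault with identity governance.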

Automate recertification campaigns

IBM IGI lets you run certifications that automatically trigger access reviews and gives managers business-friendly information to help with the attestation process, free from cryptic IT jargon that could otherwise result in bulk approvals.

Integrating IBM IGI with IBM Secret Server extends certification controls to include privileged users as well as non-privileged business users. You can replace error-prone manual processes with an automated recertification process that makes it easy for approvers to better understand what it is they’re actually approving.

Recertification campaigns will help you prove compliance while maintaining clean, healthy and appropriate access to privileged and non-privileged applications.

The benefits of integration

When you integrate IBM Secret Server with IBM IGI, you:

  • Avoid entitlement aggregation and ensure continuous access management
  • Easily prove compliance through recertification campaigns
  • Avoid risks and toxic access combinations through SoD controls across privileged and non-privileged users

04

IBM Security Privilege Manager

Remove excess privileges from endpoints and use policy-based controls to block malware attacks.

Least Privilege Policy

Security regulations call for a least privilege policy, which means limiting access to reduce your attack surface. Least privilege requires that every user, application and system account have the minimum access to resources needed to do its job. In practice, many users and applications run with admin or root privileges, giving them access to sensitive data and to the operating system itself. Under a least privilege model, administrative accounts with elevated privileges are given only to people who really need them. All others operate as standard users with an appropriate set of privileges.

Regulations like PCI DSS, HIPAA, SOX, and NIST and CIS security controls recommend or require implementing a least privilege model as part of a compliance solution. During an audit, you may have to demonstrate how the principle of least privilege is applied and enforced in your organization to control administrative accounts.

To successfully comply with a least privilege policy, you must know which privileges you need to manage. That means finding out which endpoints and local users have admin or root credentials, identifying which apps are in use and whether they require admin rights to run, and understanding your risk level for service accounts and apps with an elevated set of privileges.

Imagine how much damage and risk you will take away if you remove your business users from local admin groups, yet provide them with a way to install approved applications. IBM Privilege Manager helps with just that.

Get started with IBM’s free endpoint application and least privilege discovery tools.


Secure your largest attack surface with a single agent

IBM Privilege Manager can communicate with hundreds of thousands of machines at once. You can check policies and execute 24/7 control across every device and application under your purview through a single, streamlined dashboard.

You can discover which users and endpoints have local administrative rights, including hidden or hardcoded privileges across domain and non-domain machines, and automatically remove these rights as needed. This helps you control the exact membership of all local groups and users to reduce the risk of backdoor accounts.
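As an added example of that discovery step (not IBM Privilege Manager code), the script below parses the output of the Windows `net localgroup Administrators` command as captured from several endpoints, compares each machine's membership against an approved baseline, singles out local (non-domain) members, which are the usual backdoor pattern, and emits the native removal commands. The captured output, hostnames, account names and the baseline are constructed for illustration.

```python
"""Audit local Administrators group membership across endpoints and build a
removal plan for members outside an approved baseline.

Added example, not IBM Privilege Manager code. The captures below are
constructed output of `net localgroup Administrators` on two Windows hosts."""

# Constructed baseline of members allowed to stay in the local Administrators group.
APPROVED = {"Administrator", "CORP\\Domain Admins", "CORP\\Workstation Admins"}

# Constructed captures keyed by hostname.
CAPTURES = {
    "WS-0417": """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\jsmith
helpdesk-local
The command completed successfully.
""",
    "WS-0422": """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\Workstation Admins
The command completed successfully.
""",
}


def parse_local_group(output):
    """Return the member names listed below the dashed separator line."""
    members, in_members = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("----"):
            in_members = True
            continue
        if not in_members or not line:
            continue
        if line.startswith("The command completed"):
            break
        members.append(line)
    return members


def audit(captures, approved):
    """Return {host: {"remove": [...], "local_accounts": [...]}} for hosts
    whose Administrators group holds members outside the baseline."""
    plan = {}
    for host, output in captures.items():
        extra = [m for m in parse_local_group(output) if m not in approved]
        # No DOMAIN\ prefix means a machine-local account: the classic
        # backdoor that never shows up in directory-based reviews.
        local_extra = [m for m in extra if "\\" not in m]
        if extra:
            plan[host] = {"remove": extra, "local_accounts": local_extra}
    return plan


def removal_commands(plan, group="Administrators"):
    """Render the plan as `net localgroup` removal commands, one per member."""
    return [
        f'{host}: net localgroup {group} "{member}" /delete'
        for host, entry in sorted(plan.items())
        for member in entry["remove"]
    ]


if __name__ == "__main__":
    findings = audit(CAPTURES, APPROVED)
    for host, entry in findings.items():
        print(host, "remove:", entry["remove"], "local:", entry["local_accounts"])
    for cmd in removal_commands(findings):
        print(cmd)
```

Run against real captures, the plan is what you review before pushing changes: domain accounts in the removal list usually mean a stale group nesting, while local accounts in the `local_accounts` list deserve an investigation of who created them and when.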

Define flexible policies that ensure a frictionless user experience

IBM Privilege Manager automatically elevates the applications that users across your organization need—without requiring administrative credentials or forcing users to request IT support. It provides granular policy-based controls that determine and maintain access to trusted applications and processes.

Through advanced real-time threat intelligence, the solution whitelists, blacklists or graylists your applications according to flexible policies you define.

  • Whitelisting - Trusted applications are whitelisted and elevated, so users can easily access them without IT support.
  • Blacklisting - Known-malicious applications are blacklisted based on real-time threat intelligence and are blocked from running.
  • Graylisting - Potential threats are graylisted, meaning they’re moved to an isolated sandbox environment for further testing.

Additionally, any application can be quarantined and “sandboxed” at any time, as you deem necessary, regardless of its list designation. A quarantined application can be safely executed and tested without risk of exposing system folders or underlying OS configurations.

Easily manage and remove local administrative rights

Determine which accounts are members of any local group, including system administrators. If necessary, you can quickly reset all endpoints to a “clean slate” by removing all local administrative privileges at once.

Boost productivity for users and support staff

Since policy-based controls are enacted on the application level, users can access the trusted applications, systems and data they need without local administrative rights or the hassle of submitting tickets to IT support.

Achieve audit compliance through transparency

Share an easy-to-understand auditable trail of all application policies, administration credentials and privilege elevation activities with auditors. You’ll provide a clear picture of your compliance levels and what actions, if any, should be taken.

05

Why IBM for Privileged Access Management

Get scalable, enterprise-grade security solutions, backed by unmatched service and support.

When you deploy IBM Security Secret Server and IBM Security Privilege Manager across your organization, you unlock the full potential of PAM with scalable, enterprise-grade solutions.

Partner with IBM for service and benefits including:

  • 24/7 access to IBM support
  • Unlimited feature set within IBM Secret Server
  • Simple pricing and packaging options
  • Quick time-to-value—install in minutes and see value immediately
  • Support for large-scale distributed environments, on-premises and in the cloud
  • Integration with the IBM Security portfolio including IBM Cloud Identity, QRadar®, Guardium® Data Protection, and IBM Security Identity Governance & Intelligence.
  • Access to IBM Security PAM Professional Services
  • Access to IBM Security Expert Labs for deployment and configuration

1 Source: The Forrester Wave: Privileged Identity Management, Q4 2018 by Andras Cser, November 14, 2018

2 Source: Best Practices for Privileged Access Managed Through the Four Pillars of PAM, Gartner, January 28, 2019.

3 Source: Comply or Die: 2018 Global State of Privileged Access Management (PAM) Risk & Compliance, Thycotic.

Protect privileged accounts to reduce your attack surface. Sign up for a free trial of IBM Security Secret Server now.

Start Your Free Trial