5 min read time

How Privileged Account Manager Provides Least Privileged Access and Just-in-Time Access

by in Cybersecurity

Privileged account credentials are a necessary evil. They are necessary to allow system administrators and application owners control their systems, data and applications to best meet the needs of the organization. But privileged credentials are dangerous when they end up in the wrong hands; which happens more often than you might think. Due to the inherent risks related to privileged credentials, strong controls, storage facilities and processes are needed to ensure equally strong security and adherence to compliance standards and company policies. Two of the most crucial techniques for controlling privileged credentials are the concepts of Least Privileged Access and Just-in-Time Access.


What is Least Privileged Access?

Least Privileged Access refers to being able to grant a user the least amount of privilege that they need to perform a task. Many times, the functionality that can be performed for a certain right falls within a tier or range of capabilities; many of which are not needed for the needed job to be accomplished. “What’s the harm in that? Give them more than they need, I say.” That may be good for some things, however when it comes to privileged access rights, that’s a terrible idea. As you’ve probably heard many times before, it’s estimated that about 80% of security breaches occur while the attacker gains access to privileged credentials. Rights need to be granted at a level of “just enough” for the needed job to be done.

How Privileged Account Manager Provides Least Privileged Access.pngFor NetIQ Privileged Account Manager (PAM), we have also taken Least Privileged into account. There are a few ways that PAM provides this:

First, much of the control over least privileged access for PAM comes through the use of the command control policies. Command Control allows the PAM administrator to define who can access what, how, when and to what degree. Part of the policies created include the ability to dictate what the user can or can’t do while in a privileged session. Most of the time, a privileged credential allows much more capabilities than a specific user requires for the tasks at hand. What this functionality allows is to specify specific commands or functions a user can perform over and above what the privileged credentials granted for the session allows. It’s worth noting that these capabilities of Command Control vary based on how the PAM components are deployed and how the user is accessing the end system. Please check the PAM Administration Guide for more details.

So, as you can see, PAM offers great features to help deliver Least Privileged Access in how it manages privileged sessions. Plus, even when privileged credentials are granted and are in use, PAM monitors the session and records all activities via keystroke logging and video/screenshot captures. PAM also provides command allowing/disallowing to further refine exactly what capabilities the user has for that particular session.

What is Just-in-Time (JIT) Access?

Least Privileged Access described what can be done when it comes to granularity of capabilities that are allowed to an individual. Just-in-time access (JIT) refers to when those rights are granted and for how long. Are the users assigned these rights permanently (either as the result of a direct assignment or through group membership) regardless whether they’re using them or not? JIT specifies that the rights, however limited in scope, should only be granted only at the very time that they are needed and for a specified amount of time.

Why is this important? If we want to actively prevent and detect security breaches we want to limit the time credentials are available and ensure single use whenever possible. If a user’s credentials are always assigned privileged rights, then anyone who gains access to those credentials can use them whenever they want.

The primary purpose of PAM is to limit privileged rights assigned directly to a user, or administrative rights assigned through group membership. The goal is that the users have “birthright privileges” as a standard user, and any privileged rights will be assigned by PAM only when needed, for a specific session; with another goal being that the user will never have personal access to the actual privileged credentials.

PAM enforces JIT access in a few ways. First of all, when using direct and indirect (proxy) privileged access methods into a system, service or application, PAM will temporarily elevate the user’s rights for a single session only; and only after matching that requested session with the corresponding policies. If direct access was used, then the startup shell will work with the PAM agent to perform the elevation. If a proxy was used, then the proxy will opaquely log them in with the credentials needed (the user will never see the credentials) and will monitor their activities according to the policy, and identify any risky behaviors.

Also, for both Linux/UNIX and Windows systems, PAM allows single command privileged access elevation. This allows for a user to be kept in non-privileged mode for as long as possible. And, only if the need arises for the brief use of a single command, is that user elevated. For this method, the user’s capabilities are also controlled and monitored through Command Control policies of which commands or applications can be used. But in the end, the user is only granted privileged access when the PAM policy is verified against all criteria specified and oversight is provided by recording session activity and keystrokes.


In conclusion, NetIQ Privileged Access Manager supports both least privileged access and just-in-time access which allows flexibility to access systems and perform privileged activities using the methods that are best suited for your enterprise. But it also controls the actual credentials in a way that a user is granted rights only when needed, for as long as needed, and only for the exact capabilities needed for that particular user.

Organizations need to strengthen their cyber resilience to protect their valuable assets and prevent (or at least limit) the potential for a data breach by putting guard rails around HOW bad actors gain access to the organization.


More Information:

Have technical questions about NetIQ Privileged Account Manager? Visit the Privileged Account Manager User Discussion Forum. Keep up with the latest Tips & Info about Privileged Account Manager. Do you have an Idea or Product Enhancement Request about Privileged Account Manager? Submit it in the Privileged Account Manager Idea Exchange. We’d love to hear your thoughts on this blog. Comment below.


Identity & Access Mgmt