What is Privileged Account and Session Management (PASM)?

Privileged Account and Session Management (PASM) combines two solution toolsets—privileged password management (also called privileged credential management or enterprise password management) and privileged session management.

Let’s briefly breakdown the two primary components of PASM:

Privileged password management: Centralizes the discovery, onboarding, and management of privileged accounts and credentials from within a tamper-proof password vault or safe. These solutions may secure everything from traditional privileged user passwords to SSH keys, to machine and application passwords, to DevOps secrets, and more.

Privileged session management facilitates the management, monitoring, and auditing of all sessions for users, systems, applications, and services that involve elevated access and permissions. It allows for advanced oversight and control to better protect the environment against insider threats or potential external attacks. Privileged session management also provides essential capabilities for maintaining critical forensic information required for audits, and regulatory and compliance mandates.

Why is PASM important?

PASM is essential for enabling the proper control, hygiene, and management of privileged identities. In doing so, PASM solutions serve as a critical defense against unauthorized access, insider misuse, and potential breaches.

For instance, the privileged password management component of PASM helps reduce the risks associated with privileged credential compromise by safeguarding access to privileged account passwords, secrets, and SSH Keys. This often includes features such as:

  • Enforcing strong password policies
  • Leveraging secure credential storage mechanisms in a tamper-proof vault, and/or generating dynamic secrets
  • Injecting privileged credentials directly into the session, keeping the password obfuscated and never revealed to the end user
  • Rotating privileged credentials regularly, especially after the use of highly sensitive accounts.

In addition, PASM solutions overlay continuous monitoring and recording of privileged accounts and sessions. They capture detailed session data for real-time or post-session review, and collect data required for regulatory compliance, when it comes time for audits.

PASM and PAM

Together, PASM and Privileged Elevation and Delegation Management (PEDM) (also called Endpoint Privilege Management) comprise the two most traditional sub-disciplines of Privileged Access Management (PAM). PASM and PEDM complement each other, and it is generally recommended to deploy both PASM and PEDM tools concurrently within the same network.

In recent years, independent analyst research firm has also two other tool areas under PAM, Secrets Management and Cloud infrastructure entitlement management (CIEM).

Below are brief descriptions of each of these four distinct, but complementary, tooling areas within PAM.

  1. Privilege Account and Session Management (PASM) onboards and manages privileged accounts and their credentials for human and non-human / machine identities. Session management is integrated to provide oversight of all privilege activities. In recent years, privileged remote access for employees and third-parties, and for infrastructure and OT, has also become a core PASM use case.
  2. Privilege Elevation and Delegation Management (PEDM) implements least privilege access, such as by removing admin. These tools typically elevate access for the needed applications or systems without giving the end users themselves elevated privileges. PEDM tools also provide host-based command control (filtering) and privilege elevation for servers, and can offer file integrity monitoring (FIM) capabilities. Enterprise endpoint privilege management solutions typically also include application control capabilities, including allowlisting and blocklisting.
  3. Secrets Management: Focuses on specific uses cases, in DevOps environments and CI/CD workflows, such as IaaS (Infrastructure as a service), PaaS (Platform as a service), or container management platforms. Secrets management tools are also frequently offered standalone for a specific set of tools, though broader solutions are available. These toolsets can manage and store credentials such as passwords through APIs and software development kits (SDKs), as well as provide application-to-application password management (AAPM). API keys, tokens, certificates, JSON files, XML files, are some common examples of managed secrets.
  4. Cloud infrastructure entitlement management (CIEM): refers to a framework and set of cloud-native tools designed to manage, monitor, and control the permissions and access rights of users and services within and across cloud environments. While once primarily offered standalone, these solutions are increasingly subsumed within PAM or other technologies.

Some modern PASM solutions have a comprehensive approach to managing all types of privileged access. Such holistic PASM offerings blend session management and monitoring with secure management of a broad range of credentials, including traditional privileged user credentials, SSH keys, certificates, DevOps secrets, and potentially even workforce passwords (application passwords for users across the enterprise), and more.

Common Threats Mitigated by PASM

PASM solutions provide critical security controls for defending against external and insider attacks, and can disrupt multiple steps in the cyberattack chain. Here are some common threats privileged account and session management solutions help defend against:

  • Phishing: Mitigates phishing threats by rotating privileged credentials, or generating dynamic secrets or one-time passwords (OTPs), etc. to protect privileged accounts. This reduces the risk of attackers gaining unauthorized access through compromised login credentials obtained via deceptive phishing schemes and other techniques.
  • Malware: Through continuous monitoring and session management, PASM helps detect and prevent the infiltration of malware that targets password compromise.
  • Reused and Shared Passwords: Addresses the risk of password reuse by implementing automated privileged credential rotation, or dynamic secrets generation, and enforcing strong password policies.
  • Account Hijacking: Enhances account security by enforcing strong password management hygiene and by monitoring and controlling privileged sessions in real-time. By preventing the misuse of authentication tokens or cookies, PASM reduces the likelihood of account hijacking and unauthorized access.
  • Brute-force Attacks: Defends against brute-force attacks by implementing dynamic policies, just-in-time access controls, and session monitoring.
  • Unauthorized Access: Prevents unauthorized individuals or entities from gaining access to privileged accounts via enforcement of strong privileged identity management policies, reducing the risk of security breaches.
  • Insider Threats: By continuously monitoring and recording privileged sessions, PASM helps identify and mitigate potential insider threats, as well as misuse of elevated access by authorized users.
  • Credential Compromise: Safeguards against the compromise of privileged credentials by enforcing strong password policies, secure credential storage, and regular rotation of sensitive account information.
  • External Attacks: Enhances security against external attacks by controlling and monitoring privileged account access, limiting the potential impact of cyber threats that target critical systems or assets.
  • Lateral Movement: Enforces strict access controls and segmentation to limit lateral movement within the network, minimizing the ability of attackers to navigate freely across an organization's infrastructure.

Can PASM help advance a Zero Trust Architecture?

Yes, privileged account and session management (PASM) is important for the advancement of a zero-trust architecture (ZTA). Zero trust is a cybersecurity framework that gained popularity as a response to the dissolving of the traditional network perimeter—these shifting network trends include remote work, mobile adoption, bring your own device (BYOD) policies, and cloud-based assets that are no longer located within a network boundary.

Some ways in which PASM can help advance zero trust principles:

  • Enables implementation of a zero gateway enclave by establishing a granular, segmented perimeter with assets accessible only through a gated and monitored network path.
  • Implements segmentation and microsegmentation to broadly isolate assets and access.
  • Enforces adaptive access and continuous authentication to ensure all devices, users, accounts, and identities have a high confidence in their actual identity. Vault credentials for management and injects them directly to initiate a session, never being exposed to the end user.
  • Eliminates embedded passwords in IoT / OT and other devices, applications, scripts, and DevOps tools, replacing them with secure API calls or dynamic secrets.
  • Provides real-time session management and monitoring to ensure continuous oversight of privileged activity with the ability to pause or terminate potentially risk or unwanted activity.

For more in-depth understanding of the role of PASM and PAM in enabling zero trust architectures and principles, check out this guide: Advancing Zero Trust with Privileged Access Management (PAM).

Common Capabilities of PASM Solutions

Essential features and capabilities of Privileged Account and Session Management (PASM) solutions typically should include:

  • Auto-discovers and onboards privileged identities, accounts, and credentials for humans, machines, employees, contractors, vendors, etc.
  • Manages privileged account passwords, SSH keys, and DevOps secrets for people, machines, employees, and vendors.
  • Injects credentials (obfuscated from the end user) to start a session, whether on-premises or remote
  • Enables secure, least-privilege access for any identity to anything.
  • Enables a just-in-time (JIT) access model by implementing triggers based on contextual factors to limit access to only what is needed, and only for the duration needed.
  • Monitors, audits, and manages all privileged sessions to ensure oversight and control over all privileged activity, including the ability to pause and terminate sessions.
  • Keeps a detailed record of activities performed during all privileged sessions, with the ability to playback recordings. This helps in auditing, forensic analysis, and identifying any suspicious or unauthorized activities.

Securing Privileged Access with PASM

Privileged Account and Session Management provides essential capabilities for organizations seeking strong protection against unauthorized access and insider threats. By integrating privileged password and session management, PASM offers a comprehensive solution that not only safeguards critical credentials, but also ensures meticulous monitoring and compliance. With its potential to also advance a zero-trust and meet a growing demand of emerging use cases, PASM is an instrumental technology set for a modern security architecture.

Learn about BeyondTrust’s Total PASM solution, which combines the most expansive, integrated set of privileged credential management and privileged session management capabilities, for an industry-best value.

Want to learn why over 20,000 customers chose BeyondTrust?
Prefers reduced motion setting detected. Animations will now be reduced as a result.