What is Privileged Access Governance (PAG)

The term ‘privileged access’ or ‘privileged account’ is a hot topic lately. It seems that nearly every day there is news of another data breach that is inevitably tied to the misuse of poorly protected privileged account credentials. Exploiting privileged access makes it relatively easy for bad actors to gain access or steal sensitive data. Unfortunately, it often takes months, or even years to detect and investigate these incidents, by which time the thief and data are long gone.

The issue many organizations face when attempting to protect privileged accounts is that it’s challenging to determine which accounts have privileged access, and even trickier to track who has access to those accounts. The access control of these privileged accounts has long been fulfilled by Privilege Account Management (PAM) technologies. However, traditional PAM solutions are often standalone and lack integration with identity governance and administration (IGA) technologies. As a result, they significantly hinder the control, visibility and governance of users and their access to privileged resources.

When deploying an IGA solution, you aim to address your identity lifecycle management and governance challenges for the entire organization, including certification, attestation and segregation of duties. IGA solutions excel at fulfilling these requirements, while privileged account governance extends the governance, risk, and compliance capabilities of an IGA solution to encompass the PAM system. While most IGA platforms primarily assess risk based on user accounts and their roles and group memberships, Privileged Access Governance also takes into account the "root" credential obtained from the PAM environment, taking this vital piece of information as part of implementing identity governance rules and determining risk across the entire organization.

Many organizations treat their IGA and PAM environments separately, thus managing access in silos in two different systems. The IGA system contains information about identity and its organizational context (such as department, role, position, location and cost center), along with the accounts held by that identity in various systems and applications throughout the organization (such as the AD domain account, email, SharePoint, SAP, Salesforce and other business applications).

The PAM system is different. Although the identity still exists in the PAM system, it lacks the level of organizational and contextual data possessed by the IGA systems. The PAM system grants access to systems or applications by providing the necessary keys or credentials for the target platform's account. The IGA and PAM systems differ in how they store identities, manage identity lifecycles, and facilitate access to systems and applications. However, both systems play a crucial role in combating cyber threats and risks, including insider threats. They contribute to enforcing least privileged access from an IGA perspective and securing credentials while recording sessions on systems and applications.

Privileged Access Governance key functionalities include:

• Granting privileges to users
• Managing one-off privileged access needed to complete a specific task
• Controlling access to privileged passwords
• Tracking all privileged activity for reporting and audits of privileged access