Privileged identity management (PIM) offers control and visibility over the data and application resources accessible to privileged or administrative user accounts. Administrative access control is a foundational component of secure identity management, keeping sensitive resources accessible to only those with adequate privilege. Once an account has been granted elevated or administrative privileges, PIM affords organizations control over what those accounts can access, with an inherently Zero Trust approach. Historically, allocating privileged rights was an all-or-nothing endeavor. Once a user was granted certain privileged rights, it wasn't easy to compartmentalize where they could exercise those rights. IT administrators managed by keeping data labels of sensitive resources hygienically aligned to every privileged role within a network boundary or domain. But once cloud hosting became the norm, organizations suddenly had to deal with user identities that now crossed multiple service and network boundaries. As user identities became unified across different hosting platforms and authorization systems, effective privilege management now meant validating identity beyond an account’s name and domain.
PIM broke ground by shifting identity governance from individual accounts onto individual resources. Privileged access is now allocated by servicing user requests for elevated rights over a single resource at the exact moment they’re needed. Security administrators use modern PIM tools to grant elevated privileges that automatically expire, leaving the user account with their usual, basic account rights afterwards.
Attackers love privileged accounts
Privileged account management will remain a preeminent topic of cybersecurity because privileged accounts hold immense power. Accounts with privileged access, let alone administrative access, are invaluable to attackers because:
- Moving laterally between network hosts or data resources is much more likely with a compromised privileged account.
- Sensitive or valuable resources are more likely to be available to privileged accounts.
- A privileged account on a specific application or system can likely grant privileged access to other compromised accounts.
- A privileged account might be able to cover up malicious activity by deleting audit and event logs, depending on the application or system.
The capabilities of privileged accounts over basic user accounts are, in part, why credential theft and account abuse dominate today’s common attack paths. In fact, the Verizon 2024 Data Breach Investigations Report found 24% of breaches over the researched date range were initiated by stolen credentials.
A compromised account is an emergency. A compromised privileged account is a security nightmare.
PIM can reduce the massive risk introduced by privileged accounts by letting you control exactly when privileged access is granted for specific resources.
Other risks PIM prevents
- Shadow IT: Because PIM tools provide Just-in-Time access, security teams can see exactly who is trying to perform privileged tasks or access privileged resources. Unknown or suspicious accounts are immediately visible, preventing the installation of unauthorized tools.
- Insider threats: When legitimate users conspire to perform malicious activity, PIM tools can alert against out-of-the-ordinary administrative account behavior.
- Human error: Small mistakes can have devastating consequences when made with privileged access. A user can’t accidentally run rm -rf if a PIM solution has already revoked their stale admin rights.
PIM and compliance and regulatory frameworks
Regulatory bodies have noticed that cyberattacks are only becoming more frequent and more advanced. As embattled businesses continue their uphill battle against cyber adversaries, more industries are finding themselves obligated to implement the technical controls outlined by one or more security compliance frameworks. Virtually all compliance frameworks and security standards, including NIST SP 800-53, PCI-DSS, ISO 27001, GDPR, and CMMC v2.0, mandate management of privileged accounts and privileged resource access. Your industry or host country may require you to implement PIM in your security architecture, making it not only a smart business move but an operational necessity.
More organizations are opting to apply Zero Trust principles when implementing compliance and regulatory security control requirements, including PIM. The first paragraph of NIST’s Zero Trust Architecture (ZTA) chapter on architecture basics goes so far as to state that the initial focus of any ZTA is granting the minimum privileges needed to access resources. Consider getting ahead of the curve by developing a Zero Trust strategy for your organization’s PIM solution.
Core PIM concepts and features
Privileged and administrative access have always been at odds with the concept of least privilege. Users cannot always be granted the minimum available access to resources; otherwise, they would never accomplish anything. Likewise, data and application resources do not all require the highest available privileges. Meanwhile, elevated privileges carry immense risk: even when granted for a limited time, they’re applied over an entire user account, exposing other privileged resources to that account unless carefully managed.
Managing different levels of access through data labeling and access control models, like discretionary access control, role-based access control, or mandatory access control helps prescribe and structure how least privilege is maintained but leaves organizations with the burden of figuring out how to implement elevated privileges safely. PIM helps overcome this by:
- Granting users access to each sensitive or privileged resource individually, rather than allocating privileged rights against an entire user or service account
- Applying the concept of Just-in-Time access (JITA), allowing users to request privileged access the moment they need it and equipping security teams with the mechanisms to approve requests immediately.
- Automatically expiring those approvals and restoring the user’s basic rights without relying on a security administrator to develop a scheduled task or manually manage access.
- Using audit logs to provide visibility into critical events like when approvals were granted, exercised, and automatically revoked.
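The four points above describe one workflow: a per-resource request, an approval that carries an expiry, automatic reversion to basic rights, and an audit trail of each step. The following Python sketch is an added example, not ThreatLocker code; its approver list, resource names, and the 15-minute default lifetime are assumptions, and time is passed in explicitly so the behaviour is deterministic.

```python
from dataclasses import dataclass, field

# Added example, not ThreatLocker code: a minimal Just-in-Time privilege broker.
# Grants are scoped to one resource, expire automatically, and every step is
# written to an audit log. Time is passed in explicitly (seconds) so the
# example is deterministic; a real broker would read a clock.
DEFAULT_TTL = 900  # assumed default approval lifetime: 15 minutes

@dataclass
class JitBroker:
    approvers: frozenset                          # accounts allowed to approve
    pending: set = field(default_factory=set)     # (user, resource) awaiting approval
    grants: dict = field(default_factory=dict)    # (user, resource) -> (approver, expires_at)
    audit: list = field(default_factory=list)     # (time, event, user, resource)

    def _log(self, now, event, user, resource):
        self.audit.append((now, event, user, resource))

    def request(self, now, user, resource):
        # The user asks for elevation on one resource at the moment it is needed.
        self.pending.add((user, resource))
        self._log(now, "REQUESTED", user, resource)

    def approve(self, now, approver, user, resource, ttl=DEFAULT_TTL):
        # Approve one pending request. The grant covers only that resource and
        # carries an expiry; the default lifetime can be overridden per request.
        if approver not in self.approvers:
            raise PermissionError(f"{approver} is not an approver")
        if (user, resource) not in self.pending:
            raise LookupError("no pending request for this user/resource")
        self.pending.discard((user, resource))
        self.grants[(user, resource)] = (approver, now + ttl)
        self._log(now, "APPROVED", user, resource)

    def is_elevated(self, now, user, resource):
        # Access check at time `now`; an expired grant is revoked on the spot,
        # restoring the user's basic rights without any scheduled task.
        grant = self.grants.get((user, resource))
        if grant is None:
            return False
        if now >= grant[1]:
            del self.grants[(user, resource)]
            self._log(now, "EXPIRED", user, resource)
            return False
        self._log(now, "EXERCISED", user, resource)
        return True
```

Note that an approval for one resource says nothing about any other resource: the same account remains unprivileged on `hr-share` while elevated on `finance-share`, which is the account-to-resource shift the section describes.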
ThreatLocker PIM capabilities
The ThreatLocker family of Zero Trust products listed below enables PIM capabilities over both data and application resources through configurable policies enforced against individual endpoints by a ThreatLocker agent.
- Allowlisting: Automatically discover every application your users run, approve only what’s needed by the business, and specify which user accounts are allowed to execute them. With the built-in Unified Audit, you can see exactly which applications were executed as an administrator.
- Elevation Control: Decide in the moment who may execute an application with administrative rights and limit their privilege to an automatically expiring time frame. Users are prompted to submit a request for elevated privileges the moment they execute an application.
- Ringfencing™: Further limit the individual application, network, or data resources permitted applications may access, even if they were executed with administrative rights.
- Storage Control: Limit access to storage interfaces, network paths, and even individual files and file paths to specific user or service accounts and groups with automatically expiring policies.
Deployment prerequisites and use cases
ThreatLocker agents don’t need much to keep endpoints secure. Even when connectivity is disrupted, request prompts for privilege elevation remain enforced. To fully take advantage of ThreatLocker PIM capabilities, ensure MFA is enforced atop regular user authentication to prevent compromised user accounts from logging into your devices and sending elevation requests.
Build JIT workflows with elevated ThreatLocker Allowlisting policies
Applications will only execute if you’ve permitted them through an Allowlisting policy. Add ThreatLocker Elevation Control to these policies to prompt users with a Just-in-Time administrative access request form whenever they need it.
Contain admin tools with Ringfencing
When you permit a powerful admin tool like PowerShell to run with administrative privileges, you can apply ThreatLocker Ringfencing to its associated Allowlisting policy to restrict it to executing or accessing only the specific resources you choose.
Logging and SIEM forwarding for audits
Review captured events in the Unified Audit to identify and disrupt suspicious administrative access requests. Additionally, forward syslog and BIG-IP events from other network devices to build a complete picture of privileged account use.
Avoid privileged account pitfalls with ThreatLocker
Automatically revoke administrative access by applying a default expiration time frame to approved requests for elevated privileges. Adjust this time frame on the fly for any individual request.
Use Elevation Control’s visibility into a device’s user accounts to remove stale administrator accounts before they’re abused. Go a step further and set up policies to automatically remove any unauthorized administrator accounts that might be added by well-meaning users or malicious actors.
FAQ
What’s the difference between PAM and PIM?
Privileged access management (PAM) can be thought of as how you delegate which user accounts have privileged access. PIM is how you manage the data and application resources accessible to those privileged accounts.
PAM was first available in the early 2000s as simple secure credential storage (known as vaulting) with password rotation. More advanced capabilities, like credential expiry, session monitoring, and logging, were added as security threats evolved. Today, some PAM solutions offer PIM capabilities.
PIM is a newer concept within the practice of identity and access management (IAM). It emerged as cloud hosting, and the granular identity governance offered within cloud platforms, outgrew the traditional account-centric focus and shifted towards managing the permissions of individual resources. PIM adoption continued to accelerate as Zero Trust became the predominant security mindset.
Do I still need a PAM solution or a password vault if I deploy PIM?
Yes, although this depends on the combined features and capabilities of the individual IAM tools or solutions you deploy. Some PAM solutions or password vaults may also be able to broker privileged account rights in a Just-in-Time capacity, giving them PIM functionality. Likewise, some PIM solutions may offer secure credential storage and rotation, giving them PAM functionality. Regardless of the tools or identity architecture deployed, ensure your security team can affirmatively answer both of the following questions:
- Is our organization securely storing, rotating, and logging our administrative account credentials (PAM)?
- Is our organization dictating the data and application resources accessible by those accounts in a Just-in-Time capacity (PIM)?
Aren’t admin rights and privileged access the same thing?
Not necessarily. Privileged access is any set of access rules granted to a user or service account that enables access to data or application resources otherwise inaccessible to users with basic rights. Administrative access rights are a subset of privileged access: an account with admin rights is the most privileged of accounts and, typically, can access most or all privileged resources on a single system. This blanket allocation of access is what makes administrative rights so dangerous and, likewise, what makes PIM so valuable.
Is ThreatLocker a PIM or PAM tool?
ThreatLocker delivers PIM capabilities through its Allowlisting, Ringfencing, Elevation Control, and Storage Control product modules. Additionally, Elevation Control policies may be configured to automatically remove unknown administrative user accounts from connected endpoint devices. You can read more about how these products bring your organization closer to compliance with identity management requirements at our Knowledge Base.
What are “break glass” admin accounts and how should we manage them?
Break glass accounts are named for the use case they illustrate: in a crisis, use this account to overcome any account authentication hurdles between you and resolving an emerging incident. A break glass account enables emergency, privileged access in a crisis when typical processes and security protocols cannot be followed. For instance, if an on-call technician becomes unexpectedly unavailable during a security incident, you might deploy a break glass account to access the privileged systems they would normally access to begin containing and remediating the threat.
Break glass accounts are inherently risky and should be secured with controls commensurate with their power. They should be configured as their own entity, separate from any other user or service account, so that accountability for their use is easily auditable. Use an encrypted PAM vault, secured with MFA, with logging and alerts configured against access attempts to the account. At the same time, configure PIM solutions to exclude break glass accounts from Just-in-Time access workflows. While PIM is otherwise vital for preventing abuse of privileged accounts, the workflow involved in granting resource access to those accounts may inadvertently impede legitimate emergency access attempts.
Use PIM to achieve a Zero Trust architecture
PIM is a Zero Trust solution for the evolved identity governance landscape. By managing when privileged accounts can access the individual data and application resources in your network, abuse of privileged accounts can be prevented even when an account is maliciously compromised. ThreatLocker can introduce Just-in-Time access capabilities to any network through easily deployable, lightweight endpoint device agents. Book a demo with one of our solutions engineers and see it in action today.