Enhancing Access Control by Combining IGA and PAM

Written by Alex Vakulov.

Some companies adopt IGA (Identity Governance & Administration) systems to protect against cyber threats by controlling user access. Others focus on PAM (Privileged Access Management) to secure accounts with extended rights. What would happen if these technologies were integrated to work in tandem? Let's explore the advantages of such a synergy, which could offer enhanced control and protection for the enterprise.

Plenty of significant information security breaches stem from misusing user credentials and unauthorized access to information resources. These threats might arise from external attacks. However, they can also originate from within an organization, often involving an internal employee engaging in unlawful activities. This might occur through the misuse of their extensive access rights in information systems or by unauthorized use of someone else's accounts.

Unfortunately, it is not always possible to detect these issues immediately. They can be like a time bomb, remaining hidden until it is nearly impossible to pinpoint their origins. To mitigate such risks, organizations turn to specialized IdM solutions or more advanced access control systems like IGA. Additionally, PAM tools monitor users with extended rights and privileges across various IT infrastructure components, including information systems, applications, databases, and servers. To strengthen the protection of company resources and bring order to access control processes, it is necessary to understand how such solutions, working side by side, can complement each other.

What Benefits Does IdM/IGA Offer?

A centralized access control system aligns all identification and authorization data spread across an organization's various systems and applications. For example, in a large financial firm, an operations department employee might require access to over twenty information systems and applications, half of which are used daily. Manually managing access for a new employee in such a department is a complex task. If the employee transfers from a related department, updating their privileges in information systems becomes a challenging quest that is nearly impossible to handle without errors. A company could have hundreds or even thousands of such employees, making the need for a streamlined system like IdM/IGA crucial.

Consequently, the company opted to implement an automated identity management system. This choice significantly streamlined the process of creating accounts and granting appropriate rights to new employees. When someone changes positions, an automated process updates their privileges to reflect their new role. In cases of termination, accounts get blocked, and rights are revoked.

Automation eliminated the errors associated with the human factor that were prevalent in manual access control. The company now finds it easier to regularly recertify rights, handle requests for additional access following established protocols, conduct comprehensive analyses, and develop risk models for threat prevention. Access management has been centralized through a single portal, enabling more effective oversight and control of all parameters.

Why Is PAM Also Important?

Every company has roles and processes that are out of the ordinary. There are those who need to grant rights in information systems, set up network parameters or specific resources like applications and databases, update systems and applications, and oversee their functioning. These are the superusers, or "privileged users."

The access these users have must be tightly controlled because they have the power to do much more without restrictions. Their credentials need strong protection to prevent attackers from gaining access. Attackers commonly target privileged accounts through regular user accounts, employing tactics like phishing emails with malware, buying credentials on the dark web, hacking partners or suppliers, etc. Such attacks can wreak havoc on a company.

Let's not overlook the insider threat. In major data breaches, internal investigations sometimes reveal that the culprits are employees with high-level administrative rights who misuse their access.

To manage the complex task of controlling privileged users, there is a specific class of systems: Privileged Access Management. PAM systems effectively manage access to critical systems for accounts with extended privileges and keep a close watch on the activities of privileged users. They help answer who is accessing the system with extended rights, when, and what they do there.

Today, employees can gain and use privileged access remotely, not just from the office. System and application maintenance, as well as software support, are often outsourced to external companies – integrators and suppliers – who also get broad access to organizational resources. Controlling remote users who are not working for your organization is not a trivial task.

A single account might be shared by several individuals – these are "shared accounts" – making it challenging to pinpoint who used it at a given time. For example, in a manufacturing company, an Administrator account might be used by five different shift workers.

Besides, there are accounts used not by people but by machines, like technology service accounts. These might run regular tasks, like generating reports, or be used by IoT devices, CI/CD tools, bots, network video recorders, and other devices.

Without automated tools, information security teams must spend excessive time managing access for privileged users. PAM systems mitigate the risk of privileged access misuse and streamline the management of user accounts with extended rights. So, what exactly can these systems do?

Accounting and Cataloging of Privileged Accounts

Identify all privileged accounts, including those used by applications and services on all types of hardware and software.

Granular Access Control

Personalize all access to privileged accounts. Store the credentials of privileged users in a special protected storage in encrypted form. Hide them even from the users, using automatic substitution during identification and authentication. Change passwords on a schedule. Provide minimally sufficient access rights only to certain resources and for a certain time based on approved rules and policies.

Monitoring All Activities

Monitor in real time all actions of admins, super users, external suppliers and contractors, database operators, etc. Timely detect suspicious activity or work from non-standard locations, interrupt illegitimate work sessions, and send alerts to responsible persons.

Recording, Analytics, and Reporting

Record all traffic of privileged users in a special log and archive it. All records are indexed, allowing you to find the desired part quickly. Provide an opportunity to view all user actions during a privileged session in video format. This may be necessary when identifying the cause of an incident. Log all parameters with detailed information for later study: which user worked, when he logged into the system, how much time he spent in it, and what actions he performed. Finally, a comprehensive reporting system allows you to obtain statistics and build graphs to identify security policy violations at an early stage.

Synergy of IGA and PAM

The lines between physical workspaces are naturally fading due to the rise of hybrid work, where employees operate both from the office and home, utilizing various devices, including personal ones, to access corporate resources. At the same time, the distinctions in data storage and processing are becoming less clear with the growing prevalence of cloud systems. The concept of a user extends beyond an individual, evolving into a broader entity, with AI systems becoming integral to our daily work.

Privileged users are crucial in safeguarding the enterprise and its information resources. However, they also become prime targets for cyberattacks due to their extensive rights. Therefore, stringent control over identification, authentication, and authorization becomes paramount. Protecting privileged access requires measures like multi-factor authentication, and credentials should be securely stored in specialized storage. Continuous monitoring of privileged user sessions, along with the application of dynamic authorization capabilities, is essential. This heightened control can be achieved by using a dedicated PAM solution in addition to the IGA system.

The combined use of IGA and PAM solutions enables the creation of consistent access control policies for all users, streamlining the process through automation tools. This integrated approach centralizes access requests, including those for privileged users, at a single decision-making point - the IGA system. It becomes easy to monitor every stage of access acquisition, confirmation, and utilization for both privileged and regular users.

This approach automatically resolves the issue of orphaned accounts, ensuring that rights are adjusted automatically in response to events like hiring, dismissal, or role changes. Consequently, all access becomes transparent and easily manageable.

From a combined IGA and PAM system, the organization can enjoy several advantages:

• Centralized Automated Account Management: Streamlining all accounts, including technical ones, through a single automated management point.
• Enforcement of Access Control Policies: Implementing general access control policies based on role models while addressing separation of duties (SoD) conflicts.
• Efficient Auditing and Anomaly Identification: Conducting convenient and effective auditing to identify anomalies in access rights using a unified system connected to HR sources and critical information resources.
• Optimization and Control of Secure Connections: Optimizing and controlling secure connections to company resources, managing disconnections for all users, both internal and external, including those with extended rights.
• Continuous Monitoring of Privileged Users: Providing continuous and detailed monitoring of privileged user activities with comprehensive event logging.

Final Thoughts

Implementing automated access control solutions may be full of challenges. Securing funding for such projects can be a hurdle, as these systems may not directly contribute to profit or business development. Nevertheless, the lack of sufficient access control poses substantial risks to compliance, leaving organizations vulnerable to severe threats from both external and internal information security issues. This is a crucial factor that must be considered when developing an effective defense strategy.

About the Author

Alex Vakulov is a cybersecurity researcher with over 20 years of experience in virus analysis. Alex has strong malware removal skills. He is writing for numerous security-related publications sharing his security experience.