Like many new concepts, Privileged Activity Monitoring does not have a clear and perfect definition.
Many vendors have introduced new terminology for this concept in an attempt to be first to define the market with mixed results.
They are trying to use different naming conventions but similar acronyms: PUM, PAM, PAAM, etc. ‘Privileged User Monitoring‘, ‘Privileged Activity Monitoring’, ‘Privileged Account Activity Management’ and all the variants of these expressions can be found on Google.
In fact, even major IT analyst firms do not have a generally accepted definition, which illustrates how new this concept is.
Perhaps the following definition can provide the most accurate description, according to which PAM tools aim to address the following requirements:
- Controlling the users’ access to privileged accounts (authenticating the users, restricting access based on time policies)
- Managing and controlling privileged sessions (for example, restricting administrative access to the servers)
- Monitoring use of shared and superuser accounts (for example, root or Administrator)
- Collecting audit information for forensics situations, compliance reports, and so on.
Privileged Activity Monitoring is still a niche market, with a small but growing number of IT security vendors in the field. Vendors approach this market from different directions and with various core competencies, such as password management, identity and access management, or network forensics.
Typically, they market their technologies as essential parts of larger solutions. However, all of these products are trying to meet the same challenge: control and monitor the access of privileged users to critical IT assets.
Since there are a number of different ways to approach the problem, let’s review the technologies they use.
Jump hosts (Hop gateways)
Jump hosts provide a web-based interface for accessing servers: the users access the jump host from their browser, and connect to the target server using a web-based client application that is running on the jump host. In the meantime, the jump host records the actions or logs of the application. As jump-hosts are non-transparent solutions, they make integration into an existing infrastructure difficult.
Also, the users must use the applications provided by the jump hosts, which may have compatibility issues with their server applications.
Auditing of graphical protocols (for example, Remote Desktop Protocol, or Citrix ICA) is rarely supported, and even if it is, it can become a performance issue. Transferring files between the server and the client can also be problematic, or not supported at all.
Network sniffers are based on switch port mirroring; they receive the network traffic going to the servers and try to extract useful information from it. These solutions are easy to integrate and are non-invasive by nature.
They also have no effect on the way users do their work. However, all this also means that they are very limited in monitoring encrypted traffic, for example, SSH or RDP. Being passive solutions also limits the capabilities of these devices, so they cannot authenticate users, control protocol channels, or terminate unwanted connections to a server.
Agent-based solutions install small applications (agents) on the monitored servers that collect information about the user activities. They can provide detailed monitoring capabilities, but have some general disadvantages:
- Agents must be installed and maintained on each server.
- Monitoring is limited to the platforms supported by the agent. Typically, they run only on the most common operating systems, leaving other systems and devices (for example, network devices) unmonitored.
- They do not have any control over the connection used to access the server, thus cannot limit their use (for example, they cannot restrict file transfers or port-forwarding in SSH, or file redirection on Windows)
- There is no separation between the monitoring system and the monitored system, so the agents can be manipulated by the monitored superusers. This is essentially the same problem as using the system logs of the monitored system to check the actions of the superuser, who can influence the system log
Proxy gateways are the most mature solutions in terms of control granularity and auditing quality. Proxy-based technologies operate as network gateways: they are placed between the client and the server, and inspect the traffic on the application level. Since these proxies have full access to the inspected traffic, they have full control over protocol features.
For example, you can selectively permit or deny access to certain protocol-specific channels: you can enable terminal sessions in SSH, but disable port-forwarding and file transfers, or enable desktop access for the Remote Desktop Protocol, but disable file and printer sharing.