What is the defining characteristic…?
I’ve been thinking for a while about what, exactly, is the defining characteristic of a privileged access management system?
Some people seem to think that it’s password management. Some even go so far as to call this product category a “password vault.”
But what about granting someone temporary access to elevated access rights in some other way? What about temporary group membership, or temporary SSH trust relationships, for example?
A few years ago, we renamed our software in this cateogry from “Privileged Password Manager” to “Privileged Access Manager” for just this reason — because there were mechanisms at play which have nothing to do with passwords.
I’m still thinking about what it is that really defines this product category, however, and I think I’ve hit on the *one* *key* feature. That feature is granting temporary access — i.e., adding a temporal element to an access grant. If you can control *when* someone gets access to something, then you create a much more interesting audit trail and have an opportunity to generate forensic data, such as screen captures and kelogging (among many others). The key, though, is *time*. You can run these commands as root/Administrator/whatever for the next 2 hours. You can do that either because you were pre-authorized or because someone approved your workflow request, but it’s bounded in time and space.
So that’s my thought for the day. Privileged Access Management is fundamentally a problem in the time domain.