Privilege Elevation and Delegation Management (PEDM)
What is Privilege Elevation and Delegation Management?
More about PEDM:
Privilege Elevation and Delegation Management (PEDM) describes a category of Privileged Access Management (PAM) focused on providing more granular access controls than typically offered by Privileged Account and Session Management (PASM) tools.
Privilege elevation is the practice of temporarily raising a user's access rights so that they can work with specific resources beyond their standard privileges. Unlike standing (permanent) access, the elevation is time-constrained. It is efficient, but it also carries risk: elevated rights become an attractive target for attackers if they are not closely monitored.
PEDM helps reduce the risks posed by overprivileged users by providing more specific controls. Password vaulting is the most common method for securing access with Privileged Account and Session Management (PASM) solutions, but it offers only the most basic, all-or-nothing control: human users and machines gain access by checking out an administrator account that either has full privileges or none.
PEDM solutions address this issue by providing host-based command control filtering and privilege elevation capabilities that allow specific commands to run with a higher level of privilege. PEDM thus enables companies to improve their security posture by granting admin rights only for specific tasks, applications, or scripts, and only on a limited basis. This fine-grained control lets organizations deploy and enforce the principle of least privilege, giving employees and other users just the level of access they need to do their jobs.
How does PEDM work?
PEDM gives IT and security teams the ability to grant permissions based on defined roles, with built-in limitations, such as allowing an employee access to a specific server while restricting that access to business hours or to another specified time window.
Once a session ends, the PEDM capability revokes the elevated access rights to secure the account. If the credentials involved are compromised for any reason, an attacker cannot use them to maintain persistence. By combining PEDM with PASM, IT security teams can significantly reduce the number of administrator accounts throughout the organization. Because privileged accounts usually possess powerful access capabilities, they pose a serious risk if and when an attacker compromises them. Organizations reduce the risk of abuse by external threats and malicious insiders by eliminating or limiting the total number of privileged accounts.
PEDM solutions also allow administrators to request new roles in a controlled, auditable way to obtain the rights they need for specific tasks. This self-service capability lets companies assign privileges and roles according to a flexible, Just-in-Time approach. PEDM tools also help meet compliance requirements, since they typically include host-level monitoring and reporting capabilities.