Privileged Access Management (PAM)
Privileged accounts
A privileged account is a user account with more permissions than a standard user account. Privileged accounts can access sensitive data and make significant changes to systems.
Because privileged accounts have these additional permissions, they are especially attractive to attackers, as these accounts allow quick, broad access to data assets in the enterprise, often resulting in rapid and significant impacts.
Privileged Access Management (PAM)
Privileged Access Management (PAM) follows the cybersecurity principle of least privilege, which means users should have only the necessary permissions required to perform their job duties. Think of PAM as a security system that protects the most important keys in a building. While regular keys open office doors, privileged keys unlock critical areas like server rooms or financial records. If the wrong person gets access to these keys, it could lead to security breaches.
PAM ensures that only authorized individuals have access to privileged accounts. This helps keep your computer and university systems safe while allowing you to do your work without unnecessary disruptions.
As such, implementing PAM provides:
- increased security, by reducing the risk of unauthorized access to sensitive systems
- more flexibility, by allowing users to perform certain administrative tasks without requiring full administrative access
PAM is a key cybersecurity initiative in the Technology with Purpose strategy, developed in response to the Cybersecurity Audit requested by the Board of Governors. Its implementation is an essential step in strengthening the university’s cybersecurity.
Implementation
PAM is being introduced on administrative Windows computers primarily used by support staff for administrative functions.
To assist in implementing PAM, the university has selected BeyondTrust Endpoint Privilege Management (EPM). This tool allows users to:
- install commonly used, low-risk business software (e.g. Adobe Acrobat) without needing additional permissions
- manage specific system settings they previously could not modify (e.g. adding local printers)
What to expect
For most users, the impact of PAM implementation will be minimal. You can expect your applications, browsers and the internet to function as usual.
There will be no changes to how you access folders, files and drives. Most software installations remain unchanged.
In some cases, when installing software, you may see a message requesting administrator credentials. If this occurs, please submit a General IT Inquiry ticket through the U of A Service Portal.
Information sessions
To learn more about the Privileged Access Management (PAM) initiative, members of the U of A community can attend an upcoming online information session. During these sessions, participants will learn how PAM enhances individual and institutional security and have an opportunity to ask questions about the implementation.
Frequently asked questions
What is the current scope of the PAM initiative?
For the initial phase of this initiative, the PAM BeyondTrust Endpoint Privilege Management (EPM) tool will be rolled out to users on the STS domain with Windows operating systems primarily used by support staff for administrative functions. Each client (faculty/department) will have implementation support to help address their needs during the PAM EPM tool rollout.
What is the STS domain, and how do I know if I am on it?
STS is a term that refers to computers that are centrally managed by IST. To check if you are part of the STS domain:
- Click "Start" on your Windows computer
- Select your username
- View the address following your CCID
When will PAM be implemented at the University of Alberta?
The initial phase of PAM implementation is scheduled from March 2025 to June 2025.
Is my administrator account on my computer considered a privileged account?
Yes. An administrator account can access sensitive data and make significant changes to systems, so it is considered a privileged account.
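The two checks above (which domain the computer belongs to, and whether the account you sign in with is a local administrator) can also be done from a PowerShell prompt. The script below is an added example, not part of the U of A page or of the BeyondTrust product; it uses only built-in Windows PowerShell cmdlets and reports the computer's domain and the current user's administrator status. The function name Get-PrivilegeStatus is an assumption chosen for this example.

```powershell
# Added example (not from the U of A page): report domain membership and
# whether the signed-in user is a privileged (local administrator) account.
function Get-PrivilegeStatus {
    # Win32_ComputerSystem exposes the machine name and the domain it is joined to.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # Token check: true only in an elevated session, because UAC removes the
    # Administrators group from the token of a non-elevated admin session.
    $adminRole    = [System.Security.Principal.WindowsBuiltInRole]::Administrator
    $tokenIsAdmin = $principal.IsInRole($adminRole)

    # Membership check: read the local Administrators group (well-known SID
    # S-1-5-32-544) and look for the current user's own SID. This reads the
    # group rather than the token, so it also reports an admin account that is
    # running without elevation. Nested membership via a domain group is not
    # detected by this direct check (the token check covers it when elevated).
    $adminGroup   = Get-LocalGroup -SID 'S-1-5-32-544'
    $members      = @(Get-LocalGroupMember -Group $adminGroup -ErrorAction SilentlyContinue)
    $directMember = ($members | Where-Object { $_.SID -eq $identity.User }).Count -gt 0

    [PSCustomObject]@{
        ComputerName   = $cs.Name
        Domain         = $cs.Domain          # e.g. the STS domain name if centrally managed
        PartOfDomain   = $cs.PartOfDomain    # $false means the computer is not domain-joined
        User           = $identity.Name
        IsLocalAdmin   = ($tokenIsAdmin -or $directMember)
        ElevatedToken  = $tokenIsAdmin
    }
}

Get-PrivilegeStatus | Format-List
```

If IsLocalAdmin reports True, the account you use day to day is a privileged account in the sense described above, and it is the kind of account that the later project phase replaces with a standard user account holding only the specific elevated rights it needs.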
Will I lose my current administrator account?
The first phase of the rollout deploys the EPM tool, which adds the ability to manage user access in a more granular way. Existing user accounts are not being changed in this phase. During the project's next phase, local administrator accounts will be evaluated and replaced by standard user accounts with enhanced privileges.
How can I do what I need to do without administrator access?
The EPM tool allows the deployment of standard user accounts with enhanced privileges that provide the access levels required to do your work while mitigating the risk of system-wide administrator access.
I need an administrator account. What’s the exception process?
If the EPM tool doesn’t work for your needs, the Information Security team will review exception requests and grant them as required with appropriate compensating controls. Exception requests can be made by submitting a General IT Inquiry ticket through the U of A Service Portal.
Who do I contact for questions and information on the PAM EPM tool?
If you have any questions or require further information, please submit a General IT Inquiry ticket through the U of A Service Portal. For security-related information, visit the IST Information Security page.