Combine Technology with Process and People for PAM Program Success
Organizations need comprehensive Privileged Access Management (PAM) programs to prevent malicious insiders and hackers from stealing sensitive data and intellectual property, and impacting systems availability. Sila recognizes the frustrations technology and security specialists experience with the challenges and complexities of PAM implementations, including:
- Inability to sufficiently curtail risk
- Mismatches of expectations among stakeholders, auditors, and vendors
- Inadequate prioritization, funding, or strategy
- Excessive rework
- Extensive cost and time overruns
- Insufficient understanding of logical access paths to systems to know what needs to be protected, guarded, and managed
- Added complexity if old access paths are not retired when PAM processes are operationalized
- Inadvertent production outages
- Significant investments in PAM products that end up as shelfware
The following are Sila’s suggestions and strategies to help make your PAM program a success.
PAM Tools Don't Make a Program
Sila defines privileged access as entry to systems, databases, machines, and devices via all backend logical access paths, non-human/service accounts, and privileged application accounts. PAM includes all the activities necessary to protect and govern privileged access.
PAM tools are just one part of that equation.
“The landscape of available PAM tooling is rapidly improving and maturing,” said Sila PAM Practice Lead Zach Limacher. “While PAM tools are often the biggest, unique technology investment in a PAM program, it is important that people don’t think of programs and tools as synonymous.
“PAM program vision should be much wider than implementing tooling. Success should be defined based on a company’s ability to control critical backend and administrative logical access paths – regardless of how they are controlled.”
Process, People, and Technology
When organizations experience unrealized goals or insufficient return on investment on PAM projects, it usually means there are deficiencies in how the program approaches process, people, and technology.
Like most identity and access management (IAM) initiatives, process must lead the way. It can feel arduous to engage in proper planning activities, but jumping to a technology solution without sufficient risk assessment or goal setting adds significant risk. Pairing a risk-based methodology with a pragmatic, action-oriented mentality is a winning combination to keep momentum and ensure you meet your goals. Creating or modifying existing corporate security policies relating to PAM in your governance, risk, and compliance (GRC) technology is another key part of the process. With so much to decide, document, and do, Limacher added that “good business analysts are worth their weight in gold” during a PAM implementation.
Utilizing PAM tooling and processes often requires significant culture change for IT system and application administrators. Whereas identity governance and administration tools mainly modify oversight and request processes, PAM technology often impacts how every single administrator does their job. Companies must respect their administrators by listening to their input and concerns, and make them a critical part of the organization’s overall PAM journey. It is Sila’s experience that companies that attempt to bulldoze their administrators are more likely to fail.
Lead with process, ensure the right team is in place, and then purchase/utilize tooling to meet your goals. Don’t be afraid to maximize investments that are already in-house, such as remediation teams, and existing technology while you decide the best ways to maximize your future spend. “Because your PAM tooling is likely to be a significant investment and be around for a long time, be as strategic as feasible so that you choose tools and partners that are likely to support capabilities you will need in the future,” said Limacher.
Keep in mind that your PAM technology and processes will need to integrate, coordinate, and potentially partner with parts of the PAM landscape. UNIX or Mac directory bridging, configuration management, monitoring/alerting, change management, network segmentation, identity governance, controls management, GRC, analytics, and other technologies are all part of the PAM ecosystem. Neglecting to leverage all the tools at your disposal to meet PAM goals creates an increased potential for failure. It’s vital that organizations take a 360-degree view of IAM opportunities to make sure the entire ecosystem works together.
Deploy, Maintain, Revisit
All PAM projects can be a success with proper remediation at all stages of their lifecycle.
“We all live and learn, and failure is not cut and dry,” said Limacher. “We’ve found that internal transparency and thoughtfulness go a long way, so we recommend being honest and transparent with yourself and your management. Next is repairing relationships, assessing current state, and maximizing good investments you’ve already made.
Partner with technology business people, such as executives and application owners, to understand organizational priorities so that you can request support and funding that is in parity with your company’s needs and goals. Focus on building teams with the right people and take care of them. And lastly, find strategic tooling and services partners you can trust that are focused on making you successful.
It is also important to remember that an effective PAM implementation is not a one-time fire-and-forget event. Success can slide into failure through inattention to trends and technological obsolescence.
The reality is that you must stay vigilant if you are going to properly protect your company from cybersecurity threats. Processes tend to drift and break down. Key staff members change jobs or move on.
It is important to build documentation, layered controls, and processes into remediation and implementation to ensure critical processes and tools are still running as expected. You want to know about newly introduced gaps as soon as feasible.
“Privileged Access Management needs to be part of the ongoing fabric of your organization,” said Limacher. “It needs care, feeding, and investment so that it continues to evolve with the modern world.”