Privileged Access Management (PAM) protects the keys to the kingdom – access to the privileged administrative accounts that control your organization’s critical servers, databases, and networks.
A hacker, malicious insider, or negligent user who can access these administrative accounts can go on to compromise or corrupt anything from customer data to financial systems. A strong PAM program helps prevent, detect, and mitigate such abuse of privileged access and works in concert with other security and identity and access management (IAM) systems at your organization. The goals of a PAM program should include:
- Protecting your critical data and ensuring the availability of essential business systems
- Reducing the likelihood that administrator credentials will be compromised or misused
- Reducing the impact if compromise or misuse does occur
- Pinpointing which user is responsible for actions taken by a shared account
Your organization may be ready to begin building a long-term, broad-based PAM program from the start; however, if your organization may begin considering a PAM program to meet an immediate, urgent need. For example, it might be a CISO looking to ensure passwords for SOX-relevant systems are accessed through a secure vault or to respond to an audit finding on security processes around specific sensitive assets.
But just satisfying a mandate to protect a limited number of accounts or applications is a narrow goal: it doesn’t make the most of your PAM investment and could make your organization less secure overall. The point where you’ve satisfied your PAM mandate shouldn’t be the end of the road, but the beginning of a mission to protect all of your critical privileged access. This mission-based approach delivers the highest return on investment (ROI) by making an increasing number of your accounts and systems more secure over time.
The Need for PAM
PAM is becoming more important by the day. The attack surface of applications and platforms through which hackers can compromise administrative accounts is expanding, the sophistication of attackers is growing, and the risks of successful attacks, including regulatory fines and brand reputation damage, are mounting. And these concerns are only going to continue to increase.
In a January 2019 report, market researcher Gartner estimated that “by 2022, 70% of organizations will implement (PAM) practices for all use cases in the enterprise, which is a significant increase from 40% today.” It also predicted that “by 2022, 90% of organizations will recognize that mitigation of PAM risk is a fundamental security control, which is an increase from 70% today.”1
Your organization probably has a method to protect privileged accounts. But it might rely on manual, less secure methods to track access to accounts and manage credentials. You may also have different PAM methodologies of varying quality and effectiveness across your business units and locations. This not only increases the chance of inconsistencies that can be exploited and manual errors but makes it significantly harder to identify and mitigate risks.
PAM as Mandate
A successful attack or stern note from an auditor or regulator can provide a valuable kickstart because it identifies a real problem and begins to educate business stakeholders to the importance of PAM. However, not moving beyond such a mandate approach has real limitations, especially if it:
- Solves the vulnerabilities an auditor or regulator cares about but not those which may be most critical to your business
- Makes routine administrative access so difficult that users seek to find ways around your PAM system via means you cannot track or manage
- Fails to remove non-authorized methods to get to privileged access that has been vaulted
- Provides a false sense of security based on a small number of protected accounts and systems, with no plan to identify and protect other assets that are or may become important to your business
- Views PAM as a standalone system rather than an integrated part of your organization’s overall security, IAM, and analytics ecosystem
For all these reasons, staying too long with a mandate approach can limit the number and importance of risks PAM can reduce as well as user adoption. Getting the greatest benefit from your PAM program investment requires a broader vision.
PAM as Mission
Here are four points on how embracing PAM as a mission improves upon the mandate approach.
- Identifies the biggest risks to your business: A proper PAM implementation begins with an in-depth assessment of which systems and accounts are most critical to your business, how you are managing them, and which risks require the most urgent attention. This includes asking for, and listening to, different definitions of privileged access from different stakeholders.
- Encourages user adoption: A mission approach requires building partnerships with your administrators. Acknowledge that PAM will introduce changes to how your administrators carry out their daily tasks, design the solution so it is as easy to use as possible, and explain why PAM is good for the business and the users in the long run.
- Protects the right accounts and platforms: A dedicated PAM management and governance team can assess which new accounts and platforms to protect over time, and how. It also makes sure you’re doing enough and the right kind of training, and that you are integrating your PAM platform with other security functions to give you the most timely and proactive view of your risks.
- Examines broader technical issues that can leave you vulnerable: Proper design of your PAM infrastructure helps ensure its availability and resiliency, which is essential because (if done right) PAM will become mission-critical. Hardening the PAM solution and its infrastructure can also identify other security needs, such as multifactor authentication on your password vault or unnecessary open ports on your servers.
Bottom Line Benefits
A mission approach to PAM is worth the investment and delivers far more to your organization than a mandate approach can, including higher overall ROI and benefits over a longer period of time through a more comprehensive and risk-based security approach. Mission-based PAM helps organizations be more secure and compliant through detailed, automated account usage tracking and mitigates threats more quickly and accurately through data sharing across security platforms. Finally, it helps to foster increased user adoption and acceptance as part of the organization’s security culture, a powerful benefit which shouldn’t be underestimated.
1 Gartner, Inc., Best Practices for Privileged Access Management Through the Four Pillars of PAM. January 2019.
This Sila content was first published on GCN.
About the Author
Tapan Shah is a Managing Director at Sila and heads the National Consulting Practice. He brings over 25 years of experience and industry eminence in cybersecurity and risk with contributions to multiple publications, conferences, and advisory boards. His career has been dedicated to working with senior executives of Fortune 500 companies, helping them apply governance, process, and technology to improve their cybersecurity and risk posture.
Learn more about mission-based PAM readiness, implementation, and governance in our PAM Toolkit. It contains a blend of articles and worksheets to help you define actionable steps toward an effective PAM program that aligns with your organization’s business goals to deliver maximum value and long-term success.