The path of least resistance to Privileged Access Management
Privileged Access Management (PAM) has been around for more than 20 years, taking critical accounts and putting them into a vault to ensure only select individuals can access them securely. Since then, PAM has evolved and now focuses on controlling the access itself, which means preventing broad access to specific data and providing insight into who has access and when an account has been accessed. Privileged accounts have traditionally been given to administrators to access critical data and applications. However, changing business practices, agile software development, and digital transformation have meant that privileged accounts have become more numerous and widespread. To reduce the risk of privileged accounts being hijacked or fraudulently used, and to uphold stringent regulatory compliance within an organization, an adequate PAM solution is essential.
Overall, PAM aims to provide a privileged identity-centric approach to controlling access as part of the bigger identity ecosystem. PAM, which has typically focused on human access, has branched out to include both privileged accounts and nonhuman accounts, managing the credentials, elevation and delegation of access, along with logs that record actions, policies and more. As such, PAM puts controls in place that are critical to Identity Security.
The benefits of PAM are significant: it prevents access to anything considered privileged, thereby increasing data security and reducing risk, particularly in the case of a compromised account, where it limits the blast radius to a controlled environment. It does this by controlling administrative access on the endpoint, segmenting accounts, and monitoring access to accounts. While this helps to improve the security posture of an organization, it comes with challenges too.
Obstacles to PAM implementation
PAM allows organizations to segment accounts, providing a barrier between a user's standard access and the privileged access they need, and restricting access to information that is not needed. It also adds a layer of internal and organizational complexity, because it gives the impression of removing users' access to files and accounts that they have typically had the right to use, and they do not always understand why. It can bring changes to their established processes. Users don't see the security benefit and often resist the approach, seeing it as an obstacle to doing their jobs, which causes frustration amongst teams. As such, PAM is perceived to be difficult to introduce because of this friction.
To overcome this, companies must start the process with an organizational change management program that sufficiently prepares users for the implementation of PAM, unpacking how it will remove direct privileged access to data while improving efficiencies, consistencies, and automation, and how it will benefit them and the organization in the long term. If companies neglect to do this, they are likely to experience resistance.
To minimize this, PAM vendors are combining convenience and security to deliver a seamless PAM solution to organizations. They are also moving everything to the cloud, as it makes PAM easier to deploy and provides more efficient and seamless cybersecurity coverage with better security outcomes. This is, however, a concern for many organizations that worry about putting their crown jewels in the cloud. While this is a broader issue than PAM, it does raise major concerns and causes some friction and resistance from organizations. To overcome this, it is important to understand the overarching value of PAM, the use cases, the types of systems, and how users will benefit from it, including proper contingency plans.
Getting stuck in the onboarding process
Implementing PAM projects starts with account discovery and account onboarding, and companies can get stuck at this stage and not reap the benefits of advanced PAM features. Unfortunately, many companies do not move beyond this point because they start the process with the idea that PAM is about putting credentials into a vault and rotating them. They do not realize that PAM offers more functions and features, ranging from account direction and account vaulting through to cloud privileged account management lifecycle, privileged user behavior analytics and more. Because they often don't appreciate these wider benefits, they tend not to move beyond the initial onboarding process to access the opportunities.
A significant gap in the PAM implementation process lies in the lack of comprehensive awareness among administrators. They often do not have a complete inventory of all accounts, the associated access levels, their purposes, ownership, or the extent of the security issues they face. Although PAM solutions possess the capability for scanning and discovering privileged accounts, these solutions are limited by the scope of the instructions they receive, thus providing only partial visibility into system access and usage.
Consider a scenario where a company has a privileged Windows account with access to 100 servers. If PAM is instructed to discover the scope of this Windows account, it might only identify the servers that have been accessed previously by the account, without revealing the full extent of its access or the actions performed. For instance, if the account has logged into ten servers, PAM will detect access to these ten servers but may entirely overlook the remaining 90 servers until the account interacts with them. This results in a disparity between known and potential access, as well as a lack of insight into the actual activities conducted using the access.
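The gap in this scenario can be measured by comparing what an account is entitled to reach with where it has actually been seen. The following is an added example, not part of the original article and not any PAM product's code; the group names, server names, inventory layout and logon records are all constructed for illustration.

```python
"""Compare potential access (entitlements) with observed access (logons)."""
from collections import defaultdict

# Constructed sample data: group nesting and per-server local administrator
# membership, in the shape an inventory export might provide (assumed layout).
GROUP_MEMBERS = {
    "SrvAdmins": {"svc_patch", "OpsTeam"},
    "OpsTeam": {"alice"},
}
SERVER_ADMINS = {f"srv{i:03d}": {"SrvAdmins"} for i in range(1, 101)}
SERVER_ADMINS["srv001"] = {"SrvAdmins", "bob"}  # one direct grant

# Constructed logon records (account, server), standing in for what a
# log-driven discovery scan would have seen so far.
LOGONS = [("svc_patch", f"srv{i:03d}") for i in range(1, 11)] + [("bob", "srv001")]


def expand(principal, groups, seen=None):
    """Return every account a principal resolves to, following nested groups."""
    seen = set() if seen is None else seen
    if principal in seen:          # guard against circular group nesting
        return set()
    seen.add(principal)
    if principal not in groups:    # not a group, so treat it as an account
        return {principal}
    accounts = set()
    for member in groups[principal]:
        accounts |= expand(member, groups, seen)
    return accounts


def access_gap(server_admins, groups, logons):
    """Per account: servers it can reach, was seen on, and never touched."""
    potential, observed = defaultdict(set), defaultdict(set)
    for server, principals in server_admins.items():
        for principal in principals:
            for account in expand(principal, groups):
                potential[account].add(server)
    for account, server in logons:
        observed[account].add(server)
    report = {}
    for account, servers in potential.items():
        seen_on = observed[account] & servers
        report[account] = {"potential": len(servers), "observed": len(seen_on),
                           "unobserved": sorted(servers - seen_on)}
    return report


if __name__ == "__main__":
    for acct, row in sorted(access_gap(SERVER_ADMINS, GROUP_MEMBERS, LOGONS).items()):
        print(acct, row["potential"], row["observed"], len(row["unobserved"]))
```

Accounts with a large unobserved count, or with entitlements but no logons at all, are the ones a logon-driven discovery pass would under-report.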
This challenge can be mitigated through various strategies, but it remains a dynamic issue that complicates the onboarding process for PAM solutions. Companies often fall into the trap of striving to resolve this problem entirely before advancing to subsequent implementation phases. However, achieving a "good enough" state and progressing to future PAM features can enable organizations to backfill and address these gaps later. The focus should be on moving forward with the implementation, understanding that refinements and improvements can be made as the PAM system matures.
Successfully embarking on the PAM journey
PAM forms part of the larger Identity and Access Management (IAM) journey. As you move along the path, there is an opportunity to opt for PAM or other IAM solutions such as Cloud Infrastructure Entitlement Management (CIEM) or Identity Governance and Administration (IGA). Overall, it is typically best to select one path to start and begin to mature, then start the next path, all leading to a mature IAM program. It is also important to adopt a strategic approach to PAM, knowing where the journey starts based on your use cases, requirements, and challenges. Then, once a plan is in place, kick off the account discovery process and march through it rather than getting stuck and letting inertia creep in.
To achieve this, it is beneficial to partner with an experienced services provider that can guide and manage the process, understands where the organization is and where it wants to be, and can help mature the ecosystem of the identity fabric to reach that objective. In doing this, companies could see the initial benefits of PAM within the first year and reach operational maturity within the following phases. However, it is important to note that PAM can only successfully reduce risk and add efficiency with minimal disruption to the business if there is a solid plan and strategy. It is also important to have a thorough understanding of the various accounts and their access within an organization, from non-human to service, bot, application accounts and more.
Additionally, an experienced services provider can provide methodologies, frameworks, and processes to help get around the perceived challenges associated with PAM. This provider should build a roadmap and strategy that unpacks how it will tackle the accounts and take the company along the implementation journey.