4 essential elements of ongoing privileged access management -- Why they are important and how to get them right
Privileged access management (PAM) delivers the greatest benefits when it is implemented as a mission rather than to satisfy a limited, one-time mandate. Achieving more complete and proactive protection for privileged accounts requires an ongoing program to add more platforms and accounts and to share more security data with other systems over time. It also requires paying as much, if not more, attention to how PAM affects people and processes as to technology issues.
Without proper ongoing governance, a PAM program can give an organization a false sense of security regardless of their investment in their initial PAM rollout. Here are the essential elements of ongoing PAM governance, why they are important, and how to get them right.
Don’t think of onboarding as something that happens only in your initial PAM implementation. To deliver the maximum benefit, onboarding should be a continuing process that expands the PAM footprint with additional existing systems as well as new platforms as they are acquired by the organization.
The more platforms and accounts you’ve onboarded to your PAM system, the more privileged access you can manage. You can also collect and act on far better information about who is using what accounts, identify your most significant security risks, reduce those risks, and demonstrate your progress to your audit and compliance team.
Organizations often feel they can easily identify their most urgent PAM onboarding needs. These include systems that support large parts of the business or are most critical for compliance. Identifying the next set of priorities is often more complex because of competing organizational priorities and other factors like imminent upgrades. Despite these challenges, organizations benefit from ongoing prioritization and onboarding efforts, which keep PAM programs aligned with current business needs.
Determining which platforms and accounts to onboard, and when, should include the likelihood of an attack, the business risk from such an attack, and whether the platform is nearing the end of its life and thus might deserve less attention.
Beyond obvious weak points such as systems that are mandated to be remediated, look for those where administrators have failed to close unneeded accounts, were unaware of open accounts, or where audits have shown access requests were not properly reviewed.
(2) Training and Change Management
As your PAM implementation matures, more administrators will use the PAM tool to access more systems. They will require ongoing training to ensure they adhere to proper PAM processes while being as productive as possible. We recommend that companies create and maintain training materials and processes to assure scalable, repeatable training programs.
Because the administrators who will use PAM are usually very technical, they rarely require basic training in a tool. Their training should instead focus on making sure they are comfortable with the new PAM processes so that using a PAM tool becomes an essential and routine part of the organization’s security practices and culture.
Identifying and educating all the required stakeholders about the benefits of PAM is an essential part of a successful PAM program and helps strengthen the organization’s security culture. It is essential to understand the needs of users, how PAM affects how their jobs, and to make reasonable concessions to spur their adoption.
PAM deployments also need the same level of support as any large application rollout: they require familiarity with the business so support staff can identify and educate the right stakeholders, as well as skills in scripting, debugging, support, and upgrades. Your existing operational staff are a valuable resource and likely already familiar with how your organization supports application rollouts. Train your operational staff on the specifics of your PAM tool and help them build the skills required to maintain your PAM deployment long-term.
Achieving true enterprise-wide, ongoing visibility into what your privileged accounts are doing requires integrating your PAM tool with other security tools and processes. These include, among others, security information and event management (SIEM) tools, your security operations center (SOC), and Identity Governance and Administration (IGA) programs. For example, a PAM tool can help the SOC identify which of the flood of alerts it receives each day are most important. Based on input from the IGA platform, suspicious access can be blocked, potentially identifying and mitigating an insider threat.
In particular, the integration of PAM with IGA provides:
- Increased enterprise-wide clarity, visibility, and control over access managed through PAM tool
- Easier targeting of privileged accounts for more robust access management
- Reduced operational burden through increased automation of lifecycle events and access requests
- Increased compliance with regulatory requirements through programmatic IGA policies such as Separation of Duties (SOD)
Integration with IGA combined with analytics (described below) allows an enterprise not only to identify suspicious action on a privileged account, but it can also identify other accounts to which an administrator has access. This can provide clues about whether an administrator is acting maliciously, or if their account is under attack from the outside. It can also close an all too common security vulnerability -- stale PAM access for users who no longer need it or have left the organization.
Performing advanced analytics on the data from mature and well-governed PAM, IGA, and other systems can provide the most proactive, complete, and cost-effective defense against threats as they evolve. While companies should first implement PAM basics such as password rotation and secure password vaulting, they should also plan for scalable, automated analysis of the increasing amounts of usage data they will gather over time. Strong analytics allow you to correlate data from multiple sources to focus attention on the most significant risks. Analytics help you identify critical situations and take swift, targeted remediation in cases such as:
- Accounts outside the control of IGA and/or PAM tools
- Overprovisioned accounts
- Tracking account expiration
- High numbers of privilege escalation attempts (such as in brute force attacks)
- Large-volume downloads of sensitive data
- Logins to critical systems at unusual times or from unexpected locations
Your Next Steps
Threats from hackers and malicious or careless insiders will not end, nor will demands from regulators and auditors for more thorough and consistent privileged access management. With such high stakes, and the high cost of remediation efforts, a PAM program that meets only point-in-time mandates can increase, rather than reduce, your financial and security risks. Invest in a broader, ongoing PAM mission to achieve the most security at the lowest long-term cost for the most applications and users.
Cathy Hall is a cybersecurity leader at Sila with 18 years of experience providing IT services to Fortune 500 companies and government agencies, specializing in Identity and Access Management, Privileged Access Management, Information Security, Enterprise Applications, and Business Process Management. Cathy brings a unique mix of Federal and Commercial cybersecurity experience and uses her deep knowledge of NIST and other industry frameworks to drive security architectures.