The path of least resistance to Privileged Access Management 

David Morimanno, Thought Leader, Xalient, on the now essential nature of a PAM solution. 

Privileged Access Management (PAM) has evolved over more than 20 years to focus on controlling the access itself – which means preventing broad access to specific data and providing insight into who has access and when an account has been accessed.

Privileged accounts have traditionally been given to administrators to access critical data and applications. However, changing business practices, agile software development and digital transformation have meant that privileged accounts have become more numerous and widespread. To reduce the risk of privileged accounts being hijacked or fraudulently used and to uphold stringent regulatory compliance within an organization, an adequate PAM solution is essential.  

Overall, PAM aims to provide a privileged identity-centric approach to controlling access as part of the bigger identity ecosystem. PAM, which has typically focused on human access, has branched out to cover both human privileged accounts and non-human accounts, managing credentials, elevation and delegation of access along with audit logs that record actions, policies and more. As such, PAM puts controls in place that are critical to Identity Security.

The benefits of PAM are significant: it restricts access to anything considered privileged, thereby increasing data security and reducing risk, and in the case of a compromised account it limits the blast radius to a controlled environment. This is achieved by controlling administrative access on the endpoint, segmenting accounts, and monitoring access to accounts. While this helps to improve the security posture of an organization, it does come with challenges too.

While PAM allows organizations to segment accounts, providing a barrier between the user’s standard access and needed privileged access and restricting access to information that is not needed, it also adds a layer of internal and organizational complexity.  

This is because users feel it removes their access to files and accounts that they have typically had the right to use, and they do not always understand why. It can change their established processes. They do not see the security benefit and often resist the approach, seeing it as an obstacle to doing their jobs, which causes frustration amongst teams. As such, PAM is perceived to be difficult to introduce because of this friction.

To overcome this, companies must start the process with an organizational change management program that sufficiently prepares users for the implementation of PAM, unpacking how it will remove direct privileged access to data while improving efficiencies, consistencies and automation. 

PAM vendors are combining convenience and security to deliver a seamless PAM solution to organizations. They are also moving everything to the cloud as it makes it easier to deploy and provides more efficient and seamless cybersecurity coverage with better security outcomes.   

This is, however, a concern for many organizations who worry about putting their ‘crown jewels’ in the cloud.  

While this is a broader issue than PAM, it does raise major concerns and causes some friction and resistance from organizations. To overcome this, it is important to understand the overarching value of PAM, the use cases, the types of systems and how users will benefit from it – including proper contingency plans. 

Implementing PAM projects starts with account discovery and account onboarding which can cause companies to get stuck in the implementation and not reap the benefits of advanced PAM features.  

Unfortunately, many companies do not move beyond this point because they start the process with the idea that PAM is about putting credentials into a vault and rotating credentials and do not realize there are more functions and features that PAM offers. 

A significant gap in the PAM implementation process lies in the lack of comprehensive awareness among administrators. They often do not have a complete inventory of all accounts, the associated access levels, their purposes, ownership, or the extent of the security issues they face.  

Although PAM solutions possess the capability for scanning and discovering privileged accounts, these solutions are limited by the scope of the instructions they receive, thus providing only partial visibility into system access and usage. 

This challenge can be mitigated through various strategies, but it remains a dynamic issue that complicates the onboarding process for PAM solutions.  

Companies often fall into the trap of striving to resolve this problem entirely before advancing to subsequent implementation phases. However, achieving a “good enough” state and progressing to future PAM features can enable organizations to backfill and address these gaps later. The focus should be on moving forward with the implementation, understanding that refinements and improvements can be made as the PAM system matures. 
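One way to make the "good enough" state measurable rather than a judgement call is to score the inventory for exactly the gaps described above (unknown owner, unknown purpose, credential not vaulted, credential not rotated) and turn the result into a prioritized onboarding backlog. The script below is an added example, not code from the article or from Xalient; the account names, systems, rotation threshold and scoring weights are all assumptions, and the records are constructed sample data standing in for a directory or PAM discovery export.

```python
"""Privileged-account inventory gap analysis (added example, constructed data).

Scores each discovered privileged account for the inventory gaps a PAM
onboarding needs closed, then emits a backlog ordered by risk and a
coverage figure that can serve as the "good enough" threshold.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Fixed reference date so the example is deterministic (assumption).
REPORT_DATE = date(2024, 6, 1)
ROTATION_MAX_AGE_DAYS = 90          # assumed rotation policy
TIER0_LEVELS = {"domain-admin"}     # access levels weighted as highest impact


@dataclass
class PrivilegedAccount:
    name: str
    system: str
    access_level: str               # e.g. "domain-admin", "local-admin", "service"
    owner: Optional[str] = None
    purpose: Optional[str] = None
    vaulted: bool = False
    last_rotated: Optional[date] = None
    human: bool = True


# Constructed sample inventory; hypothetical names and systems.
SAMPLE_ACCOUNTS = [
    PrivilegedAccount("da-jsmith", "corp-ad", "domain-admin", owner="J. Smith",
                      purpose="tier-0 admin", vaulted=True, last_rotated=date(2024, 5, 1)),
    PrivilegedAccount("da-legacy", "corp-ad", "domain-admin", owner="IT",
                      purpose=None, vaulted=False, last_rotated=date(2023, 1, 1)),
    PrivilegedAccount("svc-backup", "corp-ad", "service", owner=None,
                      purpose="backup agent", vaulted=False,
                      last_rotated=date(2021, 3, 10), human=False),
    PrivilegedAccount("Administrator", "fileserver01", "local-admin"),
    PrivilegedAccount("cloud-deployer", "aws-prod", "service", owner="Platform team",
                      purpose="CI deploy role", vaulted=True,
                      last_rotated=date(2024, 4, 20), human=False),
]


def gaps_for(acct: PrivilegedAccount, today: date) -> list:
    """Return the inventory gaps still open for one account."""
    gaps = []
    if acct.owner is None:
        gaps.append("no-owner")
    if acct.purpose is None:
        gaps.append("no-purpose")
    if not acct.vaulted:
        gaps.append("not-vaulted")
    if acct.last_rotated is None or (today - acct.last_rotated).days > ROTATION_MAX_AGE_DAYS:
        gaps.append("stale-credential")
    return gaps


def risk_score(acct: PrivilegedAccount, gaps: list) -> int:
    """Weight gaps by blast radius: tier-0 counts triple, non-human accounts
    (rarely reviewed by a person) get an extra point."""
    base = 3 if acct.access_level in TIER0_LEVELS else 1
    if not acct.human:
        base += 1
    return base * len(gaps)


def build_backlog(accounts: list, today: date) -> list:
    """Accounts with open gaps, highest risk first; ties broken by name."""
    rows = []
    for acct in accounts:
        gaps = gaps_for(acct, today)
        if gaps:
            rows.append({"name": acct.name, "system": acct.system,
                         "gaps": gaps, "score": risk_score(acct, gaps)})
    rows.sort(key=lambda r: (-r["score"], r["name"]))
    return rows


def coverage(accounts: list, today: date) -> float:
    """Fraction of accounts with no open gaps: the 'good enough' metric."""
    if not accounts:
        return 1.0
    clean = sum(1 for a in accounts if not gaps_for(a, today))
    return clean / len(accounts)


if __name__ == "__main__":
    for row in build_backlog(SAMPLE_ACCOUNTS, REPORT_DATE):
        print(f"{row['score']:>2}  {row['name']:<15} {row['system']:<13} {', '.join(row['gaps'])}")
    print(f"coverage: {coverage(SAMPLE_ACCOUNTS, REPORT_DATE):.0%}")
```

With the constructed data the backlog puts the unvaulted, unrotated domain admin first, the ownerless service account second and the local Administrator account last, and coverage comes out at 40%. The point of the design is that the team can pick a coverage target, onboard the top of the backlog, and move on to the next PAM feature while the remaining gaps are backfilled as the inventory matures.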

PAM forms part of the larger Identity and Access Management (IAM) journey. As you move along the path, there is an opportunity to opt for PAM or other IAM solutions such as Cloud Infrastructure Entitlement Management (CIEM) or Identity Governance and Administration (IGA). Overall, it is typically best to select one path to start and begin to mature it, then start the next path, all leading to a mature IAM program. It is also important to adopt a strategic approach to PAM, knowing where the journey starts based on your use cases, requirements, and challenges. Then, once a plan is in place, kick off the account discovery process and march through it rather than getting stuck and letting inertia creep in.

To achieve this, it is beneficial to partner with an experienced services provider that can guide and manage the process with an understanding of where the organization is and where it wants to be, and that can help mature the ecosystem of the identity fabric towards this objective.

An experienced services provider can provide methodologies, frameworks and processes to help get around the perceived challenges associated with PAM. This provider should build a roadmap and strategy that unpacks how it will tackle the accounts and take the company along the implementation journey. 
