Have you found privileged access management more difficult than identity access management?

Much more difficult 2%

Somewhat more difficult 42%

Slightly more difficult 22%

No difference 15%

Slightly less difficult 13%

Somewhat less difficult 1%

Much less difficult

Unsure

350 PARTICIPANTS
Group Director of Information Security in Banking, a year ago

Privileged Access Management (PAM) builds over Identity & Access Management (IAM). Without a functional IAM, PAM deployment will be full of gaps and risks when a privileged user changes roles or leaves the organisation. Your query about which is more difficult than the other needs contextualisation. I tend to agree with the 50% of respondents who say PAM is 'slightly more difficult' because establishing AD/LDAP integrations with all applications and their underlying stack (OS/DBs etc.) and tightening it all up with SSO to establish a dependable and robust IAM foundation is a difficult job, though it exists in most mature organisations.
Next step is PAM. Discovering all privileged access accounts, including service accounts and sudos for *nix, onboarding them into PAM, closing direct access ports to servers from admin workstations except through a jump server, and finally creating a break-glass process is indeed 'more difficult'.

2 Replies
no title, a year ago

Thanks for the detailed response, Faheem. Do you also use 3rd parties for the assessment of what you did?

no title, a year ago

Hi Fabrizio

As a security governance function, we do sometimes use 3rd parties to establish compliance with the policies and standards we have laid down for security operations teams to adhere to. Usually, once the PAM project is complete and operationalised, we do a once-in-2-years review of the whole 'identity and access management' policy, either through the OEM (usually they do this as a paid/free service, be it CyberArk, Delinea or BeyondTrust) or we do it ourselves based upon evidence against each of the policy and standard's control objectives.

Hope that helps.
