No matter how good the features and functionalities of a privileged access management (PAM) tool are, they can never replace the need for a comprehensive PAM vision. Security and risk management (SRM) leaders responsible for identity and access management (IAM) need a mature PAM practice that focuses on people and processes before making any technology purchasing decisions.
“When good processes and practices are enforced by an effective tool, organizations begin to achieve their PAM goals,” says Michael Kelley, Senior Director Analyst, Gartner. “A mature PAM practice will build on the foundation of your information security program.”
The four pillars of PAM demonstrate how security and business value can be captured by defining, then creating, a PAM practice that enables SRM and IAM leaders to take greater control.
Pillar No. 1: Track and secure every privileged account
The discovery of privileged accounts is fundamentally important because the existence of any unaccounted privileged access, for even a short time, carries significant risk. Discovery processes must be continuous because change is constant.
Information collection will be needed to develop governance for privileged access and will also provide action-oriented data that will enable administrators to target and remove inappropriate privileged access.
Pillar No. 2: Govern and control access
There are two keys to achieving privileged access governance and control. First, establish effective life cycle processes to ensure that all changes in accounts with privileged access are known; and second, establish proper tracking to account for every privileged account and what the account can access.
Just-in-time access is the recommended method for privileged access because it is based on the principle that access is granted only for a short period and then removed, leaving no standing privileged access.
Ultimately, this is about ensuring that the appropriate access is given so that you are driving PAM (and not allowing PAM to drive you). By having a solid understanding of current PAM use, it is easier to determine how PAM will function in an environment.
Pillar No. 3: Record and audit privileged activity
An effective PAM program requires visibility into what privileged users do and changes that have been made. A combination of tools (whenever possible and feasible) establishes visibility.
Privileged session recording can provide visualizations of privileged activity, and should be a critical part of a PAM toolkit. Expending a great deal of time reviewing session recordings can be a mind-numbing and ineffective exercise. Look for vendors that differentiate their products by providing users with tools that more easily find unusual activity in logs and recordings.
Pillar No. 4: Operationalize privileged tasks
Automation initiatives can be overlooked when building a PAM practice. Good targets for automation are predictable and repeatable tasks, such as simple configuration changes, software installations, service restarts, log management, startup and shutdown.
Effective automation should increase reliability and security by removing the “human” element, thus increasing efficiency and ultimately helping the business reach its strategic objectives. Supporting new DevOps or robotic process automation (RPA) initiatives, or delegating privileged access for third parties, for example, should not go unrecognized when implementing PAM tools.
This is also where interaction with other PAM tools provides value. Use change control management tools for just-in-time PAM access, manage PAM account life cycle management with an identity, governance and administration (IGA) tool, or use single sign-on and multifactor authentication to access the PAM tool.