Successful Privileged Access Management (PAM) implementations are difficult due to the complexity of the technology and the amount of business change required.
Our latest blog explores the five principles we have applied in the past when helping Clients successfully transform their approach to PAM.
Our five simple principles to help PAM succeed are:
- Principle One: Understand the real issues affecting PAM – Technology alone will not solve all PAM issues.
- Principle Two: Change starts at the top – Senior Management buy-in is critical.
- Principle Three: Define “privileged” – The scope of privileged accounts needs to be defined, understood, and agreed.
- Principle Four: Start small and use an iterative implementation process – Don’t do too much too soon.
- Principle Five: Deliver a service, not a widget – Don’t forget about service design and transition; there needs to be a plan to transfer the project to operational teams.
The ever-changing threat landscape makes it difficult to gauge where you should focus your security efforts and budget. But what remains constant is how important it is to control your organisation’s privileged accounts, especially those accounts that might give a malicious actor the ‘keys to the kingdom’.
As IT risk and information security transformation specialists, we have worked on many projects that have helped to deliver or improve PAM. Through our work, we have identified key principles that we feel helped us deliver sustainable change to our Clients.
Principle One: Understand the real issues affecting PAM
Privileged access issues can’t be solved by simply implementing a PAM tool alone. Rather than diving straight into purchasing technology, spend time upfront to identify the high-risk issues, which will not always lie with the existing technology.
Consider any wider issues that may exist with governance, people, and processes, such as the lack of recertification processes, or poor standard operating procedures for maintaining the hygiene of access data.
Principle Two: Change starts at the top
Senior Management buy-in is an age-old critical success factor for any important project. However, it is particularly important for a successful PAM project because there is likely to be significant resistance from systems administrators and privileged users.
These users may have become accustomed to using their privileged credentials with minimal control, and over time this will have become embedded in the culture of their teams. Changing this culture will be impossible without Senior Management buy-in, and clear top-down messaging will go a long way to ensuring the project has the right level of support.
Principle Three: Define “privileged”
There can be numerous ways to define both “privileged access” and critical information assets (AKA “Crown Jewels”). Further, we have seen frequent internal disagreements about which specific accounts and entitlements qualify as privileged. This can result in either over-scoping or under-scoping of the PAM project, making it too complex to deliver, or failing to meet the intended business requirements.
Therefore, it is important to start by clearly articulating and defining which access roles or entitlements are considered “privileged” within the scope of the project. This will help reduce complexity, saving time and resources.