Comprehensive software reviews to make better IT decisions
Privileged Access Management (PAM) Misconceptions: Starting the Journey
Approved access to systems has always been a basic security foundation since the dawn of computing technology. Identity and access management (IAM) strategies address the large attack surface, whereas privileged access management (PAM) strategies address the smaller but higher risk attack surface. Privileged credentials allow access to critical information and controls – the ultimate hacker prize. Every cybersecurity professional knows that basic access is good, but privileged access is gold. The vast majority of cyberattacks use compromised privileged credentials to gain access to systems; PAM solutions are a critical layer of defense.
Organizations that attempt to implement a PAM solution often have misconceptions and engage a vendor prematurely, looking at only the technical aspects without understanding the foundations and justifications required to be successful.
There are some fallacies surrounding the implementation and operationalization of PAM that organizations need to better understand as they modernize and secure their infrastructure to reduce risk and improve operational efficiency. These fallacies include:
- PAM is too complex to implement
- PAM tools are overwhelming for administrators.
- IAM tools already address privileged access needs.
- PAM tools impact productivity.
- It’s challenging to justify PAM ROI.
Our Take
The average user has always been a vulnerability for an organization’s overall security, but an organization’s privileged accounts are even more of a target because of their heightened level of access to sensitive data. Vulnerabilities surrounding privileged access can be accidentally, or even maliciously exploited. Privileged access management is not only necessary to achieving increased security, but also saves money. Additionally, if an organization has any compliance requirements, PAM can be leveraged to address compliance needs such as SOX, PCI-DSS, etc.
A few things to consider when starting the PAM journey:
- Map where privileged credentials exists today and tomorrow (e.g. internal, cloud, hybrid) to reduce the PAM implementation complexity going forward.
- Map current privileged access admin processes with the objective of eliminating the need to manually search for and manage associated credentials. All PAM tools today are designed to reduce administering and managing privileged access.
- IAM systems provide administrators with the ability to create, modify accounts, and enforce policies, but they are inadequate when it comes to managing a large amount of privileged accounts. PAM secures access to key business and technical system accounts and provides privileged access control visibility.
- PAM can be as straightforward or as complicated as organizations need it to be, whether it’s a small or large organization. PAM tools will automate time-consuming tasks for IT and security resources and free up time for higher-value projects.
- Justifying PAM ROI has two core fundamental components. First is the operational savings if a PAM solution was implemented. Second is the potential losses caused by downtime, reputational damage, and theft of intellectual property.
Info-Tech’s suggestions for strategic PAM implementation are that organizations should choose a solution that is minimally intrusive and disruptive to users and works with them. Acknowledging this process may take time: start by obtaining the support of admins by letting them know it will make their lives easier through automated process. Next, let stakeholders know the organization’s overall security will improve and the business will save money in the process. Keep the implementation smooth by not overcomplicating the solution.
Many mainstream PAM vendors, like BeyondTrust, Thycotic, and Cyberark, offer robust PAM solutions that address internal, cloud, and hybrid environments.
Want to Know More?
PAM vs. IAM Confusion Is Leading Organizations to Miss Out on Vital PAM Capabilities