Part 2: How Mature is Your Privileged Access Management (PAM) Program?

In this two-part series, we look at the factors needed for a Privileged Access Management program to be considered mature. Yesterday, in Part 1, we covered governance and the importance of developing a PAM strategy to work towards program maturity.

What is Privileged Access, and Where Can it be Found?

Discovery

This is really the key question that plagues many organizations today in progressing their PAM roadmaps. Without an understanding of what constitutes privilege, it will be nearly impossible for the owners of the PAM program to work with the organization to discover and protect privileged accounts.  We all know that domain administrators, server administrators and a handful of other defaults should always be considered privileged, but a mature PAM program evaluates access across the entire organization to identify accounts creating high risk.

1. Is the organization able to define privileged access? This should include generic descriptions of what constitutes privileged access and what constitutes a privileged account, but should also provide guidance for specific platforms that are highly-leveraged for your organization.
2. Is the organization able to discover, inventory and protect accounts? Account discovery is a continuous process, and one that is both automated and manual.  PAM providers like CyberArk provide multiple free scanning tools (including DNA, SkyArk, zBang) that can be used to automatically scan on-premise and cloud environments to detect privileged access. In parallel, organizations must mature their processes to require manual identification of new privileged access and accounts in key change management gates and other software development lifecycle processes.

With Privileged Accounts Discovered, Can Credentials be Protected?

Credential Management

IAM and security leaders today know that PAM solutions like CyberArk provide the ability to vault and manage privileged credentials, leveraging automated policy to rotate secrets after usage, certain time durations and so forth. However, PAM includes far more credential management considerations beyond simply vaulting and rotating passwords. For example:

1. Is the front door to privileged accounts locked? Organizations need to enforce strong, multi-factor authentication in front of their PAM solution.
2. Are all touchpoints between the PAM solution and the Identity Governance and Administration (IGA) tool accounted for? Integration of PAM and IGA tools allows for:
   1. Better audit trail and automation around access request and approval
   2. Granular details about privileged access to inform reviewers recertification campaigns
   3. Ability to automatically provision and deprovision privileged access.
3. Is access provisioning and deprovisioning available both to and within the PAM solution? Organizations need to ensure a role-based access model for access in their PAM solutions, and a consistent convention to name and provision access to safes housing privileged accounts, likely dictated by Active Directory groups. Timely, ideally automated, deprovisioning must be accounted for to remove privileged access from terminated users as quickly as possible. With workforces changing so dynamically in today’s world, being able to both add and remove access quickly and without error is critical to reducing privileged access risk.
4. What about the more advanced PAM controls? It is critical to understand and enforce the right controls for the right accounts. For example, CyberArk customers may choose to:
   1. Enforce Privileged Session Manager (PSM) to isolate and record high-risk sessions including usage of domain or virtualization admins and administrative consoles for cloud platforms
   2. Deploy Endpoint Privilege Manager to remove local administrator rights from endpoints
   3. Leverage Alero to control remote third-party access into the environment.

If All These Things are Completed, Is the Work Done?

Monitoring and Resiliency

If all of the above steps have been taken, the organization is off to a solid start to its PAM program, including attention to governance, discovery and credential management. The final key pillar of Protiviti’s PAM framework is monitoring and resiliency. Because cyber attacks are becoming increasingly commonplace and unavoidable, it is critical to start thinking about how to become more resilient and take automated action against privileged account threats. Questions to ask now include:

1. Are PAM solutions integrated with SIEM? While leveraging things like CyberArk’s PSM are great, richer and more data-driven decisions can also be taken to monitor for threats against privilege by integrating with the SIEM solution. By ensuring the right use cases are being alerted for and incident response (IR) plans are defined, the organization can ensure its ability to respond appropriately to privileged account threats.
2. Will the solution be resilient and automatically respond to and mitigate threats against these credentials? Tools like CyberArk Privilege Threat Analytics (PTA) allow organizations to take automated action against privileged account threats. For example, if someone adds a new account to the domain admins group outside of CyberArk, PTA can automatically identify that, vault the account and rotate the password and alert the right teams to investigate further. Protiviti and CyberArk did a PAM Resiliency Webinar on this topic in October 2019.

What’s Next?

While the process to build a well-functioning PAM program can seem daunting, taking methodical steps to understand and document a PAM strategy can help the entire organization get aligned on what needs to be done, how and when. Protiviti can help assess current PAM environments, set strategy and roadmaps and provide design, engineering, implementation and managed services with the entire CyberArk suite of products.

Protiviti can also help balance quick wins of rapid risk reduction and planning and budgeting for longer-term, more strategic efforts, and help build program metrics and interactive dashboards to measure progress and compliance as the strategy is executed.  PAM is not simply one discrete project, but it should also not feel like an insurmountable mountain.  The time is now to get going with a next step. Companies today are dealing with frequent organizational change due to M&A activity, adjustments in staffing models and unforeseen events such as COVID-19, and these drivers are making effective security around privileged access more critical than ever.

Organizations do not need to have every feature rolled out or every account across the whole enterprise protected to realize real value and risk reduction associated to privileged access. Protiviti is here to help clients understand where to start, build a methodical plan for what’s next and help you maximize your current state while planning for a target state that may be several phases away. Too many organizations today are paralyzed by long-term planning and setting a three to five-year roadmap, which then becomes out of date within the first nine to 12 months. Technological advances and organizational needs are shifting faster than ever and strategies need to be adaptable to these changes and next generation capabilities. Whether it’s a first kickstart or the next stage to move to the leading edge, our deep advisory and engineering expertise can help organizations move to the next level of PAM.