CybersecuritySecurity

Part 2: How Mature is Your Privileged Access Management (PAM) Program?

Eli Hajjar
May 27, 2020
6 min read

In this two-part series, we look at the factors needed for a Privileged Access Management program to be considered mature. Yesterday, in Part 1, we covered governance and the importance of developing a PAM strategy to work towards program maturity.

What is Privileged Access, and Where Can it be Found?

Discovery

This is really the key question that plagues many organizations today in progressing their PAM roadmaps. Without an understanding of what constitutes privilege, it will be nearly impossible for the owners of the PAM program to work with the organization to discover and protect privileged accounts.  We all know that domain administrators, server administrators and a handful of other defaults should always be considered privileged, but a mature PAM program evaluates access across the entire organization to identify accounts creating high risk.

  1. Is the organization able to define privileged access? This should include generic descriptions of what constitutes privileged access and what constitutes a privileged account, but should also provide guidance for specific platforms that are highly-leveraged for your organization.
  2. Is the organization able to discover, inventory and protect accounts? Account discovery is a continuous process, and one that is both automated and manual.  PAM providers like CyberArk provide multiple free scanning tools (including DNA, SkyArk, zBang) that can be used to automatically scan on-premise and cloud environments to detect privileged access. In parallel, organizations must mature their processes to require manual identification of new privileged access and accounts in key change management gates and other software development lifecycle processes.

With Privileged Accounts Discovered, Can Credentials be Protected?

Credential Management

IAM and security leaders today know that PAM solutions like CyberArk provide the ability to vault and manage privileged credentials, leveraging automated policy to rotate secrets after usage, certain time durations and so forth. However, PAM includes far more credential management considerations beyond simply vaulting and rotating passwords. For example:

  1. Is the front door to privileged accounts locked? Organizations need to enforce strong, multi-factor authentication in front of their PAM solution.
  2. Are all touchpoints between the PAM solution and the Identity Governance and Administration (IGA) tool accounted for? Integration of PAM and IGA tools allows for:
    1. Better audit trail and automation around access request and approval
    2. Granular details about privileged access to inform reviewers recertification campaigns
    3. Ability to automatically provision and deprovision privileged access.
  3. Is access provisioning and deprovisioning available both to and within the PAM solution? Organizations need to ensure a role-based access model for access in their PAM solutions, and a consistent convention to name and provision access to safes housing privileged accounts, likely dictated by Active Directory groups. Timely, ideally automated, deprovisioning must be accounted for to remove privileged access from terminated users as quickly as possible. With workforces changing so dynamically in today’s world, being able to both add and remove access quickly and without error is critical to reducing privileged access risk.
  4. What about the more advanced PAM controls? It is critical to understand and enforce the right controls for the right accounts. For example, CyberArk customers may choose to:
    1. Enforce Privileged Session Manager (PSM) to isolate and record high-risk sessions including usage of domain or virtualization admins and administrative consoles for cloud platforms
    2. Deploy Endpoint Privilege Manager to remove local administrator rights from endpoints
    3. Leverage Alero to control remote third-party access into the environment.

If All These Things are Completed, Is the Work Done?

Monitoring and Resiliency

If all of the above steps have been taken, the organization is off to a solid start to its PAM program, including attention to governance, discovery and credential management. The final key pillar of Protiviti’s PAM framework is monitoring and resiliency. Because cyber attacks are becoming increasingly commonplace and unavoidable, it is critical to start thinking about how to become more resilient and take automated action against privileged account threats. Questions to ask now include:

  1. Are PAM solutions integrated with SIEM? While leveraging things like CyberArk’s PSM are great, richer and more data-driven decisions can also be taken to monitor for threats against privilege by integrating with the SIEM solution. By ensuring the right use cases are being alerted for and incident response (IR) plans are defined, the organization can ensure its ability to respond appropriately to privileged account threats.
  2. Will the solution be resilient and automatically respond to and mitigate threats against these credentials? Tools like CyberArk Privilege Threat Analytics (PTA) allow organizations to take automated action against privileged account threats. For example, if someone adds a new account to the domain admins group outside of CyberArk, PTA can automatically identify that, vault the account and rotate the password and alert the right teams to investigate further. Protiviti and CyberArk did a PAM Resiliency Webinar on this topic in October 2019.

What’s Next?

While the process to build a well-functioning PAM program can seem daunting, taking methodical steps to understand and document a PAM strategy can help the entire organization get aligned on what needs to be done, how and when. Protiviti can help assess current PAM environments, set strategy and roadmaps and provide design, engineering, implementation and managed services with the entire CyberArk suite of products.

Protiviti can also help balance quick wins of rapid risk reduction and planning and budgeting for longer-term, more strategic efforts, and help build program metrics and interactive dashboards to measure progress and compliance as the strategy is executed.  PAM is not simply one discrete project, but it should also not feel like an insurmountable mountain.  The time is now to get going with a next step. Companies today are dealing with frequent organizational change due to M&A activity, adjustments in staffing models and unforeseen events such as COVID-19, and these drivers are making effective security around privileged access more critical than ever.

Organizations do not need to have every feature rolled out or every account across the whole enterprise protected to realize real value and risk reduction associated to privileged access. Protiviti is here to help clients understand where to start, build a methodical plan for what’s next and help you maximize your current state while planning for a target state that may be several phases away. Too many organizations today are paralyzed by long-term planning and setting a three to five-year roadmap, which then becomes out of date within the first nine to 12 months. Technological advances and organizational needs are shifting faster than ever and strategies need to be adaptable to these changes and next generation capabilities. Whether it’s a first kickstart or the next stage to move to the leading edge, our deep advisory and engineering expertise can help organizations move to the next level of PAM.

Eli Hajjar

Director
Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
13h

Protiviti's Chris Daniel will join the Analytics Study Breakfast panel to discuss the just-released 2024 CGT Analytics Study on Friday, May 3 during the #AnalyticsUnite2024 Summit. Register today! https://ow.ly/oVou50Rpfrn #ProtivitiTech

Reply on Twitter 1784946420555862405 Retweet on Twitter 1784946420555862405 Like on Twitter 1784946420555862405 Twitter 1784946420555862405
protivititech Protiviti Technology @protivititech ·
26 Apr

RSA Conference 2024 is quickly approaching! Stop by Microsoft's Booth #6044N - Moscone North on May 8 at 3 pm to see Protiviti's demo presentation! https://ow.ly/hk3350RmwaS #RSAC #Microsoft

Reply on Twitter 1783934284492943722 Retweet on Twitter 1783934284492943722 Like on Twitter 1783934284492943722 Twitter 1783934284492943722
protivititech Protiviti Technology @protivititech ·
26 Apr

Protiviti is a proud sponsor of #AnalyticsUnite2024. The summit provides retail and consumer goods executives with the unprecedented opportunity to learn from and network with the industry’s global leading analytic experts. https://ow.ly/5uNR50RpfcM #ProtivitiTech

Reply on Twitter 1783904458948133260 Retweet on Twitter 1783904458948133260 Like on Twitter 1783904458948133260 Twitter 1783904458948133260
protivititech Protiviti Technology @protivititech ·
25 Apr

Whether you need assistance in finance transformation, data & analytics, security & privacy, regulatory compliance, or business consulting, we have you covered. Read the April issue of #SAP Insights now! https://ow.ly/5qtO50RmFBs #ProtivitiTech

Reply on Twitter 1783556978268045479 Retweet on Twitter 1783556978268045479 Like on Twitter 1783556978268045479 Twitter 1783556978268045479
protivititech Protiviti Technology @protivititech ·
25 Apr

Protiviti leveraged #Microsoft Azure AI portfolio to create an intelligence information retrieval system for a client needing to comply with new EPA regulations. The AI-enabled solution sifted through terabytes of data, saving the company time and money. https://ow.ly/pYvm50Rmx3X

Reply on Twitter 1783481606822314257 Retweet on Twitter 1783481606822314257 Like on Twitter 1783481606822314257 Twitter 1783481606822314257
Load More