Related Post
Report
2024 Identity and Security Trends
Report
Saviynt a Gartner Peer® Insights Customers Choice for IGA
Solution Guide
IGA Buyer's Guide
Solution Guide
PAM Buyers Guide
Whitepaper
Focus on patient care, not complex identity management.
Use our partner finder to discover your perfect business match.
When I implemented my first Privileged Access Management (PAM) tool in 2001, the enterprise I was working with had 10,000 servers and the root credential on every single one was the same. We put in a bit of technology to randomize one default password and voila, a resounding success.
22 years later, times have changed. PAM has expanded from protecting non-internet-facing resources to cloud apps, processes, roles, IoT bots, third-party contractors, and more. While the traditional approach of rotating passwords and centralizing high-risk accounts in a vault might control some access, the reality is every single system, every single app, and every single user retains an element of privilege.
As security leaders take an “assume breach” posture and move toward a Zero Standing Privilege (ZSP) model (where all privileged accounts are removed except those needed for break-glass purposes), it’s important to keep in mind that no company can achieve a Nirvana ZSP state. However, there are important steps organizations can take to get as close as possible and keep risks very low. This is precisely why 75% of cyber-insurance providers are expected to mandate Just-In-Time (JIT) PAM by 2025.
The identity space is filled with a lot of confusing jargon and acronyms, but when it comes to privileged access, there are two key factors that we can control: scope and time.
ZSP is enabled by a JIT approach to privilege elevation.
Even under optimal conditions, the implementation of PAM tools is hard, and it can be made even harder if users don’t want to use it — or if there are technical problems that need to be solved. This can lead to the implementation taking longer than planned, stalling out after reaching a baseline functionality (such as administrator account vaulting), or not happening at all.
So as you begin building support for your JIT PAM initiatives, getting buy-in from every department is critical. PAM programs affect different teams in different ways, so it’s helpful to understand the different roles, their relationship to risk, and the approach you should take to build consensus.
While they may be the most resistant to change, user buy-in is the most critical. To them, access may equal status, and many of them have had very high levels of privilege for long periods of time. They’re also busy people who are suspicious of anything that’s going to create additional friction in their workday. If they don’t like a tool, they will always find a backdoor around it.
Approach: Step one is understanding how they do their jobs. What apps and systems do they connect to and how do they access them? What tasks do they do when they are working in the environment? Try providing early access to the PAM tool to increase their comfort with the new processes. Technology shouldn’t be a barrier. It should be an enabler. The closer we can get our technology to fit normal user behavior, the better.
Management is in charge of keeping the organization secure against threats, so they’re going to understand different drivers for embarking on a PAM program. They know the stakes: data breaches cost businesses an average of $4.35M, and privileged access abuse acccounts for 80% of attacks. PAM tools help them stay ahead of these risks, so they’re the people that can help craft that all-important top down messaging,
Approach: It’s important to provide context on the business risks of NOT having a mature PAM program that supports just-in-time capabilities. Executive support can be helpful if projects get stuck.
These folks are tasked with getting ahead of risks and minimizing the attack surface. Their responsibilities include aligning to best practice frameworks, cyber insurance, and other mandates.They own the identity stack – including PAM, IAM, MFA, and SSO – and the rest of the security portfolio.
Approach: Since orgs have an average of 76 security tools to manage, they’re interested in tools that can help them cut out the clutter and consolidate vendors.
These teams are tasked with reporting on past or present-day risks. Above all, they need to know who has access to what — and what they’re doing with that access.
Approach: To them, intuitive reporting is key. If a PAM tool can help them automate the collection and analysis of data, it’s going to win hearts.
A thorough inventory of privileged access in your organization will require you to:
Stay on top of stakeholders and urge them to make decisions. Talk about the potential impact of managing and rotating accounts and what it means for apps. Show the teams that the tool is an enabler to do the job in a more secure manner.
Once you’ve documented the privileged accounts, what they access, and their accountable owners, you can build your implementation roadmap. Watch our JIT PAM webinar for insights on creating a risk vs. impact matrix. This can help you categorize accounts by the amount of risk they carry and the effort level involved in JIT PAM implementation. Any account that carries high risk –- but has a low level of effort to implement — would be a quick win.
Here are a few examples:
Report
Report
Solution Guide
Solution Guide
Whitepaper