Privileged Account Management (PAM)
What does Privileged Access mean?
Privileged access can be defined as administrative or “above normal” access to a system, such as a Desktop, Server or Cloud IaaS/PaaS environment. Organisations will have differing definitions of “privilege”; however, the inherent risks with these privileges are often overlooked as a significant risk within organisations (especially in industries that have few regulatory or other compliance requirements).
Mismanaged privileged access can expose an organisation to security breaches, from both external and potential internal sources.
Managing such privileges and asset access is termed Privileged Access Management or Privileged Account Management. This is certainly a topic that cannot be evaluated in a single web page, but let’s take a look at the basics and what a PAM project may entail at a very high level!
According to Gartner Research* “More than 65% of organizations allow unrestricted, unmonitored and shared use of privileged accounts, which severely limits auditability and personal accountability.”
What is Privileged Account Management?
Privileged Account Management is the management of accounts, passwords, keys, files and other secrets that provide any type of privileged access to a system within an organisation’s infrastructure or across the cloud. Although the concept of management is straightforward, the organisational environment(s), business and security requirements rarely are.
Why does a PAM tool assist?
PAM tools help organisations provide secure access to critical assets and meet specific compliance requirements by managing and monitoring privileged accounts and access to systems.
However, a toolset alone will not provide a successful outcome to a PAM project. In addition to the technology toolset (as a core), for a PAM project to be successful, it is equally reliant upon people and processes. Years of poor technology practice cannot be changed overnight! There can be significant change management within an organisation when the PAM processes and solutions are deployed. PAM projects require continued stakeholder support and sponsorship to ensure a successful journey.
PAM is a program of works, not a project!
In our experience, successful PAM projects are a journey that the entire organisation must embrace. They should be seen as an ongoing program of works, rather than an initial project and tool (set and forget!). PAM will permeate an organisation, affecting a number of business units and, quite often, external partners and technology vendors.
As digital transformation initiatives change an organisation (cloud, new in-house workloads etc.), so too do the requirements for the PAM implementation.
On an ongoing basis, the effectiveness of the processes as they relate to PAM should be revisited to ensure that the overall program continues to deliver on the originally agreed outcomes for the business.
PAM Maturity Levels
A privilege program can be evaluated against a PAM maturity scale.
- Level 0: Unmanaged Accounts – Perhaps processes in place to store privileged account passwords within the organisation
- Level 1: Vaulting – Replacing a password database such as KeePass or LastPass etc.
- Level 2: Credentials Management – Obfuscating passwords from users and rotating passwords across an organisation
- Level 3: Session Management – Providing audit and recording of privileged sessions for training and breach purposes
- Level 4: Least Privilege and removal of hardcoded credentials – Introducing least privilege controls within an organisation and removing hardcoded credentials from applications and machine-to-machine engagements
Secure-ISS provide a number of services across the PAM spectrum, from complete turnkey managed services to PAM implementation services (design and initial delivery works) and PAM consulting. If your PAM program has stalled, if you would like to increase your PAM maturity levels, or if you would like some further guidance around getting your PAM program started, our PAM team are ready to discuss.
* Source: Best Practices for Privileged Access Management – Gartner 2017