Mission-Based PAM: Are You Ready?

5 questions to ask to determine your organization’s readiness for mission-based PAM

Organizations often begin their privileged access management (PAM) initiative with a mandate—for example, responding to a specific audit finding or regulatory requirement, such as a failure to properly rotate credentials or lock down passwords in a secure digital vault. Ideally, over time they migrate to a “mission” approach, which has a broader goal of strengthening and modernizing the organization’s overall security strategy and aligning with industry best practices.


Staying the course with a mandate approach delivers less value over time because it is designed to meet only a limited set of security requirements. It may increase your risk by forcing users to work around the PAM solution to do their jobs efficiently. Following a mission-based approach, whether from the start or shifting toward one over time, makes the most of your PAM investment by protecting more of your systems, maximizing user adoption and sharing data among security systems for a deeper, contextual understanding of risk and how to manage it.

Below are five questions that will help determine whether your organization is ready to move toward a mission-focused approach to PAM.

Do you have the backing for a mission-driven approach? Mandates can be relatively easy to get support and funding for because they often have a powerful sponsor, such as an auditor, regulator or chief information security officer (CISO). Mandates can also be easier to adopt: Business units may see compliance as a one-time exercise and believe they can then get on with carrying out their “real” work using the same tools and methods as before. Mission-driven PAM takes a broader, long-term view toward improving organizational security; it may take more funding and effort to initially build, but the multi-year return on investment is better. Helping your organization to understand that the long-term benefits of a mission-driven approach are worth the additional initial investment requires sponsorship from senior executives and other key stakeholders.

You can build the case for a PAM mission by describing how much the organization is spending to “check the box” to meet a mandate, and how a PAM mission can deliver far more visibility into user sessions and enable it to stop suspicious activities. You can also explain how a limited PAM program can increase risk by forcing users into unmonitored access you cannot track, much less stop, providing a prime target for malicious actors seeking to control sensitive assets.

Have you defined what privileged access means to you? If not, you won’t be able to focus your time, money and effort on the most critical areas. Accurately defining privileged access requires identifying and forging a relationship with everyone who has a stake in the program, such as the CISO, infrastructure team, managers of your security operations center and managers of identity and access management (IAM) programs. Have you educated them on your definition of privilege and asked them for theirs? Have you asked for their feedback on your PAM implementation plan? Doing so will increase their cooperation and provide valuable insights into what you need to protect, how to protect it and how to share data with other systems and processes to maximize your security and return on investment.

Along with creating partnerships with managers, are you willing and able to treat your admins—the users of your system—like partners? Creating trusted partnerships at all levels is a critical part of ensuring a successful PAM journey. Work closely with your administrators as well as your managers and senior leaders: Listen first to understand their current processes and pain points and then show them the improved security and lower stress that PAM processes can provide not only for the organization at large but for their particular areas of concern.

Are you willing to make the partnership real by doing the hard work of organizational change management? In the short run, PAM will require changes to how administrators do their jobs. Invest time and resources to minimize disruptions, rather than forcing them to use the new system as quickly as possible without taking change management steps to ensure a positive, efficient user experience.

Seeing your admins as partners and taking the time to understand their existing processes (and shortcuts) lets the PAM team understand what more efficient options and features they should consider prioritizing as you roll out your PAM system.

Do you have a plan to continually onboard new platforms and processes as your business needs change, as more users grow accustomed to the platform, and as you start seeing the benefits of enterprisewide deployment? You need a team whose sole job is to monitor, manage and expand your PAM implementation over time. Without such ongoing oversight, your PAM solution represents only a point in time and will become increasingly stale and ineffective as new privileged accounts are created outside of the controlled PAM process. Focusing exclusively on vaulting or securing today’s privileged access can cause you to lose sight of your needs as your business grows and changes.
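One concrete check the ongoing PAM team can run is a reconciliation between the privileged accounts that actually exist and the accounts the vault knows about, so that drift of the kind described above (privileged accounts created outside the PAM process, or vault entries nobody rotates anymore) is surfaced on a schedule rather than discovered during the next audit. The script below is an added example, not code from the article or from any PAM product; the group names, the two sample exports and the 90-day rotation threshold are assumptions, and the sample data is constructed.

```python
"""Reconcile discovered privileged accounts against a PAM vault inventory.

Added illustration; not part of the original article. Inputs are constructed
samples shaped like a directory/host group-membership export and a vault
inventory export. Adjust PRIVILEGED_GROUPS and the rotation threshold to
your own definition of privilege (see the article's second question).
"""
from dataclasses import dataclass, field

# Assumed: groups whose members we treat as privileged for this check.
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "sudo", "wheel"}

# Constructed sample: one row per (account, scope, group), as a directory or
# host enumeration job might export it. Not real data.
DISCOVERED = [
    {"account": "jsmith-adm", "scope": "corp.example", "group": "Domain Admins"},
    {"account": "svc-backup", "scope": "corp.example", "group": "Domain Admins"},
    {"account": "root", "scope": "db01.example", "group": "wheel"},
    {"account": "deploy", "scope": "web07.example", "group": "sudo"},   # never onboarded
    {"account": "jdoe", "scope": "corp.example", "group": "Domain Users"},  # not privileged
]

# Constructed sample vault inventory: account key -> days since last rotation.
VAULT = {
    "jsmith-adm@corp.example": 30,
    "svc-backup@corp.example": 120,   # rotation overdue
    "root@db01.example": 5,
    "oldadmin@corp.example": 400,     # account no longer exists anywhere
}


@dataclass
class ReconciliationResult:
    """Three kinds of drift between the estate and the vault."""
    unvaulted: set = field(default_factory=set)           # privileged, not in vault
    stale_rotation: set = field(default_factory=set)      # vaulted, rotation overdue
    orphaned_vault_entries: set = field(default_factory=set)  # vaulted, no longer privileged


def account_key(row):
    """Canonical 'account@scope' key shared by both exports."""
    return f"{row['account']}@{row['scope']}"


def reconcile(discovered, vault, privileged_groups=PRIVILEGED_GROUPS,
              max_rotation_days=90):
    """Compare discovered privileged accounts with the vault inventory."""
    result = ReconciliationResult()
    privileged = {account_key(r) for r in discovered
                  if r["group"] in privileged_groups}
    for key in privileged:
        if key not in vault:
            result.unvaulted.add(key)
        elif vault[key] > max_rotation_days:
            result.stale_rotation.add(key)
    # Vault entries with no matching privileged account: stale credentials
    # that still grant access if the target ever comes back.
    result.orphaned_vault_entries = set(vault) - privileged
    return result


def report(result):
    """Human-readable summary suitable for a ticket or a scheduled job log."""
    lines = []
    for label, keys in (("UNVAULTED", result.unvaulted),
                        ("ROTATION OVERDUE", result.stale_rotation),
                        ("ORPHANED IN VAULT", result.orphaned_vault_entries)):
        for key in sorted(keys):
            lines.append(f"{label:18} {key}")
    return "\n".join(lines) if lines else "no drift detected"


if __name__ == "__main__":
    print(report(reconcile(DISCOVERED, VAULT)))
```

Run on a schedule, each non-empty category becomes a work item for the PAM team: onboard the unvaulted account, investigate why rotation stopped, or retire the orphaned credential. The check is only as good as the discovery feed, so the enumeration that produces the first export should cover every platform the organization has defined as in scope for privilege.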

Begin your planning by understanding which systems are most critical to you. For a financial institution, it might be a trading system where downtime or a breach could cost hundreds of millions of dollars. For a pharmaceutical company, it might be the platforms that store the latest research compounds or patient trials. For a social media company, it might be the systems that store user profile data. Realize every owner will say their system is most important, but don’t let them spend too much time debating. Get a good feel for which systems and accounts are most critical and validate those priorities with more senior managers. You’ll also want to avoid a heavy PAM investment in a platform that’s due for upgrade or replacement.

The common thread across these questions is the need to start your PAM implementation not with technology, but with people, processes and culture. This focus will provide the best route to faster adoption, higher security and the maximum benefit from your PAM investment.

Cathy Hall

Cathy Hall is a cybersecurity leader at Sila with 18 years of experience providing IT services to Fortune 500 companies and government agencies, specializing in Identity and Access Management, Privileged Access Management, Information Security, Enterprise Applications, and Business Process Management. Cathy brings a unique mix of Federal and Commercial cybersecurity experience and uses her deep knowledge of NIST and other industry frameworks to drive security architectures.
