What to expect when implementing PAM

By Barry Scott

I would have thought that by now, PAM (Privileged Access Management) had been implemented in every organisation, or is at least in the process of being implemented. Having said that, I suspect there are still people who don’t want to touch PAM with a barge pole, for what they feel are very good reasons.


Those reasons won’t stand up when arguing with the company’s IT Auditors, although the people trying to break into your network every day will be very happy about them. Let’s be honest, we all tend to hold inconsistent views on security: what we say should be done and what we actually do ourselves are often two different things. There is no way out of it though – an IT environment, be it on-prem, hybrid, or fully cloud, will not be secure without a PAM solution involved somewhere.


There’s no denying there will be some tricky waters to navigate during a PAM project, but most will relate to business process and making sure people are onboard with the necessary changes to their working practices, rather than truly justifiable objections or insurmountable technical reasons.


Expect to hit roadblocks - “I’ve known the root/admin password for the last 20 years. I can log in immediately to any of our machines and get problems fixed without having to mess around for hours trying to get hold of it. Are you saying you don’t trust me, and you want to slow me down?”. Expect to have some of your enthusiasm for the project sucked out by the attitude of some third-party service providers and internal users.

It’s vital for a PAM implementation that you have clear priorities for each stage of the project (for instance, what’s the MAIN driver – if it’s to control vendor access, make sure you sort that out first rather than trying to do a bit of everything). Within each stage, try to approach the paths of least resistance first – you’ll probably encounter obstructive vendors with remote access who’ll say “it’s not in our contract to log in like this, we’ve used a VPN for donkey’s years and RDP from our desktops”. You will probably be able to guess (or find out from others) who will cause the roadblocks, so avoid driving straight into them and take them on when the project is established and progressing well.

It’s vital to get people onboard and ensure early users of the solution become advocates of PAM to the rest of the business, rather than having them block your progress with difficult behaviour. Get your sponsors and senior management truly onboard by frequently reporting good progress and successes, especially in the early days of the project. THEY will then become powerful advocates for your project and the protection it will ultimately bring to the environment. Swing the odds in your favour. There’s nothing like early, quick wins to give a project some decent momentum. Move forward in bite-size chunks rather than trying to boil the ocean.


When searching for a PAM vendor, you need to make sure that the vendor’s approach matches your organisation’s way of doing things, or that you are genuinely prepared to change and have management backing to do so. For example, perhaps the vendor has a cloud-only solution, and your credentials would be held in the Cloud. If you don’t think that’s acceptable, should you re-examine why you think that? Is there some inconsistency in your thinking, in that you’d be perfectly happy to use a cloud-based personal password vault or keychain, but don’t think a similar approach is acceptable for a PAM solution? If your thinking is valid for your environment, that’s fine, but make sure to challenge yourself and make sure any biases are reasonable. In my experience it usually turns out for the “cloud vs. on-prem” debate that what customers really want is the ability to effectively switch off the vault if something bad happened, and have on-premises capability if their link to the PAM provider (or the PAM provider themselves) went down. They weren’t anti-cloud as such, but did want something entirely under their own control, be it HSM, KMS, on-premises server or something in their own private cloud. PAM providers are under no illusions that their solution needs to be available 24x7 and are quite possibly more experienced than your own company in providing very high levels of service.


It may sound daft, but don’t forget that software isn’t magic. For example, most, if not all, PAM solutions have discovery capabilities. They are best at discovering credentials that exist on systems which they have already been given valid credentials for, rather than hunting out individual systems and credentials completely from scratch. For instance, it’s fairly easy to discover all the systems in Active Directory, because the PAM tool will probably have enough access to simply read a list of computer objects, and may also already be able to read the machines’ local accounts databases. On the other hand, discovering accounts on an as-yet unknown, standalone Linux machine on the far side of a firewall is a different kettle of fish. Incidentally, be careful starting a discovery process without talking to the Network team first, because they’ll probably block your machine very quickly, or won’t let you start in the first place. They should already have most of the information you need anyway.

Accept that the PAM project will probably be the fall guy for problems arising from implementing best practice that should have been done years before, but no-one wanted to take the risk. A typical example of this would be a non-specific (generic/service) account that has been used by someone or something since time began - no-one wanted to take the risk of changing its password, and of course the PAM project does so as part of onboarding the account, breaks things and gets the blame.
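One way to take the sting out of that scenario is to find the local dependencies of a generic account before the PAM onboarding job rotates its password. The script below is an added example, not code from the original post or from any PAM product; it assumes a Windows host and uses a constructed placeholder account name.

```powershell
# Added example: list what on this host would break if the password of a
# long-lived generic/service account were rotated. Run before PAM onboarding.
param(
    # Constructed placeholder, not a real account. Match is exact, so pass the
    # same form (DOMAIN\user or user@domain) the services/tasks were configured with.
    [string]$Account = 'CORP\svc-legacy'
)

# Windows services whose logon identity is the account
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and ($_.StartName -ieq $Account) } |
    ForEach-Object {
        [pscustomobject]@{ Type = 'Service'; Name = $_.Name; State = $_.State }
    }

# Scheduled tasks that run under the account
$tasks = Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -and ($_.Principal.UserId -ieq $Account) } |
    ForEach-Object {
        [pscustomobject]@{ Type = 'ScheduledTask'; Name = $_.TaskName; State = $_.State }
    }

# IIS application pools with a specific-user identity (only where IIS is installed)
$appPools = @()
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $appPools = Get-ChildItem IIS:\AppPools |
        Where-Object {
            $_.processModel.identityType -eq 'SpecificUser' -and
            ($_.processModel.userName -ieq $Account)
        } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'IISAppPool'; Name = $_.Name; State = $_.state }
        }
}

$findings = @($services) + @($tasks) + @($appPools)

if ($findings.Count -eq 0) {
    Write-Output "No service, scheduled task or app pool on $env:COMPUTERNAME runs as $Account"
} else {
    Write-Output "Dependencies of $Account on $env:COMPUTERNAME (update these in step with the rotation):"
    $findings | Format-Table -AutoSize
}
```

Run it on every host the account is known or suspected to be used on; anything it finds is a credential the PAM tool must update at the same time as the vault, otherwise the service stops at the next restart.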


You need to decide how far you plan to go with the PAM implementation. Be realistic about where you are today and about the extent to which you can hope to reach zero standing privilege, access approvals (especially out-of-hours) and everything else offered by full-featured PAM products.


Fear not! It’s not all bad – a well-executed PAM project, especially given the maturity of many PAM products and vendors today, will enhance the business’s security posture and in many cases improve the privileged users’ experience whilst also providing all the necessary controls.
