Consider the following when starting your Privileged Access Management (PAM) projects.
Privileged access management (PAM) is a critical component of any comprehensive cyber security strategy. Ensuring privileged credentials are protected from unauthorised access and misuse is essential for preventing data breaches and other security incidents. However, before embarking on a PAM project, there are some key considerations for ensuring its success.
A previous Savanti blog, "When Building a PAM Capability - think product and prepare well", details the key points for building a PAM strategy.
In this blog, we summarise a few key considerations for a successful project:
1. Establish goals and objectives
First, think about what you hope to achieve with the implementation of a PAM solution. Perhaps you want to reduce the risk of data breaches and cyber-attacks, improve compliance, or increase efficiency and productivity.
Document the PAM strategy to gain buy-in from stakeholders, including end-users who may resist a PAM solution due to anticipated friction and change. To alleviate concerns, create a comprehensive vision for how the PAM system works, including how it operates during outages and incidents, so end-users have confidence they can continue supporting their systems. Show end-users you have considered their perspective, rather than simply taking a security-mandate approach.
2. Determine the boundaries and scope for the project phase
Identifying priorities after the initial discovery exercise is crucial to prevent misunderstandings during the project phase. This should align to business priorities and often seeks to reduce risk rapidly. Organisations must agree on a common understanding of what 'privileged' means and what needs protection. Documenting this understanding can drive all plans and controls aimed at reducing privileges and managing them where removal is not possible.
3. Ongoing Reporting and KPIs
You can’t protect what you aren’t aware of, as highlighted in our Data Discovery blog. The same can be said for privileged credentials. A notable challenge for PAM projects is dependency on asset management data, which is often incomplete or held in separate asset repositories, hindering the identification of privileged access.
Develop dynamic reporting to enable regular progress updates and adjustments to the project plan as your understanding of the IT environment evolves. Recognise that project priorities may change as you gain a clearer view of your IT estate and its associated risks.
The PAM service should provide KPI reporting and telemetry which show the health of the PAM service itself and the privileged access ‘health’ in the wider estate as privileged use-cases are discovered and managed. Ongoing reporting and KPIs provide assurance that the PAM project aligns with security strategy and wider organisational goals.
4. Identify technical capabilities
What PAM capabilities and technical features do you need, now and further along your roadmap? Examples include just-in-time provisioning, access for third parties, endpoint privilege management or integration with other security systems. Identifying and managing privileges in cloud environments requires a new and different set of capabilities which should not be overlooked. Capture user requirements that are easily understood by the development team and can be thoroughly tested.
5. Develop an implementation plan
Delivering a PAM solution is a complex and time-consuming process requiring careful planning and coordination. It is important to develop a comprehensive implementation plan that includes timelines, milestones and roles & responsibilities for all stakeholders involved in the project. The plan should consider audit points and other committed deadlines and include detailed testing and validation phases to verify the PAM solution is working as intended. Regularly reassess to ensure the PAM service is being designed to meet business and IT needs.
6. Provide training and support for end-users
Provide end-user training and support for effective use of the implemented PAM solution. End-users should be educated on the importance of PAM and given ongoing support through live training sessions, documentation, FAQs and online training. Self-help resources can allow end-users to resolve issues independently, and user feedback channels help identify any friction points to aid in the continual improvement of the service.
In summary, some key points to consider for a successful PAM project:
- Establish a shared vision and purpose and address concerns about changes in ways of working.
- Define scope and priorities for each project phase, e.g. reduce risk, improve operational efficiency or address a compliance requirement.
- Report on project progress, risk reduction and service health to give confidence in the PAM service and its value to the business.
- Select tools based on control needs rather than vendor offerings. Don't overlook cloud environments which may need a different technical approach.
- Develop a comprehensive implementation plan, but regularly reassess and be prepared to adapt to changing business needs.
- Support users by promoting self-service resources, and seek and respond to their feedback to make the user experience 'low friction' whilst remaining secure.
PAM is a programme, not just a project – it’s never really ‘finished’. And PAM controls can be used beyond IT infrastructure use-cases: they are increasingly used to protect other high-value privileged activities where sensitive data or financial transactions are at risk.
Savanti’s successful PAM delivery framework allows us to guide customers through decision-making from initial assessment through to solution deployment and then into operations – and beyond with continual improvement and service management.
We'd be happy to support you on your journey. Please get in touch at firstname.lastname@example.org or visit the chat function on our website: www.savanti.co.uk. Connect with us to see how our proven delivery framework can accelerate your privileged access management journey.