Implementing Privileged Access Management (PAM)
Starting with PAM software deployment may seem the quickest way to make progress, but overlooking the right preparation steps may slam on the brakes at the critical point of trying to get privileged access protection in place.
You could be left wondering; “How do I do it?”
Don’t rush to stand up a PAM platform without first considering:
These 3 critical questions are often addressed belatedly, at the point of bringing credentials under management, when timescales have been set and senior stakeholders are expectant, causing delivery compromises that favour speed rather than getting it right (and secure).
To prepare well, the following steps provide a solid foundation for making PAM platform choice and building a product-based deployment strategy.
1. Define your Strategic Outcomes
Defining what you want to achieve may seem blindingly obvious, however, there are wider considerations that need to be agreed at the beginning. For Example; do you want your privileged accounts to conform to the principle of least privilege? Or, do you have expected usage patterns for high-value accounts and what level of monitoring do you want in place to alert on unusual behaviour.
This is a time for decision making to explain what PAM should deliver and to ensure that your business mandate and budget, support your strategic outcomes.
2. Map your Privileged Landscape
Defining privileged access for your organisation, including the account types and credentials you consider to be privileged, will be the first activity in scoping your PAM delivery. The second is using that definition to map out where in your business privileged access exists today.
This identifies the scope of your PAM deployment.
3. Develop a Risk-Based Approach
“I want to protect all my privileged access” is a common starting point for many organisation’s PAM programmes. It's also a quick path to project bloat, where the struggle to try and do too much in a condensed time frame is inevitable.
Assessing where and how you might be vulnerable to a targeted attack and building a risk-based, phased delivery approach, is a better place from which to bring your privileged access under management.
Rooting out bad practice, such as;
...will alert you to the vulnerabilities that attackers will seek to discover during reconnaissance, and then exploit to traverse through your IT infrastructure.
Assigning a level of risk to each vulnerability will allow you to prioritise the PAM features you need to protect your business-critical systems.
4. Think Product and start to plan your PAM capability
Your PAM capability should be considered a product, not simply a system to be deployed as a one-off project. Most PAM platforms present a vast wealth of functionality to solve a wide range of PAM security challenges. Building a roadmap of PAM capability, from the risk profile mapped out, invokes an approach of achieving an initial security baseline followed by a process of refinement that continually improves the maturity of your solution.
PAM doesn’t end when the project ends, it will require continuous care and attention.
5. Create your Target Operating Model
Possibly the most critical aspect of preparing for PAM is defining how the capability will operate within your business. Successful PAM delivery is a business transformation, not a technology project, so a Target Operating Model (TOM) is the centrepiece of business process that makes PAM operational. Accounting for;
The TOM becomes the operational blueprint upon which PAM architectural design and configuration is based.
Savanti has developed a successful PAM Delivery Framework, to help guide customers through the decision making and implementation steps necessary to ensure they get early benefits from their investment.
We'd be happy to support you on your journey, please get in touch info@savanti.co.uk or visit the chat function on our website: www.savanti.co.uk, especially if you’d like us to send you details of our successful PAM Delivery Framework.