Top five tips to implement a successful privileged access management capability
The ever-shifting sands of technology make it difficult to gauge where you should focus your security efforts and budget. But what seems to remain constant is how important it is to control your organisation’s privileged accounts and access, especially those accounts that might give a malicious actor the ‘keys to the kingdom’. According to the Verizon 2021 Data Breach Investigations Report, “61% of breaches involved credentials”.
Privileged Access Management (PAM) should be a critical part of your cybersecurity strategy. Here are our top five tips to ensure a successful PAM initiative.
Tip 1: Understand where the key issues are
Privileged access issues cannot be solved by installing a privileged access management tool alone. Rather than diving straight into purchasing a piece of technology, spend some time upfront to first identify where your high-risk issues are, which may not always be at the technology level. Consider issues that your organisation may have with governance, people and process, and only then technology. More regulators now expect to see privileged access management treated as an integral part of operational processes (particularly within IT) rather than viewed as a separate security function.
Tip 2: Ensure you secure senior management buy-in
This is an age-old critical success factor for any project, but it is particularly important in a privileged access management initiative, because you are likely to meet resistance from systems administrators and privileged users. These users may have become accustomed to using their privileged credentials with no or minimal control. Senior management buy-in and clear top-down messaging will go a long way to ensuring your initiative has the right level of support.
Tip 3: Define what “privileged” means
At first glance, the question of what counts as privileged seems to have an obvious answer. But every organisation has a different definition of what “privileged access” means to them. Take the time to define which access roles or entitlements are considered “privileged access”. This will form the basis of the size and scope of your privileged access initiative.
Tip 4: Start small and take an iterative approach
If your organisation is ready to buy a PAM solution to help control privileged access, it’s tempting to think that this will solve all your problems. Don’t underestimate the organisational impact this will have. Start small by onboarding an initial, limited set of your highest-privileged accounts. Take any learnings from this first iteration and apply them to your next set of in-scope accounts. Create and share your onboarding roadmap to help prepare teams.
Tip 5: Don’t forget about service design and transition
Ensure your initiative includes effort and budget for service design and transition. This includes identifying an appropriate team that will own the PAM solution. Make sure they have the appropriate training, and that maintaining and growing the capability is an explicit part of their job roles. For further tips on implementing sustainable capabilities, see our separate article on that topic.
Service design and transition must involve impacted teams – in most cases this will be IT teams, where there may already be friction with security. A strong security culture and governance, combined with clear service management documentation, will help smooth the introduction of privileged access processes.
At 324 Consultancy, we have worked with clients and helped them assess and implement their privileged access management capabilities. Based on our experience, building these five tips into your privileged access management initiative will give you the best chance of success.