How do I select a PAM solution for my business?

In order for organizations to prevent becoming the next victim of a breach due to unauthorized third-party user access, as has happened in prominent recent breaches, a strong security posture built around privileged access management (PAM) and identity governance and administration (IGA) is critical.

Many companies struggle to implement some of the most basic PAM and IAM practices when managing third-party users, such as immediately deprovisioning users and ensuring rules for managing access (such as not sharing accounts and credentials) are being followed.

To select a suitable PAM solution for your business, you need to think about a variety of factors. We’ve talked to several industry professionals to get their insight on the topic.

Leigh Dastey, CTO, My1Login

PAM is a key component in an organization’s security strategy and protects accounts that, should they be compromised, can inflict the most damage. Here are four considerations when selecting a PAM solution:

Ease of implementation and speed of deployment: There are a litany of examples of technology solutions failing to deliver anticipated benefits because they were not fully implemented, so your chosen PAM solution should easily integrate with the existing technology stack and enable rapid roll-out. SaaS or hybrid PAM solutions can expedite roll-out and time-to-value.

Ease of use: The PAM solution will only deliver ROI if it’s adopted. Difficulty and complexity in use risk the solution being ignored or circumvented. Choose a solution that ensures low friction for privileged users and potentially one that can run in the background.

Ease of integration: The PAM solution should be compatible with all application types, from on-premise Windows desktop to cloud apps. It must integrate and be interoperable with third-party solutions, such as your Access Management and SIEM solution, to maximise your security investments.

Privileged account discovery: The PAM solution should be capable of auto-discovering privileged accounts, ensuring none fly below the radar and present an attack vector.

Ease of implementation, integration, and use, combined with auto-discovery, provide the best opportunity to realise the benefits of your security investment.

David Higgins, technical director, CyberArk

Before choosing a PAM solution for their business, the first question a CISO should ask themselves is what it is that they aim to protect? Adopting PAM is as much about mindset and approach as it is about technology.

Thousands of PAM programme engagements with the world’s largest organizations have cemented our view that the best way to protect the business is first to identify critical data and assets, then assess the paths that an attacker might take to compromise them. This sounds obvious but it is not yet the common practise that it should be.

Privileges identities, credentials, secrets and accounts are found throughout IT infrastructure, whether this be on-premises, multi-cloud or a mix thereof. The ones that allow access to your critical data and assets are what the initial focus should be on. Once these are determined, there are a number of essential features that apply:

• Ease of implementation, ease of use, and ease of integration. The latter is essential. Look for integrations with your existing vendor stack.
• Cloud readiness is key. You are likely going to be moving applications into the cloud. Their privileged access needs to be secured.
• Session management and recording.
• Credential management for humans, applications, servers and machines.
• Audit and reporting features.
• Privileged threat alerting.

Ben King, CSO EMEA, Okta

PAM is a way of governing and controlling users and accounts with elevated access privileges. This is done to protect an organization’s most critical systems and resources, from external and internal threats, by reducing their attack surface.

Like so much organizational change, choosing a PAM solution requires considerable analysis of requirements and definition of why this is important for the organization and what the end goal is.

Three considerations key to the selection process are:

• Know which requirements fall above and below the line. Most customers only use a very small subset of PAM functionality, so leverage the 80/20 rule. Identify the primary use cases for your organization which will deliver the bulk of the value, and hold off on the rest so you don’t try to do too much. Are the requirements compliance driven? Or use case/value driven? How is success measured?
• Ensure resources are in place not just for deployment, but ongoing management. Many PAM deployments fail due to complexity and a lack of internal resourcing to operate a system and required processes after going live.
• PAM is one component of a successful identity and access strategy, so consider integration and consolidation. Does your organization need a discrete PAM solution because it has specialised or complex requirements? Or does consolidation with the identity layer make sense?

David Pignolet, CEO, SecZetta

While being a perimeter-less organization might be advantageous from a business perspective, it increases the complexity of safeguarding an organization from cyber threats.

It’s important for businesses to consider how their PAM solution will work with their employees, but it’s just as important to consider how a chosen PAM solution can apply to workers outside of the organization as well. Especially now, as the number of non-employee workers – from vendors and contractors to non-human entities like bots, IoT devices and RPAs – oftentimes outnumbers the actual, full-time employees within an organization.

Whereas an employee is given certain privileges and access upon employment and has said privileges and accesses altered as he or she advances in his or her position and revoked upon termination of employment, non-employee workers – and moreover non-human workers – will typically have their accounts deactivated upon completion or termination of work.

However, that non-human account’s access privileges are either ignored or left intact. This opens up the organization to potential cyber risks and gives cybercriminals the ability to exploit the orphaned accounts for unauthorized access privileges. Given how different the life cycles of employee and non-employee workers are, organizations will want to ensure that their PAM solutions align with the monitoring and management of those lifecycles.

Yash Prakash, COO, Saviynt

I recommend enterprises take a two-pronged approach to selecting their next PAM solution.

First, buyers should be thinking with the future in mind. We’re seeing rapid changes to IT infrastructure and application portfolios as companies complete digital transformations. Any new solution an organization considers must provide the agility to adapt and cover ongoing enterprise and PAM needs.

Buyers should also keep in mind that critical applications are no longer on-premise, and sensitive data is now in the cloud. So, their next solution needs to focus on privileged access for those cloud applications and take a “no asset left behind” approach towards identity, whether users are human or silicon identities.

Second, buyers should be seeking more value through improved security. The changes to enterprise infrastructure mean they should consider modern ways to secure privileged access — such as breaking away from traditional PAM approaches, including jump boxes and accounts with standing privileges. Instead, they should look towards a cloud-based solution to increase flexibility and deliver higher ROI by reducing infrastructure overhead and upgrade costs.

Modern converged identity solutions that bring IGA and PAM under one roof can provide excellent value while simultaneously improving security across the IT ecosystem.