In our last blog, we introduced and expanded our analysis of how organizations keep their privileged accounts under control. We showed how sensitive these accounts are and the capabilities they may require. Then we introduced leading practices for getting the accounts under control, mainly by executing a sound strategy. Now we will continue the discussion and reveal what the strategy should cover, as well as how to manage its success.
So, where do you start your PAM strategy?
A review of policies and associated controls should be at the top of the agenda. Does the strategy meet the expectations from the business and board level and whoever else may be concerned about financial damages and loss of reputation?
At a minimum, policies should address:
- “Least privilege” principle controls
- Data classification controls to create a model
- Non-repudiation to help create clean audit trails
- Authentication mechanisms commensurate with the level of credential assurance and the criticality of assets
- Controls that define the level of permanent logical access versus temporary logical access
- Rules around “Segregation of Duties” for interactive privileged accounts
You want to clearly identify guidelines and standards that support the access management models rightsized for your organization.
The current state stream of the strategy involves:
- Mapping out the inventory of privileged access
- Mapping out the access relationship of accounts to critical assets and data
- Assessing the current maturity of each capability and process using a Capability Maturity Model Integration (CMMI) appraisal tailored to PAM
- Privileged access should be based on the following principles:
  - Least privilege
  - Data classification
  - Level of credential assurance
Once the current state is completed, the target state model needs to be defined. The differences between the current and target state will serve as inputs to the gap analysis, which will drive the content for the strategic roadmap.
For the definition of the target state, the following should be considered:
- Based on the data classification and level of assurance models defined in the current state stream:
  - Proceed to a data classification analysis supporting the creation of an inventory of critical applications.
  - For each critical application, assess the level of credential assurance for the different account types:
    - Interactive privileged accounts of administrators
    - Power users accessing sensitive functions
    - Shared accounts
    - Hardcoded accounts
    - Application-to-application accounts
- Based on the inventory of privileged access:
  - Evaluate how to reduce your permanent accounts and passwords in favour of the various capabilities offered by a PAM solution, and determine whether single sign-on should be instated
  - Analyze critical applications against the segregation of duties rules to identify conflicts
- Finally, based on the application inventory, assess which interventions on sensitive assets should be recorded, and the recording method.
The strategy also offers an opportunity to define the advanced state of your privileged access security or privileged access intelligence.
For the roadmap, one of the most crucial exercises is to determine the priority of each use case and the equivalent capabilities. By using set formulas, one can evaluate complexity versus values versus qualitative risks.
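As an added illustration of the current-to-target gap analysis and the roadmap prioritization described above (example code written for this edit, not from the original post or from Online Business Systems), the script below checks a constructed privileged-account inventory against an assumed target-state model. The assurance thresholds, segregation-of-duties rules and scoring formula are assumptions chosen for the illustration, not the post's own formulas.

```python
from dataclasses import dataclass

HUMAN_KINDS = ("interactive", "power_user", "shared")  # kinds a person logs in with
RANK = {"low": 0, "medium": 1, "high": 2}              # credential assurance levels
# Assumed segregation-of-duties rule set (illustrative, not from the post).
SOD_CONFLICTS = [frozenset({"approve_payment", "create_vendor"}),
                 frozenset({"deploy_code", "approve_change"})]

@dataclass
class Account:
    name: str
    kind: str            # interactive, power_user, shared, hardcoded, app_to_app
    classification: str  # classification of the asset: public/internal/confidential/critical
    assurance: str       # credential assurance actually in place: low/medium/high
    permanent: bool      # standing access rather than temporary (just-in-time) access
    recorded: bool       # interventions on the asset are recorded
    vaulted: bool        # credential is managed by the PAM vault
    duties: frozenset = frozenset()  # sensitive functions the account can perform

def target_assurance(classification):
    """Assumed target model: assurance commensurate with asset criticality."""
    return {"critical": "high", "confidential": "high", "internal": "medium"}.get(classification, "low")

def gaps(acct):
    """Compare one account against the target state and return the list of gaps."""
    out = []
    if RANK[acct.assurance] < RANK[target_assurance(acct.classification)]:
        out.append("credential assurance below target for asset classification")
    if acct.kind in HUMAN_KINDS and acct.classification in ("critical", "confidential") and acct.permanent:
        out.append("permanent access where temporary access is expected")
    if acct.kind in HUMAN_KINDS and acct.classification == "critical" and not acct.recorded:
        out.append("interventions on critical asset are not recorded")
    if acct.kind in ("shared", "hardcoded") and not acct.vaulted:
        out.append("credential not managed by the PAM vault")
    for pair in SOD_CONFLICTS:
        if pair <= acct.duties:
            out.append("segregation of duties conflict: " + ", ".join(sorted(pair)))
    return out

def priority(gap_count, value, risk, complexity):
    """Illustrative roadmap score (assumed, 1-5 scales): value and risk raise it, complexity lowers it."""
    return round(gap_count * value * risk / complexity, 1)

# Constructed sample inventory, not real accounts or systems.
INVENTORY = [
    Account("dba-admin", "interactive", "critical", "medium", True, False, True,
            frozenset({"approve_payment", "create_vendor"})),
    Account("svc-batch", "hardcoded", "confidential", "high", True, False, False),
    Account("helpdesk", "interactive", "internal", "medium", True, False, False),
]
for acct in INVENTORY:
    print(acct.name, gaps(acct) or "no gaps")
```

Each gap found for an account becomes a candidate use case; feeding the gap count with the asset's value, risk and implementation complexity into the score orders the roadmap.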
Now You’ve Got to Manage it
At this point in the strategy you have defined what you have and what you need to do to ensure your privileged accounts are under control. You now need to make sure that you have solutions in place to support your needs and that you’ve established an effective governance model to manage the program over the long term.
Selecting a PAM: Take the time to create your use cases based on your priorities and perform a bakeoff against the selected PAM products. Too often organizations make quick selections, which can lead to disappointment during deployment. Once again, PAM solutions are extremely complex, so take your time throughout the process.
PAM Governance: An effective and comprehensive strategy will support the establishment of a solid PMO structure/governance model and will amplify the support from executive management. Organizations that implement an IAM governance structure and model can manage the complexity and reduce or eliminate churn (productivity loss), resulting in economies of scale. As a leading practice, organizations implement a centre of excellence, which becomes a core part of the governance structure. An IAM governance model provides a communication vehicle to broadcast strategic messages and reduces the risk of diminished support (and budget) in subsequent phases of the program journey by keeping key stakeholders aligned along the way.
Now that the privileged accounts are under control, the next and final instalment of our blog will address the third part of the roadmap and review the advanced capabilities of Privileged Access Management. We will also introduce the term "Privileged Access Intelligence (PAI)", the advanced phase of the privileged accounts strategic roadmap that allows us to watch the watchers.
To learn more about Online Business Systems’ Risk, Security and Privacy practice click here.