Privileged Access Management & Identity Access Management Integration – A Missed Opportunity
February 2nd, 2016
Most organizations that implement Privileged Access Management (PAM) and Identity and Access Management (IAM) have done them independently but are missing some key values that could come from their integration. Getting control over user access, permissions and rights to address a security, compliance or IT efficiency challenge tends to be the driver in adopting an IAM solution. But IAM solutions only go so far. PAM solutions take security and compliance a step further by helping IT teams get control over privileged users and accounts, and provide granular visibility on how identities are actually being used.
The combination of IAM and PAM solutions can help IT teams achieve true visibility, knowledge, access, and control. Find out how and request a demo now.
Where Identity and Access Management Falls Short
Although a fully implemented IAM solution is a foundational and necessary security control, it is still not sufficient and is missing some capabilities to fully know who has access to what assets. For example:
- Shared accounts are used by many organizations to minimize the administrative burden of privileged account creation and management. Unfortunately, by the inherent design of shared accounts, IAM solutions lack visibility into who has access to these systems and what occurs when those accounts are invoked.
- IAM systems are great at establishing and removing access to accounts, but they lack visibility and reporting when privileged access is performed on applications and databases.
- Since IAM systems manage access to a large variety of different classes of systems, they are limited in how granularly they can define access permissions to an application or even an individual command. This creates the security risk of granting overly broad permissions to a system administrator simply to reach an asset, application, script, or database.
- IAM systems are not designed to actually monitor or control activities against accounts. The ability to audit and monitor the actions of system administrators is a critical security capability required by regulations and reviewed periodically by auditors.
- Due to compliance requirements, many organizations are required to produce complete attestation certificates for both privileged and non-privileged access. Given the lack of visibility into shared privileged accounts, IAM systems cannot actually produce these required complete certificates. The ability to know who has access to what assets and to be able to complete an attestation process is a necessary security and compliance requirement.
What IAM and PAM Can Do Better
When either technology is used standalone, there are also some capabilities that are lacking in both IAM and PAM implementations:
- The account setup for an IAM implementation can be long, expensive and complex. Automating account setup can significantly reduce these issues, and that automation is one of the key benefits of integrating a PAM and an IAM solution.
- Similarly, the on-going management of changes to privileged accounts is tedious and time consuming, and can create a security and compliance issue due to change control. These life-cycle changes (join, move, leave) should be automated by integrating user and role changes from the IAM system into the PAM system.
- IAM systems maintain policies that formally define permissions for users and groups. When these policies are changed for users or groups that have access to privileged accounts, it is important that these changes are automatically implemented in the PAM solution to ensure policy changes are actually enforced. When either tool is used standalone, only half of the process is automated and the other half is generally manual.
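As an added illustration of the join/move/leave synchronization and policy propagation described above (example code written for this article, not any vendor's integration; the role-to-account policy, the identity feed and the PAM state are hypothetical, constructed data), the following reconciles an IAM identity feed against PAM entitlements and produces the per-account attestation view that IAM alone cannot give for shared accounts:

```python
# Added example (not vendor code): reconcile IAM joiner/mover/leaver state into PAM entitlements.
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    user: str
    roles: frozenset
    active: bool = True  # False once IAM disables a leaver

# Hypothetical IAM policy: which privileged (often shared) PAM accounts each role may check out.
ROLE_TO_ACCOUNTS = {
    "dba": {"oracle_sys@db01"},
    "linux_admin": {"root@web01", "root@web02"},
    "helpdesk": set(),
}

def desired_entitlements(identities):
    """Map each active user to the PAM accounts its IAM roles permit; leavers get nothing."""
    desired = {}
    for ident in identities:
        if ident.active:
            desired[ident.user] = set().union(*(ROLE_TO_ACCOUNTS.get(r, set()) for r in ident.roles))
    return desired

def reconcile(identities, pam_state):
    """Diff IAM-derived entitlements against PAM's user->accounts map; return (grants, revokes)."""
    desired = desired_entitlements(identities)
    grants, revokes = [], []
    for user in sorted(set(desired) | set(pam_state)):
        want, have = desired.get(user, set()), pam_state.get(user, set())
        grants += [(user, a) for a in sorted(want - have)]   # joiner, or mover who gained a role
        revokes += [(user, a) for a in sorted(have - want)]  # mover who lost a role, or leaver
    return grants, revokes

def attestation(pam_state):
    """Per privileged account, the named individuals who can use it (the view IAM lacks for shared accounts)."""
    report = {}
    for user, accounts in pam_state.items():
        for account in accounts:
            report.setdefault(account, set()).add(user)
    return {a: sorted(users) for a, users in sorted(report.items())}

# Constructed sample: alice unchanged, bob moved to helpdesk, carol left, dave joined as a DBA;
# PAM_STATE (user -> privileged accounts currently entitled) is the state before reconciliation.
IAM_FEED = [
    Identity("alice", frozenset({"dba"})),
    Identity("bob", frozenset({"helpdesk"})),
    Identity("carol", frozenset({"linux_admin"}), active=False),
    Identity("dave", frozenset({"dba"})),
]
PAM_STATE = {"alice": {"oracle_sys@db01"}, "bob": {"root@web01", "root@web02"}, "carol": {"root@web01"}}
```

Running `reconcile(IAM_FEED, PAM_STATE)` yields one grant for the joiner and three revokes (the mover's old accounts and the leaver's), while `attestation(PAM_STATE)` shows that carol still holds `root@web01` until those revokes are applied.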
How to Do PAM and IAM Right
Organizations can realize the full value of IAM and PAM implementations, strengthen security and meet compliance requirements by selecting solutions that provide a strong level of integration capabilities.
The integration capability should provide the following:
- Simplified IAM setup and on-going management
- Complete visibility of access for both non-privileged and privileged access using PAM
- Full compliance attestation certificates of access regardless of account type
- Consistency of privilege access and elevation with policies in a repeatable automated approach
What to Look for in Your PAM and IAM Solution Providers
As organizations plan to implement IAM and PAM solutions, the following are some recommendations that should be considered:
- Ensure the PAM solution provides at least basic integration capabilities with your IAM solution and vice versa.
- Ensure the PAM vendor's published roadmap provides improvements in IAM integration and supports the latest platforms, from Unix and Linux to Windows and OS X.
- Leverage the integration of PAM and IAM to:
  - Provide a seamless approach to provisioning and privileged access
  - Ensure consistent implementation of access policies
  - Reduce risk
  - Improve compliance and reporting
How does your PAM and IAM deployment stack up? To learn more about how to integrate PAM and IAM deployments, check out the on-demand webinar “The Road to Privileged Access Begins with Identity.”