All journeys begin somewhere. Where and how you start can determine where you end up - safely at your destination or stranded on the wayside. After all, without an established plan or course of action, your journey could lead you astray.
It’s like the great sage Yogi Berra once said, “If you don't know where you’re going, you'll end up someplace else.”
For those embarking on the pathway to privileged access management (PAM) maturity, the course can seem harrowing. But like other excursions, proper planning and navigation can make all the difference.
Even better is when you can follow the path of those who’ve blazed the trail before you. So, what better way to ensure your PAM project doesn’t divert from its proper course than to follow the path our customers have already trod?
During the recent Gartner Identity and Access Management (IAM) Summit, BeyondTrust hosted a panel of customers who’ve been down the PAM path. Our customers – Mike Freeman of Sentara Healthcare, Tyler Mullican of AHS, and Edward Panzeter of Universal Health Services – joined us for the session CISO Perspectives on the PAM Journey.
With the customers at different points in their PAM journeys – from early implementation, to late-stage implementation, to two years in – the panel provided takeaways (both triumphs and pitfalls) to light your path to PAM deployment success.
Through a wide-ranging conversation, our panelists touched on these key milestones you’d be wise to follow as you push to mature your privileged access security controls:
1. Identify the driver. For every new odyssey, there’s a reason it begins. What’s yours? Did you fail a regulatory compliance audit? Do too many of your admins and contractors have excessive privileged access, and with too little oversight? Are your admins sharing the same privileged credentials with one another, and perhaps other people you don’t even know about?
Determine why you need to go down this path and you’re ready to take the next step.
2. Establish the plan. Your map on this endeavor is your project management plan. As with any complex enterprise project, it should be tackled in stages. Perhaps you first need to identify your privileged accounts and secure their passwords. Then you may need to move on to least privilege. From there you may want to integrate it all into your SIEM system to identify privileged access anomalies. Regardless, knowing the steps beforehand can keep you on track.
As Mr. Mullican recommended, “identify milestones and break it out into digestible parts. Manage and track to those milestones.”
And be sure to set expectations up front. As Mr. Freeman advised, “bring the business owners in, understand what processes they use and how to work with them. Understand what management and executives expect. The privileged password management part of the project is a great place to start. It’s a big win. It gets your foot in the door to expand the security discussion.”
Then, plan to move to your next biggest need like, perhaps, privilege escalation.
3. Name the leader. Someone needs to oversee the expedition. Who are your experts who can guide your organization through the implementation process? Identify the owners, whether that is the overall project owner, the technical lead, or another role. You need established people with extensive experience who can dedicate time to the project.
“Involving a seasoned staff member who understands the process and has rapport with the team is huge,” Mr. Freeman stressed.
4. Minimize disruption. Ever been on a long car trip with the family? If so, you know that such treks go better when disturbances are avoided. As with any enterprise project, your PAM implementation should proceed with as little disruption to the business as possible.
“When you’re going in and telling business owners we need to change what you’re doing,” Mr. Mullican explained, “it’s hard for some people. An organization can only take so much change. Make sure the change is very focused.”
It all ties back to having a good project plan in place from the start. “Take it on a group by group basis,” Mr. Mullican recommends. “Get the small wins under your belt and build momentum” to get through the entire project.
5. Create a security culture. If some amount of change is the inevitable result of your journey, why not use those changes to your advantage? Take the opportunity of your PAM project to instill a culture of security at your organization.
“Privileged account management, in itself, isn’t necessarily disruptive to your users,” Mr. Panzeter said. “But organizationally, it can create a whole new way of thinking. It can create a security focused mindset from people who may not traditionally think that way.”
“We were able to move forward by starting with identifying privileged accounts, managing their passwords,” he continued. “Even the most technophobic executive can understand that, if some accounts have rights to a lot of data, and you’re changing the passwords for those accounts every 12 hours or every day, that’s a good thing. It helps him feel comfortable that his data is protected.”
“Recognize how much change you’re pushing into the organization,” Mr. Freeman noted. “Use that to your advantage. By approaching the PAM project in a very structured, systematic way you can further the security culture.”
6. Communicate progress. As you navigate the course of your PAM journey, be sure to communicate progress to everyone you’re taking along for the ride. Keep educating your stakeholders about the overall security initiative and which stage of the project you’re in.
Mr. Panzeter suggests explaining to each group in your organization why you’re taking the company on this PAM odyssey. “Why are we doing this? Regulatory compliance, security, protecting information, protecting the company, protecting employees. And then explain how you are going to do it. We stressed that we weren’t taking anything away from them, just making their workflows more secure.”
And don’t forget to report on your successes and the goals you meet. For Mr. Mullican, this meant keeping executives in the loop. “Identify the correct reports [in the product] and present them to executive leadership. Every report is an opportunity to help executives understand the space we’re in and why PAM is important.”
7. Choose the right PAM vendor. Finally, if you are thinking about embarking on your own PAM journey, be sure you select the right vendor. We’ll let the experts on the panel speak to the benefits of BeyondTrust.
“We’ve had success because BeyondTrust took the lead if we had problems,” Mr. Panzeter explained. “Our account manager or our engineer were on top of it. We get a quick response to support tickets. That keeps us going back and asking - what more can we get out of our solution?”
“BeyondTrust was recommended to us by another one of your customers,” Mr. Freeman said. “All the BeyondTrust customers we spoke to complimented the support and ease of use of the product.”
Ready to take the next step to maturing your privileged access management program? Here are some resources that can help:
2020 Gartner Magic Quadrant for Privileged Access Management (independent vendor/industry analysis)
What is Privilege Management and Where Do You Start? (a vendor-agnostic primer on PAM)
Four Tactics for Protecting Privileged Passwords & Accounts (expert guide)
BeyondTrust PAM solutions (web page)