Most organizations that implement Privileged Access Management (PAM) and Identity and Access Management (IAM) have done them independently but are missing some key values that could come from their integration. Getting control over user access, permissions and rights to address a security, compliance or IT efficiency challenge tends to be the driver in adopting an IAM solution. But IAM solutions only go so far. PAM solutions take security and compliance a step further by helping IT teams get control over privileged users and accounts, and provide granular visibility on how identities are actually being used.
The combination of IAM and PAM solutions can help IT teams achieve true visibility, knowledge, access, and control. Find out how and request a demo now.
Where Identity and Access Management Falls Short
Although a fully implemented IAM solution is a foundational and necessary security control, it is still not sufficient and is missing some capabilities to fully know who has access to what assets. For example:
- Shared accounts are used by many organizations to minimize the administrative burden of privileged account creation and management. Unfortunately, by the inherent design of shared accounts, IAM solutions lack visibility into who has access to these systems and what occurs when those accounts are invoked.
- IAM systems are great at establishing and removing access to accounts, but they lack visibility and reporting when privileged access is performed on applications and databases.
- Since IAM systems manage access to a large variety of different classes of systems, they are limited in how granularly they can define access permissions to an application or even an individual command. This creates a security risk of granting overly broad permissions to a system administrator just so that they can access an asset, application, script, or database.
- IAM systems are not designed to actually monitor or control activities against accounts. The ability to audit and monitor the actions of system administrators is a critical security capability required by regulations and reviewed periodically by auditors.
- Due to compliance requirements, many organizations are required to produce complete attestation certificates for both privileged and non-privileged access. Given the lack of visibility into shared privileged accounts, IAM systems cannot actually produce these required complete certificates. The ability to know who has access to what assets and to be able to complete an attestation process is a necessary security and compliance requirement.
What IAM and PAM Can Do Better
When either technology is used standalone, there are also some capabilities that are lacking in both IAM and PAM implementations:
- The account setup for an IAM implementation can be long, expensive and complex. The use of automation can significantly reduce these issues, and account setup automation is one of the key benefits of integrating a PAM and an IAM solution.
- Similarly, the on-going management of changes to privileged accounts is tedious and time consuming, and it can create a security and compliance issue due to change control. These life-cycle changes (join, move, leave) should be automated by feeding user and role changes from the IAM system into the PAM system.
- IAM systems maintain policies that formally define permissions for users and groups. When these policies are changed for users or groups that have access to privileged accounts, it is important that these changes are automatically implemented in the PAM solution to ensure policy changes are actually enforced. When either tool is used standalone, only half of the process is automated and the other half is generally manual.
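The join/move/leave automation and the attestation gap described above can be made concrete with a small reconciliation routine. The following is an added example written for this page, not code from the author or from any PAM or IAM product; the IAM role snapshots, the role-to-account mapping, the PAM checkout log lines and every function name are constructed for illustration. It diffs two IAM snapshots into the PAM grants that must be added or revoked, builds the per-account attestation view (who can use which shared account), and flags checkouts by people the IAM policy no longer entitles.

```python
"""Added example: reconciling IAM role assignments into PAM entitlements.

All data below is constructed. None of the names refer to a real product API.
"""

# Constructed IAM snapshot before a change: user -> set of roles.
IAM_ROLES_BEFORE = {
    "alice": {"dba"},
    "bob":   {"linux-admin"},
    "carol": {"linux-admin", "dba"},
}

# Constructed IAM snapshot after the change:
#   bob moved to a different role (mover), dave was hired (joiner),
#   carol left the company (leaver, no longer present).
IAM_ROLES_AFTER = {
    "alice": {"dba"},
    "bob":   {"windows-admin"},
    "dave":  {"linux-admin"},
}

# Constructed PAM policy: which role may check out which shared privileged account.
ROLE_TO_ACCOUNTS = {
    "dba":           {"oracle/sys", "oracle/system"},
    "linux-admin":   {"linux/root"},
    "windows-admin": {"windows/Administrator"},
}

# Constructed PAM checkout log: "<timestamp> <user> <account> checkout".
PAM_CHECKOUT_LOG = [
    "2024-01-05T09:12:00Z carol oracle/sys checkout",
    "2024-01-05T10:02:00Z alice oracle/sys checkout",
    "2024-01-05T11:30:00Z dave linux/root checkout",
]


def entitled_accounts(roles_by_user, role_to_accounts):
    """Expand IAM roles into the set of (user, privileged account) entitlements."""
    entitlements = set()
    for user, roles in roles_by_user.items():
        for role in roles:
            for account in role_to_accounts.get(role, ()):
                entitlements.add((user, account))
    return entitlements


def reconcile(before, after, role_to_accounts):
    """Compute the PAM grants to add and revoke so PAM matches the new IAM policy.

    Joiners and movers show up as grants; leavers and movers show up as revokes.
    """
    old = entitled_accounts(before, role_to_accounts)
    new = entitled_accounts(after, role_to_accounts)
    return {"grant": sorted(new - old), "revoke": sorted(old - new)}


def attestation_report(roles_by_user, role_to_accounts):
    """Map each shared privileged account to the named individuals entitled to it.

    This is the per-account view an attestation reviewer needs and that a
    shared account alone cannot provide.
    """
    report = {}
    for user, account in entitled_accounts(roles_by_user, role_to_accounts):
        report.setdefault(account, set()).add(user)
    return {account: sorted(users) for account, users in sorted(report.items())}


def unentitled_checkouts(log_lines, entitlements):
    """Return (timestamp, user, account) for checkouts not backed by IAM policy.

    A hit means PAM access drifted from the IAM source of truth, for example a
    leaver whose PAM grant was never revoked.
    """
    findings = []
    for line in log_lines:
        timestamp, user, account, _action = line.split()
        if (user, account) not in entitlements:
            findings.append((timestamp, user, account))
    return findings


if __name__ == "__main__":
    changes = reconcile(IAM_ROLES_BEFORE, IAM_ROLES_AFTER, ROLE_TO_ACCOUNTS)
    print("grant:", changes["grant"])
    print("revoke:", changes["revoke"])
    print("attestation:", attestation_report(IAM_ROLES_AFTER, ROLE_TO_ACCOUNTS))
    current = entitled_accounts(IAM_ROLES_AFTER, ROLE_TO_ACCOUNTS)
    print("drift:", unentitled_checkouts(PAM_CHECKOUT_LOG, current))
```

Running the file prints the grants for bob's new role and dave's joiner role, the revokes for bob's old role and all of carol's entitlements, the attestation view keyed by shared account, and carol's checkout of oracle/sys as a drift finding because the IAM snapshot no longer entitles her. In a real integration the snapshots would come from the IAM system's change feed and the grants and revokes would be applied through the PAM product's provisioning interface.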
How to Do PAM and IAM Right
Organizations can realize the full value of IAM and PAM implementations and improve security and compliance requirements by selecting solutions that provide a strong level of integration capabilities.
The integration capability should provide the following:
- Simplifies IAM setup and on-going management
- Complete visibility of access for both non-privileged and privileged access using PAM
- Full compliance attestation certificates of access regardless of account type
- Consistency of privilege access and elevation with policies in a repeatable automated approach
What to Look for in Your PAM and IAM Solution Providers
As organizations plan to implement IAM and PAM solutions, the following are some recommendations that should be considered:
- Ensure the PAM solution provides at least basic integration capabilities with your IAM solution and vice versa.
- Ensure the PAM vendor's published roadmap provides improvements in IAM integration and supports the latest platforms, from Unix and Linux to Windows and OS X.
- Leverage the integration of PAM and IAM to:
  - Provide a seamless approach to provisioning and privileged access
  - Ensure consistent implementation of access policies
  - Reduce risk
  - Improve compliance and reporting
How does your PAM and IAM deployment stack up? To learn more about how to integrate PAM and IAM deployments, check out the on-demand webinar “The Road to Privileged Access Begins with Identity.”
Larry Brock, Principal at Brock Cyber Security Consulting
Mr. Brock is the principal at Brock Cyber Security Consulting, LLC. His primary focus is to help companies improve their capabilities to protect, detect and respond to attacks on their intellectual property from both insider and advanced cyber threats. Previously, and for more than 11 years, he was the Global Chief Information Security Officer at DuPont. Prior to this role, he worked in other Information Technology positions, Marketing, and Research & Development at DuPont and as a Security Officer within the USAF. Within DuPont IT, he was the CIO of the Nylon Flooring business unit. He has also led the development and implementation of several large systems, including manufacturing product control, materials management, engineering maintenance, quality management, and data warehouse systems. While working in the Corporate IT group, he led the migration to open-based systems for both networking and computing. In DuPont Research & Development, Mr. Brock led the development and deployment of imaging-based systems, including a patented system to electronically move radiographs between hospitals and remote physicians. He served as an Information Security Officer within the U.S. Air Force and was assigned to the National Security Agency (NSA). He served on active duty at the NSA for 4 years and then in a reserve capacity for 26 years. Mr. Brock has BS and MS degrees in Electrical Engineering and is a Certified Information Security Manager (CISM).