Minimize User Impact When Implementing Privileged Access Management

February 21, 2017

There are two types of people in this world: those who embrace change and its potential benefits, and those who resist change and emphasize its potential negative effects. When operating in the next generation economy, information technology changes made to streamline tasks or improve security can drastically impact productivity. Rarely is the intent to complicate or slow processes down, but even the best of intentions can add extra steps, mouse clicks, or processes in the name of security. If you take a close look at why these changes are necessary, the extra steps benefit the entire environment and should be embraced rather than dismissed as a nuisance.

If you consider the basic security measures we take for granted today, like logging into your computer or even using a key to unlock a door, you recognize that additional steps are necessary to secure an asset and the information it contains. When considering and deploying a privileged access management (PAM) solution, the changes required are analogous to adding a PIN to your phone versus leaving it always unlocked: a simple step that almost everyone can embrace as a worthwhile change for the security it provides in the long run. To that end, PAM has a similar impact within an organization.

What is privileged access management, and how do you minimize resistance?

By definition, PAM is comprised of 4 primary disciplines:
  • Privileged Password and Session Management
  • Privilege Elevation and Delegation Management
  • Active Directory Bridging for Unix, Linux and Mac
  • Privilege Auditing and Reporting
Implementing any of them will bring changes to the environment, users' workflows, and internal processes, and may be met with end user (or administrator) resistance. So how do you adopt the solution and address the concerns of those averse to change?

Appoint an Internal Champion

A key component of any successful project is a trusted advisor or internal evangelist who promotes and champions the project internally. They can train on the benefits, field questions, and help temper any resistance. No one likes changes being forced upon them, but having a well-planned deployment, educating teams on the changes, and soliciting feedback so that teams feel empowered goes a long way toward the success of any project that requires a change. While this may seem rudimentary, it is surprising how often these premises are missed and staff are sent a memo with new procedures and no rhyme or reason given for the new policy and workflow.

Start with a Pilot

Second, start small and test regularly. Any deployment changes that will impact the masses or key trusted individuals need to be introduced methodically. Start small, demonstrate the benefits, and solicit feedback. Many of the changes required for PAM are just a few extra mouse clicks. The security and compliance gained are measurable and should be a part of the education process. For example, the new procedure requires checking out a root password for PCI and SOX compliance using multifactor authentication and a PAM solution. These steps ensure the checkout is done securely and that the session is recorded, both so auditors can see compliance demonstrated and to catch hackers who might try the same thing to infiltrate your environment. That makes the extra steps understandable if the teams have the best interests of the company in mind.

Determine What to Focus on First

Third, and something that many organizations consider the first step, is determining which PAM project to embrace first and which one will be the most successful with minimal resistance. To aid in this process, BeyondTrust has created a reference document called “The 7 Steps to Privileged Access Management”. It helps address the privilege problem by recommending solutions in an order that maximizes success, in minimal time, and ultimately with the least resistance.

Steps to Implementation

Based on these recommendations, the first step in implementing PAM is generally password management. To deploy the solution with minimal friction, consider the most sensitive accounts in your environment, the age of passwords, the difficulty of managing password changes manually, embedded passwords, etc. This leads to implementing privileged password management in the following order:
  1. Domain Administrators or Root on non-Windows assets
  2. Service Accounts
  3. Infrastructure
  4. User Administrator Accounts
  5. Application to Application (API) Coding
As you work down the list, you can anticipate which teams will be the most receptive to the change and which will need more education or more time to implement (i.e. code changes). Operations teams and security analysts will understand why the changes are for the best and can become your advocates if they are introduced into the process first.

For least privilege implementation on Unix, Linux, Windows, and Mac, similar to managing passwords, consider your highest risk users that have administrator accounts. This can be everyone from server admins to helpdesk staff, all the way through to end users that have admin rights or a secondary x-admin account. While removing admin or root rights from servers logically seems like the best first step, it is much easier to do on Unix and Linux than on Windows. This is simply due to the process changes needed on the different platforms in order to be successful. Therefore, for least privilege consider the following order:
  1. Removal of root privileges on Unix and Linux
  2. Removal of secondary administrator or root accounts for all end users
  3. Elimination of needed accounts per department like the helpdesk
  4. Windows Server administrators
The removal of privileges generally meets the highest resistance in any PAM implementation. Team members will try to justify why they still need these privileges and why changing the workflow hurts them. This is where education and feedback are critical for the success of the project, and the workflow must be as close to the current process as possible. Least privilege solutions are designed to do this, but users may not be accustomed to two-factor authentication or to right-clicking on an application, versus double-clicking, in order to accomplish the same administrative task, depending on how the policy is configured. This is where education and trusted advocates help the most.

Consider an FAQ Doc for Teams

Finally, consider a Frequently Asked Questions (FAQ) document for teams impacted by process changes. As simple as it sounds, it can address many of the common questions like:
  • Will I still be able to administer servers while I am working from home or on the road?
  • Will I be able to change the clock or add printers on my laptop?
  • If a program is no longer working, who should I call?
  • Why are you removing my x-admin account?
  • I am a developer. How can I compile code or access test servers?
If you need help with this type of document, BeyondTrust has guides for end users, administrators, and even helpdesk staff. These guides are designed to help create a model for a successful PAM implementation with known best practices from years of experience. For more information on how to get started on your PAM project, and to realize the additional security and compliance that a PAM project can bring to your organization, contact us today.

Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust

Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.
