Privileged Access Management: The Struggle is… Not Real?

Dave Shackleford, SANS Instructor, Founder at Voodoo Security
January 25th, 2018

Privileged access management, or PAM, is a technology that is growing rapidly and increasing in importance to enterprises everywhere. The reasons are obvious – many attacks and malware make use of privileged identities, and insider scenarios with unchecked privileges in play can be devastating as well. Auditors and regulatory compliance bodies are paying much closer attention to privileged accounts in organizations, too, as many IT teams are now being asked to provide comprehensive controls over privileged account access, along with extensive audit trails of privileged user activity.

In my upcoming webinar, “Privilege (and Password!) Management without the Pain”, we’ll get real about the upside to privilege management tools, and work to dispel some of the myths around how challenging they are to install and operate.

All this said, privilege management tools are often cited as one of the thorniest technologies to plan for and implement within enterprise IT environments. One of the reasons for this is the sheer breadth of privileged access seen in the enterprise today. The task of implementing PAM feels daunting, likely because there are so many systems, lots of different accounts, and numerous use cases to consider in looking at how admins get their jobs done.

Sadly, this is a symptom of larger messes – they take more time and effort to clean up. Many newer PAM tools have seriously streamlined discovery processes for privileged access, and have also emphasized deployment processes to speed things up and make the integration of PAM more seamless than ever. Coupled with this, the ease-of-use has long been lacking in PAM products for many years. Some products are complex, with interface design that doesn’t make choosing policies and implementing diverse PAM throughout the IT environment simple or intuitive at all.

This is definitely changing, too. If admins cannot figure out how to use products, let alone maintain them over time, they won’t. And we all know what happens in that case – we go back to the Dark Ages of “root” and “local admin” and who knows what else.

PAM products are also adapting rapidly to new technology stacks that include cloud services, containers, DevOps deployments, development-focused secrets management platforms, and many more. Long gone are the days when PAM is used just for Windows and Unix/Linux… we have way too many tools and technologies today to stop there. Modern enterprises need the full gamut of PAM capabilities – session management, high-availability for the solution itself, application-to-application mapping, strong discovery and account/application detection, and coverage of major operating systems along with newer technology stacks. Enterprise-class vendors will also emphasize usability and interface design, so that admins and security/audit teams won’t need advanced degrees to figure out what they need to do within the product.

2018 is upon us, and it’s time to dispel the myth that “PAM is difficult”. As a core cybersecurity and auditing technology that touches many of your most critical applications, services, and systems, it will understandably take some time to plan and deploy. However, think of the other side of this coin – privileged identities are being compromised and abused at an alarming pace – are you immune to this? Can you afford NOT to look at a solution that can help solve this problem?

In my upcoming webinar, “Privilege (and Password!) Management without the Pain”, we’ll get real about the upside to privilege management tools, and work to dispel some of the myths around how challenging they are to install and operate.

Dave Shackleford, SANS Instructor, Founder at Voodoo Security

Dave Shackleford is the owner and principal consultant of Voodoo Security and a SANS analyst, senior instructor, and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies.