What to look for in a next generation privileged access management solution
- Published: Friday, 23 October 2020 10:07
A security breach of a privileged account is a nightmare that organizations hope they will never need to respond to. Alan Radford explains how next-generation privileged access management (PAM) solutions provide assurance in this area, and what such a solution should include.
Before there were privileged access management (PAM) solutions, privileged accounts were handed out with little regard for who had access, when they had it, and what they did with it. As security breaches rose and compliance regulations were written, it became obvious that manual processes and home-grown approaches to privileged access weren’t enough.
First-generation PAM began with point solutions for password management and delegation, along with tools to unify a UNIX environment. Session-management solutions followed, and eventually analytics capabilities were introduced. These solutions worked, but they were developed by separate companies and each solved a single, specific problem.
They were disjointed, difficult to deploy, and hard to integrate with existing environments and business processes. They also didn’t take into account how admins actually work. Often, first-gen solutions added friction to high-privilege activity, with a corresponding hit to productivity.
From a business perspective, first-gen PAM solutions also could not correlate who was doing what, and how, across different systems. This left unseen gaps in higher-level business compliance rules such as segregation of duties. For example, an end user in accounts receivable should not also be able to access accounts payable; but what about the database admin who has back-end access to both databases?
When a request was made for administrative access to one of those databases, context was usually missing. A request would typically be for ‘adminaccount5’ on ‘server4’, offering no insight into whether granting it was compliant, and it would be approved regardless.
Program versus projects
First-gen solutions took a short-sighted, project-based approach to PAM rather than a holistic, program-based one. Next-gen PAM solutions drastically reduce the disjointedness of multi-vendor point solutions by addressing nearly all PAM needs in one platform. Today it is typical to find next-gen, single-vendor PAM portfolios that cover password management, session management, delegation in heterogeneous environments, analytics, authentication and, the holy grail of PAM, governance.
Each component is part of a unified whole rather than a collection of siloed, and functionally limited, point solutions.
Enter next-gen PAM
Modern next-generation PAM solutions address the entire PAM process, not just individual challenges. They are designed to be operations- and automation-ready, making them easy to deploy and to integrate into any environment and business process. Next-gen PAM solutions support the way admins do their work, provide maximum transparency, and reduce the friction typical of first-generation solutions. They grow with the organization and let it scale and transform the PAM program organically as the environment and business evolve. In a world where my car is a computer with wheels, my pacemaker is a computer with bio-electrical connectivity, and my critical infrastructure is controlled and monitored by IT systems, protecting the privileged accounts that can do the most harm is not optional.
Here are five things to look for in next-gen PAM:
Easy to deploy
Next-gen PAM solutions are easy to deploy, offer a variety of delivery options and require minimal changes to your environment. They must be secure by design and eliminate the deployment challenges of first-gen solutions. Hardened physical and virtual appliances let organizations deploy the solution without the additional overhead of securing it after installation. Think of a black-box flight recorder: if privileged users themselves cannot tamper with it, its assertions about what happened are far more trustworthy.
Security teams must be able to monitor, record and analyse privileged sessions without having to onboard any assets first; this delivers immediate value while other PAM controls are being implemented. In addition, next-gen PAM solutions can be deployed on cloud platforms such as AWS and Azure.
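As an added illustration of the flight-recorder idea above (example code written for this page, not One Identity's product or any specific appliance's internals): one way to make a session log tamper-evident is to hash-chain its records, so that an admin who edits or deletes an earlier event breaks every digest that follows it. The users, hosts and commands are constructed sample data, and the GENESIS anchor, class names and function names are assumptions made for the example.

```python
"""Tamper-evident session recording as a hash chain.

Added illustration for this article, not One Identity code. Each record
stores the SHA-256 of the record before it, so editing or deleting an
earlier event breaks every digest that follows. Events are constructed.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS = "0" * 64  # assumed fixed anchor for the first record's prev_hash


@dataclass(frozen=True)
class SessionRecord:
    seq: int
    user: str
    target: str
    command: str
    prev_hash: str
    digest: str


def record_digest(seq: int, user: str, target: str, command: str, prev_hash: str) -> str:
    """SHA-256 over canonical JSON of every field, including the previous digest."""
    body = json.dumps([seq, user, target, command, prev_hash], separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


class SessionRecorder:
    """Append-only log; in a deployment this lives on the hardened appliance, not the target."""

    def __init__(self) -> None:
        self.records: List[SessionRecord] = []

    def append(self, user: str, target: str, command: str) -> SessionRecord:
        prev = self.records[-1].digest if self.records else GENESIS
        seq = len(self.records)
        rec = SessionRecord(seq, user, target, command, prev,
                            record_digest(seq, user, target, command, prev))
        self.records.append(rec)
        return rec

    def head(self) -> str:
        """Latest digest; storing this outside the admin's reach anchors the chain."""
        return self.records[-1].digest if self.records else GENESIS


def verify_chain(records: List[SessionRecord],
                 expected_head: Optional[str] = None) -> Optional[int]:
    """Index of the first inconsistent record, or None if the chain is intact.

    With expected_head (the digest anchored off-box) supplied, a chain that is
    internally consistent but does not end at that digest (a wholesale rewrite
    or a truncation) is reported as len(records), i.e. just past the end.
    """
    prev = GENESIS
    for i, r in enumerate(records):
        recomputed = record_digest(r.seq, r.user, r.target, r.command, r.prev_hash)
        if r.seq != i or r.prev_hash != prev or r.digest != recomputed:
            return i
        prev = r.digest
    if expected_head is not None and prev != expected_head:
        return len(records)
    return None


def build_sample_session() -> SessionRecorder:
    """Constructed session: three commands by one admin on one host."""
    rec = SessionRecorder()
    rec.append("alice", "server4", "sudo systemctl restart postgresql")
    rec.append("alice", "server4", 'psql -c "ALTER USER app WITH SUPERUSER"')
    rec.append("alice", "server4", "exit")
    return rec


def tamper_edit(records: List[SessionRecord]) -> List[SessionRecord]:
    """Admin rewrites record 1 and recomputes its own digest to hide the change."""
    r = records[1]
    new_cmd = 'psql -c "SELECT 1"'
    forged = SessionRecord(r.seq, r.user, r.target, new_cmd, r.prev_hash,
                           record_digest(r.seq, r.user, r.target, new_cmd, r.prev_hash))
    return records[:1] + [forged] + records[2:]


def tamper_delete(records: List[SessionRecord]) -> List[SessionRecord]:
    """Admin deletes record 1 outright."""
    return records[:1] + records[2:]


def tamper_rewrite_all() -> List[SessionRecord]:
    """Admin rebuilds a clean-looking chain from scratch without the damning command."""
    rec = SessionRecorder()
    rec.append("alice", "server4", "sudo systemctl restart postgresql")
    rec.append("alice", "server4", "exit")
    return rec.records
```

Internal consistency alone is not enough: `tamper_rewrite_all` produces a chain that verifies perfectly on its own, and only comparing its last digest with a head stored where the privileged user cannot reach it (the appliance, or a separate log store) exposes the rewrite. That off-box anchor is the property the hardened appliance is there to provide.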
Transparent and frictionless
Next-gen PAM solutions are unobtrusive and intuitive in order to ensure user acceptance, and they offer a wide variety of ways for people to gain privileged access. With next-gen PAM, users must be able to gain privileged access with the same tools and processes they used before PAM controls were put in place. Good solutions achieve this by being implemented transparently and requiring no changes to the way a user works. Users continue to use familiar tools to do their jobs, and any workflow (e.g. an approval process) is frictionless: approvals are delivered through push notifications to mobile devices, ticketing systems, or whatever workflow process is already in use. With added analytics, organizations obtain risk scoring fed directly into their SIEM, so that security operations can spot incidents earlier while still using their traditional tools.
Operations and automation-ready
A next-gen PAM approach must not require changes to the way the business operates in order to enhance security and add value to existing processes. Organizations must therefore be free to use whatever vendor they choose in adjacent areas where seamless integration is needed, such as DevOps, Identity Governance and Administration (IGA), IT Service Management (ITSM) and Robotic Process Automation (RPA). Look for a solution with an API-first design, so teams can extend or integrate PAM with the tools and processes the business already relies on. All functionality must be exposed through the API, and open-source tools and SDKs must be actively maintained to support integration.
Scale and transform with the business
Next-gen PAM supports hybrid environments and cloud initiatives, with enough flexibility to grow and evolve with the organization’s needs without drastic changes to existing operations and environment, resulting in rapid time to value. A decent next-gen PAM solution is optimized for on-prem, hybrid and cloud environments so that it scales easily, and provides additional functionality through SaaS-delivered identity services such as multifactor authentication, SaaS-app connectivity and governance.
An identity-centred approach to PAM
Today’s environment requires organizations to adopt an identity-centric approach to ensure maximum security control and governance across the entire IAM spectrum, including PAM. It is common practice to give every employee an account in Active Directory. By combining Active Directory bridging with Active Directory security and management solutions, organizations can therefore unify accounts, both standard and privileged, across their most critical systems and infrastructure. This unification brings all resources under one umbrella, ties every account to a single identity and enables just-in-time privilege, putting the organization on the path to true identity-based PAM. With identity unification, organizations can adopt more mature approaches, such as IGA, into their PAM programmes without taking on the overhead of a heavy IGA framework. Once unified, teams can request, grant and certify the entitlements of a user across all resources and all accounts, including privileged ones.
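The request-context problem described earlier (an approval for ‘adminaccount5’ on ‘server4’ with no view of what else the requester already touches) and the identity unification described in this section come together in the following added example, written for this page rather than taken from any product. It resolves the requested account to its owning identity, computes that identity’s effective reach including standing entitlements and any unexpired just-in-time grants, and checks the result against a segregation-of-duties rule before issuing a time-boxed grant. All identities, accounts, hosts, the CORP\ domain, the class and function names and the clock value are constructed for the example; the two resources are the accounts payable and accounts receivable databases from the article’s own scenario.

```python
"""Identity-centred evaluation of a privileged access request.

Added example for this article, not One Identity product code. Identities,
accounts, hosts and the SoD rule are constructed sample data; the two
resources are the AP / AR databases from the article's own example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

AccountKey = Tuple[str, str]  # (account name, host)


@dataclass
class Decision:
    allowed: bool
    identity: str
    effective: FrozenSet[str]         # resources the identity would reach if granted
    violations: List[FrozenSet[str]]  # SoD rules the grant would breach
    expires_at: Optional[datetime]    # JIT expiry when allowed


class AccessBroker:
    def __init__(self, owners: Dict[AccountKey, str],
                 resources: Dict[AccountKey, FrozenSet[str]],
                 entitlements: Dict[str, Set[str]],
                 sod_rules: List[FrozenSet[str]]) -> None:
        self.owners = owners              # account -> owning identity (what AD bridging gives you)
        self.resources = resources        # account -> business data it can reach
        self.entitlements = entitlements  # identity -> standing access via standard accounts
        self.sod_rules = sod_rules        # toxic combinations no one identity may hold
        self.grants: List[Tuple[str, AccountKey, datetime]] = []  # (identity, account, expiry)

    def effective_access(self, identity: str, now: datetime) -> Set[str]:
        """Standing entitlements plus anything an unexpired JIT grant still reaches."""
        held = set(self.entitlements.get(identity, set()))
        for ident, key, expires in self.grants:
            if ident == identity and expires > now:
                held |= self.resources[key]
        return held

    def request(self, account: str, host: str, now: datetime,
                ttl: timedelta = timedelta(hours=1)) -> Decision:
        """Evaluate 'give me <account> on <host>' against the requester's whole identity."""
        key = (account, host)
        identity = self.owners.get(key)
        if identity is None:
            # Nobody is accountable for this account, so it cannot be evaluated: refuse.
            return Decision(False, "<unmapped>", frozenset(), [], None)
        effective = frozenset(self.effective_access(identity, now) | self.resources[key])
        violations = [rule for rule in self.sod_rules if rule <= effective]
        if violations:
            return Decision(False, identity, effective, violations, None)
        expires = now + ttl
        self.grants.append((identity, key, expires))  # time-boxed, just-in-time grant
        return Decision(True, identity, effective, [], expires)


def sample_broker() -> AccessBroker:
    """Constructed inventory: two identities, three privileged accounts, one SoD rule."""
    return AccessBroker(
        owners={("adminaccount5", "server4"): "CORP\\bob",
                ("dba_ro", "server9"): "CORP\\carol",
                ("dbadmin", "server4"): "CORP\\carol"},
        resources={("adminaccount5", "server4"): frozenset({"accounts_payable_db"}),
                   ("dba_ro", "server9"): frozenset({"accounts_receivable_db"}),
                   ("dbadmin", "server4"): frozenset({"accounts_payable_db"})},
        # bob already works in accounts receivable through his standard user account
        entitlements={"CORP\\bob": {"accounts_receivable_db"}, "CORP\\carol": set()},
        sod_rules=[frozenset({"accounts_payable_db", "accounts_receivable_db"})],
    )


T0 = datetime(2020, 10, 23, 10, 7, tzinfo=timezone.utc)  # arbitrary clock for the scenario


def run_scenario() -> List[Decision]:
    """Five requests in order; only the identity view makes the first one a denial."""
    b = sample_broker()
    return [
        b.request("adminaccount5", "server4", T0),                    # bob: AR user asking for AP -> deny
        b.request("dba_ro", "server9", T0),                           # carol: AR only -> allow, JIT 1h
        b.request("dbadmin", "server4", T0 + timedelta(minutes=30)),  # carol: AR grant live + AP -> deny
        b.request("dbadmin", "server4", T0 + timedelta(hours=2)),     # carol: AR grant expired -> allow
        b.request("svc_backup", "server4", T0),                       # no owning identity -> deny
    ]


if __name__ == "__main__":
    for d in run_scenario():
        print(d.identity, "allowed" if d.allowed else "denied", sorted(d.effective), d.violations)
```

The first request is the one the article calls out: on its own, ‘adminaccount5 on server4’ looks routine, but once the account is tied to CORP\bob, who already holds accounts-receivable access through his standard user, the toxic combination is visible and the request is refused. The just-in-time expiry matters for the same reason: carol’s accounts-receivable grant counts against her while it is live and stops counting once it lapses, which is what lets the same account request be denied at one point in time and approved at another.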
When looking for a true next-gen PAM solution, look for a vendor equipped to deliver this identity-centred approach to security, one that gives you the flexibility to keep using whatever technology you use today for existing processes and can add value to those processes without introducing any friction.
To help understand where most PAM solutions are today and where they need to go from here, get your copy of KuppingerCole’s whitepaper, Enhanced Privilege Access Management Solutions.
By asking the right questions, organizations will end up with a next-gen PAM option that not only keeps them and their employees more secure, but also supports business operations and satisfies ever-changing compliance mandates in an organic and profitable manner.
Alan Radford, PAM Field Strategist, One Identity.
Alan is a business technologist with over 10 years’ experience in identity and access management. Having lived and worked in both the UK and Australia, consulting on projects for companies of all sizes across EMEA and Asia Pacific, Alan is an experienced subject matter expert in privileged access management and governance. He has worked with organizations across the globe facing unique challenges in the IAM space, bringing innovation and thought leadership to drive successful IAM strategies.