2020 has been an unusual year, one that has tested traditional best practices, demanded unprecedented agility and highlighted gaps in legacy systems. Record numbers of organizations now have people working remotely, many for the first time, raising security concerns they hadn’t previously considered. The new normal for remote access has made identity and access management a business issue companies can no longer ignore.
Why PAM matters
The 2020 Verizon Data Breach Investigations Report tells us that 78 percent of attacks on web applications involve stolen credentials. Though 70 percent of these breaches are committed by actors from outside an organization, outsiders aren’t the only threat when it comes to stolen credentials. Authorized insiders, through “privilege misuse,” are a key cause of data breaches—illuminating potential dangers within an organization’s own ranks.
It’s imperative organizations have a plan to address both abuse from outsiders and misuse from insiders, and at the core of both problems is how to manage permissions. The current landscape has only accelerated what was an already urgent need for companies to adopt and support a privileged access management (PAM) program.
The fundamental questions to ask
Do you really know who has access to your most important systems and assets? How do you monitor logins across thousands of accounts? How are you protecting your passwords? The reality is that without true visibility, these fundamental questions can’t be answered with confidence.
Firewalls are no longer enough: as more and more applications move to the cloud, it’s time to think beyond your perimeter. A PAM program can introduce key security measures like session isolation, privileged access and account monitoring, and multi-tiered control. Adopting PAM is a business imperative not only for avoiding outcomes such as breaches and audit findings, but for implementing the best practices of a mature security posture.
PAM is a program, not a project, and it’s complex
Organizations motivated to explore PAM solutions because of an audit finding sometimes approach security as a one-and-done project: they check the box and then they check out. But access management is a battle of inches: keeping your company safe means maturing your approaches, applying best practices and tooling innovations to stay one step ahead of evolving threats. The companies that succeed in making PAM an integral part of their business are those that invest in PAM as an ongoing program within a holistic identity and access management (IAM) strategy.
A surprising number of security executives and their teams lack in-depth knowledge and experience with IAM, especially PAM. This means that the leaders entrusted with the success of a PAM program don’t necessarily have the in-house expertise to execute on it.
PAM is complex because it doesn’t just manifest in the silo of IT—it impacts nearly every area of the business, from HR and finance to marketing and software development—and because it requires knowledge of adjacent security areas, such as identity governance and administration (IGA). Consulting outside experts lets leaders understand and integrate the latest technologies and best practices, and gives them a strategic perspective on how to implement systems and processes so they best serve business objectives.
For effective adoption, start with “why”
Many organizations interested in adopting a PAM program want to start with the technology: they see tooling as a way to quickly fix existing problems and prevent new ones. But as with many change programs, success with PAM begins with a change in mindset. Are you ready to review your policies? Are you willing to change your processes and daily behaviors? Do you have the right people on board, and the right buy-in, to implement a PAM program correctly? Companies often talk about the challenges of harnessing people, process, and technology to achieve their desired outcome, but in reality, the key to overcoming PAM adoption challenges is almost always people.
Take, for example, IT staff who complain to management about having to change the way they do things when a new PAM tool is implemented. We’ve found that complaints are often due to a lack of communication in explaining why the change is important—why adopting new procedures will improve their workload or user experience. Similarly, when executives balk at the cost of investing in security programs, their resistance is often due to a lack of understanding of why those programs are necessary—how they align with business objectives, why they reduce risk, and how they increase efficiency.
When you invest time in bringing your teams and leadership on board around a new security mindset, and explain why it’s necessary and how it will help the company achieve its objectives, you’re much more likely to see effective adoption.
Prepare for successful implementation
Unsuccessful PAM adoptions can have a cost beyond the original implementation. The project may suffer delays or cost overruns. You may find yourself compromising on use cases or scoping down business objectives. Valued employees may become frustrated and leave, or you may lose their credibility and influence. We’ve even seen executive sponsors halt PAM projects and vow never to try again. Your organization could even suffer a physical loss.
If you’re considering a PAM solution, make sure you’re set up for success by aligning the tools, teams, and skillsets you need to effectively adopt a new system. This is also a great time to align vendor roadmaps with your own requirements and use cases, and to think about solutions beyond on-premises deployment—for example, whether you need PAM “for the cloud” or “in the cloud.” You’ll also want to look at your overall identity and access management (IAM) strategy and roadmap and understand how PAM fits into the bigger picture.
Before making decisions about PAM initiatives, it’s helpful to consult with a partner you can trust. Understanding your objectives and requirements, and how to realistically map them to the best solution, helps you avoid expensive mistakes. As Gartner has pointed out:
“the challenge exists not in the security of the cloud itself, but in the policies and technologies for security and control of the technology. In nearly all cases, it is the user, not the cloud provider, who fails to manage the controls used to protect an organization’s data. CIOs must change their line of questioning from ‘Is the cloud secure?’ to ‘Am I using the cloud securely?’”
PAM programs with executive support, employee engagement, and a purpose-driven culture are more likely to succeed. Security is a team effort, and both top-down enforcement and bottom-up protest are incompatible with effective adoption. This means building a committed team of stakeholders that knows why it needs a PAM program, how to run it, and how to address future challenges and needs.
If you need help finding the clear strategic approach, executive buy-in, and stakeholder cooperation that will give your organization an adoption advantage, we’re here to help.