Identity and Access Management: It's a program, not a project

March 14, 2017

When considering an Identity and Access Management (IAM) project to address Privileged Account Management (PAM), most companies are reluctant to look beyond their IT stakeholders. For ongoing success, it is important for PAM project sponsors to engage from the outset with business stakeholders who, as owners of their corporate data, must exercise due care by taking reasonable steps to secure critical information. Business leaders must be at the forefront in understanding and supporting security initiatives such as PAM that directly affect business processes and daily activities. Furthermore, organizational change management and experienced project leadership are fundamental components of successful PAM adoption and cyber risk reduction.

Last year, Integral Partners worked with a healthcare organization to assist an in-progress CyberArk implementation project to address compliance with the Sarbanes-Oxley (SOX) Act; all elevated access by privileged accounts needed to be audited. The project team had set an ambitious goal of passing an internal SOX audit to demonstrate success to the senior management team that had sponsored and funded the project.

The project had been under way for six months when the organization contacted us for consultative advice, and it quickly became clear that the project was struggling. The senior leadership team had assigned the project to their security team, viewing it as a technology project. With the executive mandate in place, the security team ambitiously started deploying the CyberArk solution to approximately 10,000 UNIX servers.

The client’s initial project team consisted solely of senior UNIX administrators, with no representation from business users, database administrators, or other departments. The primary concern of the UNIX administrators was that deploying CyberArk meant significant changes to the workflow for requesting and accessing privileged accounts on UNIX. The UNIX administrators also worried about changes to thousands of scripts which ran with privilege in the environment; they were afraid these scripts would break.

Unfortunately, the original security team had not realized the scope of the project they had launched, and the project manager they assigned had no background in IAM programs. The project manager had not been given enough time to develop a communications plan or to identify additional stakeholders to participate in the project. As a result, changes reached end users by word of mouth. Those end users became upset at the prospect of having to access privileged accounts through a new method and escalated to their managers to protest the change. This left the project manager and the PAM project continuously under fire from internal staff, which created substantial project delays and inefficiencies.

Our solution was to pause the project to redefine the scope of sensitive data and privileged user accounts, which had previously been ad hoc definitions. We invited end users, administrators, and database users who had not been included in the project to participate as stakeholders. We provided a communications plan and user training, so each community of users would understand why changes were being made and how those changes would affect their workflows and business efficiency.

A cursory analysis showed many UNIX service accounts running with elevated access; that access needed to be logged and controlled to comply with SOX. Script developers and maintainers received tailored training on how to modify their scripts to use CyberArk's solution for auditing and running privileged commands on UNIX.
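Scoping the privileged accounts that a PAM rollout must onboard starts with an inventory of who already holds root-equivalent access, which is the kind of analysis the paragraph above describes. The following Python is an added example, not code from the post, from Integral Partners or from CyberArk: it parses constructed `/etc/passwd` and `/etc/sudoers` samples and reports every account with UID 0 or a sudo rule, so an audit team can see which service accounts need their access logged and controlled before scripts are migrated. The sample entries, the account names and the rule format handled (plain user and group specifications only, no aliases) are all assumptions made for the example.

```python
import re

# Constructed sample /etc/passwd content; not data from any real engagement.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backupsvc:x:0:0:legacy backup job:/var/backup:/bin/sh
appsvc:x:1001:1001:app service:/opt/app:/bin/sh
jdoe:x:1002:1002:Jane Doe:/home/jdoe:/bin/bash
reportsvc:x:1003:1003:nightly reports:/opt/reports:/usr/sbin/nologin
"""

# Constructed sample /etc/sudoers content (user specifications only).
SAMPLE_SUDOERS = """\
# Defaults
Defaults env_reset
root      ALL=(ALL:ALL) ALL
appsvc    ALL=(ALL) NOPASSWD: ALL
reportsvc ALL=(oracle) NOPASSWD: /opt/reports/run.sh
%wheel    ALL=(ALL) ALL
"""


def parse_passwd(text):
    """Map user name -> numeric UID from /etc/passwd-format text."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry; skip rather than guess
        accounts[fields[0]] = int(fields[2])
    return accounts


# Matches a sudoers user specification such as:
#   appsvc  ALL=(ALL) NOPASSWD: ALL
# Aliases (User_Alias, Cmnd_Alias, ...) and Defaults are out of scope here.
SUDO_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return one dict per user/group specification found in sudoers-format text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDO_RULE.match(line)
        if not m:
            continue
        rules.append({
            "who": m.group("who"),
            "runas": m.group("runas") or "root",   # sudo defaults to root
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "commands": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def privileged_accounts(passwd_text, sudoers_text):
    """Return {user: sorted reasons} for every account holding elevated access.

    Reasons are 'uid=0' for root-equivalent accounts and 'sudo:<cmd>' for each
    sudo rule, with ' NOPASSWD' appended when no password is required.
    """
    reasons = {}
    for user, uid in parse_passwd(passwd_text).items():
        if uid == 0:
            reasons.setdefault(user, set()).add("uid=0")
    for rule in parse_sudoers(sudoers_text):
        if rule["who"].startswith("%"):
            continue  # group rule: resolving members needs /etc/group
        for cmd in rule["commands"]:
            tag = f"sudo:{cmd}" + (" NOPASSWD" if rule["nopasswd"] else "")
            reasons.setdefault(rule["who"], set()).add(tag)
    return {user: sorted(r) for user, r in reasons.items()}


def unresolved_group_specs(sudoers_text):
    """Group specifications that must be expanded against /etc/group separately."""
    return sorted({r["who"] for r in parse_sudoers(sudoers_text) if r["who"].startswith("%")})


if __name__ == "__main__":
    for user, why in privileged_accounts(SAMPLE_PASSWD, SAMPLE_SUDOERS).items():
        print(f"{user:12} {', '.join(why)}")
    print("group specs to expand:", unresolved_group_specs(SAMPLE_SUDOERS))
```

Run against real files by reading `/etc/passwd` and `/etc/sudoers` (plus `/etc/sudoers.d/*`) on each host and merging the results; every account the report lists is a candidate for the PAM scope, and the ones with no password prompt and a broad command list are the ones whose scripts most need the auditing changes the post describes.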

The project succeeded because the business and cross-functional participation enabled everyone to understand the value of the PAM solution and accept the project’s changes to their daily activities. The communications plan and tailored training for the various user communities averted further internal pushback, and the client passed their internal SOX compliance audit. They also added the CyberArk solution to the standard image for new UNIX servers, making them natively compliant with SOX requirements.

Organizations contemplating PAM initiatives should engage their business users, who have an obligation to practice due care in securing their corporate data. Their active participation ensures that project resources are prioritized and aligned from the beginning, and that changes to business activities are addressed early. Companies should plan to dedicate a full-time project manager with a background in cybersecurity or IAM programs to succeed. Finally, organizational change management, including a nuanced communications plan, should be developed and deployed to reduce the risk of end users attempting to maintain the status quo because of their fear of change.