Program driven cybersecurity initiatives
Focus on the long-term value to your organization when planning a cybersecurity initiative
Although Privileged Access Management (PAM) products can be easy to deploy quickly, a recent project with a multinational firm demonstrates the value of organizing a privileged access management program rather than a myopic focus on rapid product deployment. In building a PAM program, organizations provide themselves the opportunity to identify and deploy process optimizations that can provide long-term business benefits.
Recently one of our PAM architects was working with a multinational firm that had struggled with allowing privileged access to their networks for a trusted operations partner. Their partner was responsible for the maintenance and ongoing operations of the client’s on-site servers across the globe. The client had chosen initially to deploy “-A” accounts for their partner’s staff, meaning that each person had two Active Directory accounts:
- An account for normal, day-to-day use
- A privileged account (ending in “-A”) which was intended for administrative operations
An internal audit conducted by the client showed the following risks of the “-A” model:
- There were no separate controls to prevent “-A” accounts from being compromised, such as multifactor authentication
- If the hash of a “-A” account was stolen, there would be an ongoing breach by a privileged user that might not be scrutinized or audited
- User provisioning and de-provisioning was inconsistent, and there were instances where a user’s unprivileged account was de-provisioned yet the “-A” privileged account was left active, typically as it was being used to run scripts or similar applications
Understanding the risk, the client rapidly moved to select a software product for privileged access management, with a mandate of securing access to Active Directory domain administrator and UNIX root accounts. The client could demonstrate the AAA (Authentication, Authorization, and Auditing) solution rapidly.
This is where many organizations would make the mistake of relying on a simple deployment, often with a quick-start provided by the vendor, in the belief that it is just a technology project rather than involving organizational change. We’ve seen this before, and know that this belief and approach leads to disappointment and missed improvement opportunities.
At the direction of our architect, the client instead re-oriented toward developing process flows and lifecycle management for privileged access management by their operations partner. Server and user onboarding and offboarding processes were whiteboarded, discussed, and internally publicized prior to acquiring a software solution. The client recognized these critical business processes were independent of the selected product, and that understanding and optimizing how internal users and operations partners gained privileged access in their global network environment would provide long-term business benefits.
The client only moved forward on the software purchase once most of their key operations were documented and agreed to by all stakeholders. This resulted in a faster implementation cycle, as organizations who neglect process definition often find most of their time is spent trying to reverse-engineer existing provisioning processes while under the harsh spotlight of an active technology project.
The modified processes also allowed for better organizational change management and internal proactive marketing to departments and operations partners who might have otherwise pushed back against the changes. The client learned that having taken a program approach – with clearly defined requirements, inputs, expectations, and outputs – allowed them to rapidly onboard third-parties, when it previously had been a bespoke process for each third-party access. Finally, this well-thought-out program allowed them to better discuss and manage third-party risk at their Board level, which is too often neglected or solely addressed in contracts but not in practice.
Prior to deploying any new PAM solution, we encourage customers to consider these three questions:
- Does my organization have clearly defined processes for provisioning and de-provisioning users and groups, and clearly defined and understood controls for defining, approving and granting privileged access throughout my organization?
- Which business users and third-parties will be affected by the proposed deployment of this solution, and what pain points will they cite as a reason to be exempt from the solution?
- If the PAM technology vendor were to become insolvent in five years, would my organization have sufficient knowledge and documentation to migrate to a different technology even if there is no ‘migration utility’ from the new vendor?
Integral Partners helps companies with these questions and more every day as we build proactive privileged access management programs. Follow us on Twitter, LinkedIn, our blog for recommendations, or contact us for personalized guidance and recommendations.