One of the most challenging parts of adopting a privileged account management (PAM) solution is the change it requires of people and teams.
When adopting PAM, security teams must often get out of their comfort zone to build relationships of trust with infrastructure, application, cloud, and database teams so they can implement proper security controls for privileged access.
Below are some of the challenges we’ve seen regarding PAM adoption, and suggestions for overcoming them.
Teams misunderstand how PAM will impact day-to-day work
When a security control will change the daily work of infrastructure and operations teams, security and IAM teams are often hesitant to engage those teams directly. We’ve found that the most successful PAM implementations include a healthy dose of meetings with management, teams, and individuals to explain how PAM will change their day-to-day work.
Sometimes the hesitation is due to a lack of understanding on the part of the security/IAM team, but it can also come from well-earned battle scars created during past experiences.
Regardless of the cause, don’t avoid engaging directly with the impacted teams. Clearly explain the what, why, and how of the PAM controls you are implementing, covering the downsides as well as the benefits.
Discovering accounts with elevated privileges can be a challenge
PAM vendors provide scanning and discovery tools that may seem like a simple fix for finding privileged assets and accounts. Don’t fall for this trap! Vendor scanning and discovery tools can help, but they won’t do the thinking for you.
Start with what you already know. Most security teams keep asset inventories, and these are the natural starting point. Full-environment scans tend to overwhelm IAM teams, who then have to identify large numbers of unknown assets before they can onboard anything. Set up targeted scans of known assets and work to onboard them. Remember that automation is a process of centralizing, then standardizing, and only then automating. Implementing PAM is no different.
Previous failed attempts at implementing PAM poison the well for the rest of the organization
It’s important that the first PAM adopters in an organization have a great experience. PAM implementations often span years while organizations and assets are onboarded. Having a poor initial experience with a solution will make things much more difficult than they have to be going forward.
Before implementation, take the time to plan the changes. Overcommunicate. Tell people what you’re going to tell them, tell them, then tell them what you told them. Meet with impacted teams frequently. Start with smaller teams you already have a trust relationship with, then expand to larger, more complicated organizations. Start with better-supported assets, like Windows operating systems or Active Directory. Leave the more difficult ones, like network devices, databases, and service accounts, until you’re comfortable with the process.
The specific language and concepts of PAM can create communication gaps between IAM teams and the rest of the business
IAM teams tend to develop a specialized vocabulary in which terms have overlapping or easily confused meanings. Take the time to simplify the terms you use so that anyone can follow the message.
Terms like identity, account, credential, management, human and non-human accounts, vaulting etc. may need to be simplified, carefully explained, or adapted to the audience to ensure there is full comprehension. Don’t assume anything. Experienced technical people can be hesitant to reveal what they don’t know. Avoid putting them in that position if you can.
Cooperation from disparate IT and engineering teams to onboard their privileged accounts
An approach that works for one team may not work for another, and IT and engineering teams each tend to present their own set of challenges.
Implementing PAM often requires resources from various IT teams – including directory, server, network, and infrastructure. Well configured PAM solutions often depend heavily on directory services for role-based access controls. Onboarding new servers to a PAM solution often requires process changes for the server build team. Working with each of these teams in a carefully orchestrated way builds credibility for you and minimizes the friction that change can cause.
Lack of standard naming patterns for privileged human and non-human accounts
Implementing PAM often exposes inconsistencies in account naming patterns, which create additional operational overhead for PAM programs. Building a trusted relationship with the directory and server teams can open the door to eventually automating privileged account onboarding for human and non-human accounts alike.
The use of a separate admin account for human privileged activities is not fully deployed
Many organizations have adopted a model that uses a separate account for privileged tasks. These types of accounts are named differently across organizations, but may be referred to as “secondary admin”, “adm”, “dash a”, or “underscore adm” accounts.
Implementing PAM often exposes inconsistencies in the adoption of secondary privileged accounts, which add operational overhead during rollout. Be prepared to slow PAM adoption to address these issues as they surface. Carefully explaining their impact to your executive team and other stakeholders will help you build trust.
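The two gaps described in the last two sections, inconsistent naming and an incompletely deployed secondary admin model, can be measured before onboarding rather than discovered during it. The following Python script is an added illustration, not part of the original post or of any vendor tool: it audits an AD-style account export for privileged accounts whose names fit no agreed pattern, secondary admin accounts whose primary owner cannot be found, and people who hold privileged group membership on their primary account. The naming patterns, the privileged group names, the use of employeeID to mark human primary accounts, and the sample rows are all constructed assumptions for the example.

```python
"""
Audit a flattened AD account export for PAM onboarding blockers.

Everything below is constructed for illustration: the CSV rows are not
real data, the naming conventions are hypothetical, and the assumption
that only human primary accounts carry an employeeID is an assumption
your own directory may not share.
"""
import csv
import io
import re

# Constructed export of the shape a "Get-ADUser -Properties memberOf,employeeID"
# run would produce once flattened to CSV (memberOf joined with ';').
SAMPLE_EXPORT = """\
sAMAccountName,employeeID,memberOf
jdoe,1001,Domain Users
jdoe-a,,Domain Users;Server Admins
asmith,1002,Domain Users;Domain Admins
bwong,1003,Domain Users
adm_bwong,,SQL Admins
clee.adm,,Server Admins
dkim_admin,,Server Admins
svc_backup,,Server Admins
backup_sa,,SQL Admins
efox,1004,Domain Users
"""

# Hypothetical secondary-admin naming conventions ("dash a", "underscore adm",
# "dot adm"). Each pattern captures the primary account it maps back to.
ADMIN_PATTERNS = [
    re.compile(r"^(?P<primary>[a-z][a-z0-9]+)-a$"),     # jdoe-a
    re.compile(r"^adm_(?P<primary>[a-z][a-z0-9]+)$"),   # adm_jdoe
    re.compile(r"^(?P<primary>[a-z][a-z0-9]+)\.adm$"),  # jdoe.adm
]
# Hypothetical non-human (service account) convention.
SERVICE_PATTERN = re.compile(r"^svc_[a-z0-9_]+$")
# Groups whose membership we treat as privileged (constructed list).
PRIVILEGED_GROUPS = frozenset({"Domain Admins", "Server Admins", "SQL Admins"})


def load_accounts(export_text):
    """Parse the CSV export into {sam: {"employee_id": str|None, "groups": set}}."""
    accounts = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        sam = row["sAMAccountName"].strip().lower()
        groups = {g.strip() for g in row["memberOf"].split(";") if g.strip()}
        accounts[sam] = {
            "employee_id": row["employeeID"].strip() or None,
            "groups": groups,
        }
    return accounts


def classify_name(sam):
    """Return ("admin", primary_sam), ("service", None) or ("primary", None)."""
    for pattern in ADMIN_PATTERNS:
        match = pattern.match(sam)
        if match:
            return "admin", match.group("primary")
    if SERVICE_PATTERN.match(sam):
        return "service", None
    return "primary", None


def audit(accounts):
    """Bucket accounts into the onboarding blockers a PAM program must resolve."""
    findings = {
        "privileged_primary": [],  # human primary account holding privileged groups
        "nonstandard_name": [],    # privileged, but matches no admin/service pattern
        "orphan_admin": [],        # admin-pattern account with no matching primary
        "compliant_admin": [],     # admin-pattern account linked to a real person
    }
    for sam, attrs in sorted(accounts.items()):
        privileged = bool(attrs["groups"] & PRIVILEGED_GROUPS)
        kind, primary = classify_name(sam)
        if kind == "admin":
            owner = accounts.get(primary)
            if owner is None or owner["employee_id"] is None:
                findings["orphan_admin"].append(sam)
            else:
                findings["compliant_admin"].append(sam)
        elif privileged and attrs["employee_id"] is not None:
            findings["privileged_primary"].append(sam)
        elif privileged and kind == "primary":
            findings["nonstandard_name"].append(sam)
        # Standard-named service accounts and unprivileged primaries need no action.
    return findings


if __name__ == "__main__":
    for bucket, names in audit(load_accounts(SAMPLE_EXPORT)).items():
        print(f"{bucket:20s} {', '.join(names) or '-'}")
```

Run against a real export, the "privileged_primary" and "orphan_admin" buckets are the conversations to have with the directory team before onboarding starts, and "nonstandard_name" is the list that will otherwise surface one ticket at a time during rollout.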
How does Integral Partners help organizations implement PAM effectively?
We developed a process for onboarding teams that is very effective. We evaluate each team’s entire privileged access ecosystem including human accounts, non-human accounts, servers, devices, and applications. Based on the assessment, we develop a strategy for integrating the various technologies, identifying the credential management approach, and then we onboard the team’s privileged accounts and access to completion. We then transition the team’s future onboarding needs to an operations team.
Some of the solutions we implement include:
- BeyondTrust Password Safe and Password Safe Cloud
- CyberArk Core PAS and CyberArk Privilege Cloud for managing privileged accounts and monitoring privileged activities on servers, devices, and applications
- BeyondTrust Privilege Manager and CyberArk EPM for managing Windows and Mac least privilege on workstation endpoints and servers
- BeyondTrust AD Bridge for centralizing privileged access (and all access) in Active Directory
- BeyondTrust Privileged Remote Access for managing vendor privileged access
Our process includes:
- Education through training and knowledge transfer: We work with individuals and teams to help them understand the impact of adopting privilege management solutions which helps mitigate the fear of adoption.
- Documentation: We provide world-class documentation in a train-the-trainer approach that helps IAM teams learn to perform onboarding and handle ongoing operations on their own.
- Best practices: We develop and convey best practices based on real-world experience implementing PAM at many clients.
- Development of PAM workflows: We apply a “just enough” approach to PAM with the appropriate workflows and processes that helps reduce productivity impact and eases adoption.
We focus exclusively on IAM. It’s all we do. We can deliver the results you need, on time and in budget. You get high-touch guidance, quick answers, and access to our deep base of expertise.
- We’re trusted partners of all leading vendors, but tool-agnostic
- We have over 20 years of experience with IAM and PAM
- We can help at every stage: strategy, evaluation, purchase, implementation, and support
Want to learn more? Schedule a quick conversation with one of our IAM experts. They can answer your initial PAM questions or help with other IAM-related issues.