Modernise your Privileged Access Security

May 22, 2019

Privileged Access Security, often referred to as Privileged Access (or Account) Management, and abbreviated as PAS or PAM, can be defined as:

The principle of securing credentials deemed as critical to ongoing operations and used to access corporate IT resources, which carry risk profiles warranting the application of security controls in order to minimise the threat of disruption or theft of critical data.

In this regard, Privileged Access Security should not be viewed primarily as the implementation of a PAS or PAM technology augmented (or integrated) with other third-party security mechanisms and platforms. PAS should instead be viewed, and adopted, as an ongoing service which provides increased security assurance in addition to business gains and efficiencies.

Key to providing an effective service is understanding the policies, processes, requirements and governance needed to ensure that the organisation – with its inherent security culture and structure – can effectively deliver and support the service.

Of equal importance is meeting the needs and expectations of the stakeholders who use and rely upon the service, such as system administrators, application developers, security operations and governance-risk-compliance teams. Both internal stakeholders (employees, management) and external stakeholders (business partners, clients, third-party suppliers) should be considered when assessing stakeholder needs and expectations.

Hence, when assessing an approach to modernise your PAS service, it is best to avoid the temptation of focusing immediately on the latest technology, features and tools available on the market. Instead, start with a pragmatic review (or current-state analysis) of the organisation’s policies and processes as well as its inherent security culture and structure, followed by defining the goals (or future state) for the service.

This approach will allow you to effectively identify the changes needed (or gaps to be filled) to evolve the service to the desired future state, which delivers increased security assurance as well as business gains and efficiencies.

When viewing Privileged Access Security as primarily a service, what do you need to consider in order to modernise it?

To modernise your PAS and ensure it delivers on the business goals defined for the service, five key areas need to be assessed.

1. Policies
Have the classifications or types of privileged accounts been clearly defined for the use cases in play? Are the permitted and prohibited account types clearly defined and referenced in privileged access policy statements?

Has privileged access policy been adequately defined with respect to controls applied to both internal users and external users?

Does the privileged access security policy adequately reference controls and best practices from standard bodies, analysts, leading vendors and industry peers?

2. Processes
Is the process for analysing, updating and optimising privileged data, policies, processes and requirements sufficient? Does the process provide an accurate view of privileged access, as well as maximum security assurance and measurable business gains for the organisation?

Has the PAS/PAM solution been optimally designed? Does it reference design frameworks, principles and standards to support the future business goals and strategy of the organisation?

Are the processes and tools used to monitor, audit and report on privileged access adequately providing management teams, security operations teams and governance-risk-compliance teams with the right level of insight? Do the current policies, processes and systems used for controlling privileged access deliver the required levels of security assurance and compliance?

3. Requirements
Have requirements been fully defined? Have policies, processes and governance been correctly formulated to deliver on and support the requirements?

Which requirements are not being optimally supported by the current PAS/PAM solution in place or by other controls and processes?

4. Culture
Is the security culture of the organisation conducive to successful and ongoing modernisation of PAS? Which approaches, methods or tactics would accelerate and galvanise the understanding of its importance?

Does the organisational structure enable or impede effective modernisation of PAS? What changes can be made to enable it, whilst avoiding negative impact on other areas of business operations?

5. Governance
Has a risk model been determined for privileged accounts in use? For users/user groups that require privileged access? For corporate IT resources accessed via privileged accounts?

Do the current processes and tools efficiently and reliably track privileged users who join the organisation, change roles or leave the organisation? Can you say with confidence that only the required level of privileged access (entitlements or permissions) is granted, in line with the user’s actual role or employment status?

Are approval levels and workflows sufficiently defined to ensure that privileged access to critical data, information and systems is enforced, monitored and audited?

By carefully analysing how these five key areas apply to your organisation, and answering the questions around them, modernising your PAS to a future state that supports the organisation’s key goals and strategy comes clearly into view.

Armed with this insight and intelligence, you are then able to objectively look at the technologies and tools available on the market, hold meaningful, productive discussions and POCs with vendors, and ultimately arrive at a decision which applies best to your organisation’s unique setup and business objectives.

Maximise the value of your identity programme and streamline operations in your business. Download our Identity Maturity Assessment to learn more. 
By: Paul Prevatt

Senior Professional Services Consultant
