Modernise your Privileged Access Security Home Insights Blog Modernise your Privileged Access Security May 22, 2019 Modernise your Privileged Access Security Privileged Access Security, often referred to as Privileged Access (or Account) Management, and abbreviated as PAS or PAM, can be defined as: The principle of securing credentials deemed as critical to ongoing operations and used to access corporate IT resources, which carry risk profiles warranting the application of security controls in order to minimise the threat of disruption or theft of critical data. In this regard, Privileged Access Security should not be viewed mainly as the implementation of a PAS or PAM technology and augmented (or integrated) with other third-party security mechanisms and platforms. PAS should be viewed, and adopted, as an ongoing service which provides increased security assurance in addition to business gains and efficiencies. Key to providing an effective service is understanding the policies, processes, requirements and governance to ensure that the organization – with its inherent security culture and structure – can effectively deliver and support the service. Of equal importance is to meet the needs and expectations of the stakeholders who use and rely upon the service, such as system administrators, application developers, security operations and governance-risk-compliance teams. Both internal stakeholders (employees, management) as well as external stakeholders (business partners, clients, third-party suppliers) should be considered when assessing stakeholder needs and expectations. Hence, when assessing an approach to modernise your PAS service, it is best to avoid the temptation of immediately focusing on the latest technology, features and tools available on the market. Instead, start with a pragmatic review (or current-state analysis) of the organization’s policies and processes as well as its inherent security culture and structure, followed by defining the goals (or future state) for the service. This approach will allow you to effectively identify the changes needed (or gaps to be filled) to evolve the service to the desired future state, which delivers increased security assurance as well as business gains and efficiencies. When viewing Privileged Access Security as primarily a service, what do you need to consider in order to modernise it? To modernise your PAS and ensure it delivers on the business goals defined for the service, five key areas need to be assessed. 1. Policies Have the classifications or types of privileged accounts been clearly defined for the use cases in play? Are types to be permitted and types to be prohibited clearly defined and referenced in privileged access policy statements? Has privileged access policy been adequately defined with respect to controls applied to both internal users and external users? Does the privileged access security policy adequately reference controls and best practices from standard bodies, analysts, leading vendors and industry peers? 2. Processes Is the process for analyzing, updating and optimising privileged data, policies, processes and requirements sufficient? Does the process provide an accurate view of privileged access, as well as maximum security assurance and measureable business gains for the organization? Has the PAS/PAM solution been optimally designed? Does it reference design frameworks, principles and standards to support the future business goals and strategy of the organization? Are the processes and tools used to monitor, audit and report on privileged access adequately providing management teams, security operations teams and governance-risk-compliance teams with the right level of insight? Do the current policies, processes and systems used for controlling privileged access deliver the required levels of security assurance and compliance? 3. Requirements Have requirements been fully defined? Have policies, processes and governance been correctly formulated to deliver on and support the requirements? Which requirements are not being optimally supported by the current PAS/PAM solution in place or by other controls and processes? 4. Culture Is the security culture of the organization conducive to successful and ongoing modernisation of PAS? Which approaches, methods or tactics would accelerate and galvanise the understanding of its importance? Does the organizational structure enable or impede effective modernisation of PAS? What changes can be made to enable it, whilst avoiding negative impact to other areas of business operations? 5. Governance Has a risk model been determined for privileged accounts in use? For users/user groups that require privileged access? For corporate IT resources accessed via privileged accounts? Do the current processes and tools efficiently and reliably track privileged users who join the organization, change roles or leave the organization? Can you say with confidence that only the required level of privileged access (entitlements or permissions) is granted, in line with the user’s actual role or employment status? Are approval levels and workflows sufficiently defined to ensure that privileged access to critical data, information and systems is enforced, monitored and audited? By carefully analyzing how these five key areas apply to your organization, and answering surrounding questions, modernising your PAS to a future state that supports the organization’s key goals and strategy comes clearly into view. Armed with this insight and intelligence, you are then able to objectively look at the technologies and tools available on the market, hold meaningful, productive discussions and POCs with vendors, and ultimately arrive at a decision which applies best to your organization’s unique setup and business objectives. Maximise the value of your identity programme and streamline operations in your business. By: Paul Prevatt Senior Professional Services Consultant Paul is a senior professional services consultant at Optiv, specializing in identity and data protection. He provides consulting, design, implementation, enablement and optimization services to Optiv clients who have already undertaken, or are planning to undertake, digital identity and cybersecurity transformation programs. How Can We Help? Let us know what you need, and we will have an Optiv professional contact you shortly.