The privileged access management (PAM) space covers a lot of ground. The available technology from vendors like BeyondTrust, CyberArk, Thycotic, and StealthBits offer a wide array of tools to lock down privileged accounts. But just having tools isn’t enough—you must also have the right mindset and strategy. The key to success with PAM is treating it like a program.

This Isn’t Traditional IAM

In traditional identity management, an application can be connected for provisioning, or a workflow can be created to manage contractor accounts. Once done, these identity management projects are more or less completed and can be handed over to the operations team to support.

Unlike traditional access management, PAM is more of a living, breathing entity. In traditional IAM, organizations can wait to evaluate new programs for ROI; the decision to add it to the IAM program can be made later on.

On the other hand with PAM, new applications must be added immediately. This causes PAM experts to always be on the lookout for what is new so that it can be pulled into the organizational standards.

How to Treat PAM Like a Program

Define Organizational Priorities

The first step to a PAM program is identifying the organizational priorities. For some organizations, the top priority is to lock down the privileged credentials used in applications. This can get into the actual code of applications which might store hard-coded credentials. With PAM technology these hard coded credentials can be replaced with API calls to PAM software to retrieve credentials when they are needed.

Real-World Example

While working on an identity governance implementation at a major healthcare organization, GCA’s multi-year project came into the purview of their PAM program. What this meant from the service provider perspective was that they changed how we accessed their network.

Prior to the PAM program, our team used a VPN to connect to their network and from there we could launch Remote Desktop (RDP) sessions to perform our work. After the organization implemented BeyondTrust, our workflow changed. Now we logged into BeyondTrust during business hours, and BeyondTrust managed the RDP connections.

This improved the security posture of the organization from a few perspectives:

1. Sessions could be monitored
2. The organization could control when we had access to systems

In this scenario, our identity governance team was on a list of vendors that the PAM team systematically onboarded. They had a process which involved an introduction meeting, a demo, and a discussion on our requirements. Do we need to transfer files to these servers? Which servers do we need access to? What hours do we plan to work? These questions helped their team determine our level of access.