Do’s and Don’ts of Privileged Access Management
December 1, 2021
In my first blog, I shared my thinking on the three most common characteristics influencing the failure of privileged access management (PAM) programs.
Based on my experience working with companies from multiple industries, I’ve developed my top do's and don'ts that in my eyes have made a difference in the success or failure of PAM programs.
The Do’s
| Principle | Example | Rationale |
| Define an insights-based strategy. | Use discovery reports to define the onboarding roadmap. | By making decisions based on factual data, companies will be able to better determine a strategy that produces results, to justify that decision and to help secure buy-in from the key stakeholders. |
| Establish a target operating model early. | Ensure there is a business as usual (BAU) team that can support the PAM solution when rolled out. | Having well-defined processes for the different operations of the PAM solution, early, will allow the relevant teams to be embedded and ensure a smooth transition between project delivery and service management. |
| Enforce policies and controls. | Establish approval processes for high-risk accounts. | Having a PAM solution does not guarantee that an account is protected. Just vaulting an account isn’t enough. A clear mapping between the company’s security policy and the configurations of the associated PAM controls is key to achieving better compliance and reducing risk. There will always be exceptions, but by default, there should be a master policy covering all accounts. |
| Automate everywhere. | Automatically onboard default administrative (break-glass) accounts. | Automation is an essential element to the successful, fast installation and onboarding of a PAM program. Automating onboarding of accounts where clear rules exist would drastically speed up the risk reduction for those accounts. |
The Don’ts
| Principle | Example | Rationale |
| Don't treat PAM as a one-off install. | Ensure continued expansion of the PAM solution scope to cover all privileged accounts. | Having a PAM solution is only useful if privileged accounts are being protected by it and if it includes appropriate controls. Just doing account vaulting or doing only one cycle of onboarding to protect a subset of accounts and leaving the rest in the "wild" will defeat the purpose of the PAM program. |
| Don't ignore people. | Engage with users and stakeholders early. | Engaging with users and key stakeholders early fosters discussion and alignment of the solution to their needs. This also helps manage their expectations regarding requirements. The earlier one addresses objections; the more time is available to overcome them. |
| Don't do vertical onboarding. | Focus on onboarding by platform across your estate. | Onboarding by platform (horizontal onboarding) allows you to remain focused on specific account types, onboard accounts at a wider scale and leverage synergies between different departments. |
| Don't onboard everything in one go. | Define an onboarding strategy by account type, and pilot each stage. | Doing the onboarding in waves (e.g., per account type) and within each wave piloting the onboarding process to a small subset of users, will facilitate a more sustainable onboarding process. It can also avoid risk and provide assurances that for each wave, the controls and configurations made for the onboarded accounts are correct. |
| Don't forget about detection. | Do real-time or batched account discovery. | Real-time or batched account discovery processes will allow the PAM program to discover new accounts, including those that are valid or shadowed. The objective of discovery is clear: Close the loop on unmanaged accounts to further justify the success of the PAM program. |
Following these principles will help achieve more successful projects in both time and cost, reduce risk more significantly and increase the scope of the program.
Exploitation of privileged accounts continues to be the focus of targeted attacks. It is therefore crucial to improve PAM programs, ensure that the appropriate controls are in place and scale them in a timely and efficient manner.
Remember, PAM will be successful only if all privileged accounts are protected. An attacker needs to find just one unprotected account to be successful. The clock is ticking, so do it sooner rather than later!
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this article is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
Copyright © 2021 Accenture. All rights reserved.
