Success Factors of Privileged Access Management
October 15, 2021
Accenture's recent 2021 Cyber Threat Intelligence report covered some of the most well-known recent attack scenarios, describing the methods used by attackers and providing advice to organizations on how to protect against such attacks.
It was still surprising to see in 2021 most attacks using common attack techniques. One could argue they are slightly more sophisticated, but still the underlying technique is well known. In the majority, the focus of these techniques continues to be discovering and exploiting privileged accounts.
So, why do we still fail to protect these accounts?
Over the last few years, I have been looking at this question, as I work with companies to help them recover their failed privileged access management (PAM) programs.
Unfortunately, the context with these companies was varied and made it difficult to extract a single, or even a common set of reasons for the failure of their programs. However, they had some common characteristics that could be influencing factors.
Below are the three characteristics I felt were most common, along with my rationale behind why they are such a negative influence.
| Factor | Examples | Rationale | Consequences |
| Poor governance |
• Lack of well defined PAM principles • Undefined PAM policies and controls • Unclear or undefined KPIs • No governance team |
Understanding of PAM requirements and principles, required policies and controls and metrics that will be used to measure success is key to a successful PAM program. Without these, even if a governance team exists, it will be difficult to control the project. |
• Project does not meet company requirements. • Solution does not implement adequate controls and policies. • Project cost and time overruns due to lack of appropriate monitoring. • Limited or insufficient budget provided for subsequent stages of the program due to lack of clarity on project progress. |
| Inappropriate change management |
• Undocumented changes in business ownership • Nonexistent awareness materials • Insufficient touch points with key stakeholders and teams • Insufficient communication to end users • Inappropriate go-live hyper care |
Although cloud adoption is drastically changing the way privileged accounts are used, humans continue to be among the biggest users of these accounts. It is therefore critical to ensure humans understand what will change, what will be expected of them and who to contact in case of an issue. Documenting business ownership and preparing relevant awareness materials for the different workshops that should be planned for the different stakeholders and for the communications to be sent out to them, is a big influencer in the success of these programs. Finally, before a change is implemented, it is important to engage and train the BAU teams to allow for one to two business weeks of extended hyper care of users during the usual learning curve as well as any stabilization of the solution. |
• Users find workarounds to the solution when they are unhappy or unaware of how to work with it. • Business as usual (BAU) teams are unaware of changes made to the solution due to lack of documentation. • Key stakeholders are negative influencers as they were not aware of project activities and goals. • Negative perception of the solution due to issues found after go-live and delays in addressing them. |
| Lack of onboarding strategy |
• Nonexistent discovery capabilities • No defined process for new account discoveries • Lack of roles and responsibilities assigned to key individuals • No automation implemented for some account types |
You only onboard what you know. Once a discovery process is in place, ideally automated, an onboarding factory should be set up. In essence, this means a process is defined and documented that explains what to do for each account that gets discovered: how to categorize it, to whom it belongs, the controls and policies that by default you would assign to it, etc. It also means that roles and responsibilities are assigned to key individuals for follow-up actions. In some cases, automated rules can be defined that support the automation of that same factory, allowing the company to onboard and manage accounts automatically soon after their discovery. Without these steps in place, the time it takes to onboard new accounts (and therefore help secure the business) is considerably higher and therefore more expensive. |
• Limited number of accounts secured due to limited visibility of existing accounts. • Delayed account onboarding due to lack of clarity on what to do once an account gets discovered. • Delayed account onboarding due to lack of clarity of who is responsible for each task within the process. • Unnecessary delays of account onboarding where rules can be defined for automated onboarding. |
Looking for signs of these characteristics in a PAM program is critical to avoid lack of awareness regarding the objectives, avoid delays in expanding the scope of the PAM solution and ensure that users are engaged, positive and, ultimately, become supporters.
Stay tuned for my next blog post around the do’s and don’ts of implementing a PAM program.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this article is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
Copyright © 2021 Accenture. All rights reserved.
