If you are looking to implement or enhance a Privileged Access Management (PAM) program in your organisation today, you are not alone. Given the types of attacks we see on companies today, if your organisation is not doing this you should be concerned. Given the complexity, large enterprises will bring in consulting and professional services. More and more organisations even decide they do not want to manage this themselves and instead engage a Managed Security Service Provider (MSSP) to set up and run the entire PAM program for them.
I have had the opportunity to be involved with clients and employers in these programs over the years in several capacities. Depending on which MSSP you ask, they will present different methodologies and “best practices” for implementing a PAM solution. When you review their proposals, here are my thoughts on what to ensure is included for success.
A discovery process. This is where all privileged accounts are found and enumerated. Many vendors offer tools that will help automate this process, but no matter what they tell you, there is always a great deal of manual effort required to do this effectively. This is especially true in financial institutions or very large, complex organisations. The tools will help, but don’t underestimate the amount of work, and make sure the MSSP or consulting teams are prepared to do this on your behalf. Be very cautious of anyone trying to ‘scope’ this part of the exercise. Gathering all of these accounts is one of the key factors that will reduce your security exposure, so it is important to take the time and do it correctly.
Next is analysis. All of the discovered accounts are now reviewed. Is the account really required? What is its function? What business requirement does it solve? It is important that the MSSP you choose knows your business requirements in detail, and why they exist. While they may have the expertise, experience and ‘best practice’, your organisation’s reasons for having certain accounts must be factored into this part of the engagement. This is also the point at which it is best to identify accounts that are considered ‘out of scope’.
Once the analysis is complete, it is used as input to the design and architecture. This is where the expertise of the MSSP is of the greatest value. They will understand the vendor solutions they offer, or the ones you have chosen. They can now architect and configure these solutions, and develop the security policies that will govern access to the privileged accounts. If done correctly, this phase involves the client the least. Once completed, the MSSP can present and explain the design, answer any questions and make any adjustments. In some cases, clients don’t actually care to see any results from this phase; a confirmation that it has been completed is sufficient.
The next part is key, as it is the ‘interface’ between the client and the MSSP. Process review and design is where the MSSP’s processes are connected to the client’s processes, any modifications are made, new processes are created where required, and how interactions will occur is agreed upon. I have found that it is very important that the client is directly involved during this phase. If you are the client and you are not involved, or your involvement is minimal, it is important that you call this out. Having these processes aligned and making sense is key to a successful PAM program.
Last is implementation and training. For large enterprises, especially in financial services, this is typically a phased approach involving change, implementation and training for staff and other third-party vendors. I have found that transparent communication is key to this phase being successful.
Methodologies will vary, but as long as the steps above are embedded in whatever methodology is chosen, you should be well on your way. Be cautious if they are not present, or if you feel the MSSP pushes back on including them. If they persist, you may want to find a more understanding provider.