PAM

everyone needs to have it

PAM, you hear about it more and more. Everyone must have it.

I too think that this is true for almost every organization. In these times of low trust (zero trust), working from home, flexible contracts, cloud services and increasingly intelligent automation, you need something that guards your high-risk permissions. What you should not do is buy “PAM” without knowing what your organization really needs. Too often I’ve seen organizations buy expensive PAM products, install them, and only then find out that that’s not the solution to their issue. Once again the old adage applies: “if you automate a problem, you’ll have an automated problem”. The first issue that arises with PAM is the term “PAM” itself. Everyone has a different definition and scope for it. Because this is rarely made explicit, it leads to disappointment and conflict. My article PAM needs PIM helps to reduce this confusion.

PAM is a collection of capabilities that ensure that high-risk permissions are used with care. Therefore, the second important step - after eliminating conceptual confusion and establishing a common language - is a clear risk analysis: what risks does the organization face that are connected to the use of permissions? A good starting point is often to ask the following questions:

  • Who actually wants PAM?
  • Why do those individuals want PAM?

This provides insight into the stakeholders and their motivations. Surprisingly, these questions are not asked in most PAM projects I have experienced. If they are asked, they are asked of the wrong target group: the users of the high-risk accounts, the system administrators. This is precisely the group that generally believes PAM does not benefit them.

Once the true reason for wanting PAM has been uncovered, it is an excellent starting point for setting up the risk analysis. An information-based approach is often a good supporting step here:

  • What information represents risk?
  • What permissions allow this information to be viewed, modified and/or deleted?
  • Who has these permissions?
  • Why do they have these permissions?

This is often a valuable addition to the standard search for all administrator accounts that most PAM projects start with. Not infrequently, the greatest risks do not lie with these administrator accounts but with other accounts that the organization does not even know exist.

And always remember to ask the question, “how much risk can my organization accept?” Not every risk needs to be completely eliminated. For some risks, the cost of mitigation is disproportionate to the cost of living with the risk.

Another pitfall is to try to solve the issues arising from the risk analysis by purchasing a new product. I get it: a new toy always seems more fun than having to play with the old, familiar one. But covering certain situations procedurally and making better use of existing resources often achieves surprising results with a significantly smaller organizational and financial impact than implementing a new PAM product.

Of course, a well-chosen PAM product can - and will - add a lot of value to your organization. But only if the PAM product answers the questions your organization actually has and guards the permissions that pose real risk to you, at a price you are willing to pay for it.

To help you do this, Capitar Security, together with Micro Focus, has developed a checklist that can help you through this first phase of a PAM project: PAM Checklist.

©Steven van der Linden, June 2021