Friday, 4th December 2020

What to look for in a Next-Gen PAM solution

By Alan Radford, PAM Field Strategist, One Identity.

Before there were privileged access management (PAM) solutions, it seemed that everyone was given access to privileged accounts with little regard for who had access, when they had access and what they did with that access. As security breaches started to rise and compliance regulations were written, it was obvious that manual processes and home-grown approaches to privileged access management solutions weren’t enough.

That is because first-gen privileged management started with solutions for password management and delegation along with ways to unify a UNIX environment. Shortly after, session-management solutions were created and eventually analytic capabilities were introduced. And while these solutions worked, they were developed by separate companies and each solution solved a specific problem.

These solutions were disjointed, difficult to deploy and difficult to integrate with existing environments and business processes. They also didn’t take into consideration how admins worked. Often, these first-gen solutions introduced friction to high privilege activity, having a negative impact on productivity as a result.

From a business perspective, first gen pam solutions were also not able to provide correlation between who is doing what and how across different systems. This presented unseen gaps in higher level business compliance rules. For example, an end user in accounts receivable should not be able to also access accounts payable, but what about the database admin who has back end access to both databases?

If a request is made for administrative access to one of those databases context is often missing. Commonly a request will simply be for ‘adminaccount5’ on ‘server4’, offering no insight into whether the request is compliant or not, but resulting in approval regardless.


Program versus projects

First-gen solutions took a short-sighted, project-based approach to PAM vs. a holistic program-based view. Next-gen PAM solutions drastically reduce the disjointedness of multi-vendor point-solutions. They address nearly all PAM needs with one solution. Today, it is typical to find next-gen, single-vendor PAM portfolios that cover password management, session management, delegation in heterogeneous environments, analytics, authentication and – the holy grail of PAM – governance.

Each component is part of a unified whole rather than a collection of siloed, and functionally limited, point solutions.

Enter Next-Gen PAM

Modern next generation PAM solutions address the entire PAM process, not just individual challenges. They are designed to be operations and automation ready making them easy to deploy and to integrate into any environment and business processes. Next-Gen PAM solutions support the way that admins do their work, provide maximum transparency and reduce the friction that is typical of first-generation solutions. They grow with the organisation and enable it to scale and transform the PAM program organically, as the environment and business evolve. In a world where my car is a computer with wheels, my pace maker is a computer with bio-electrical connectivity and my critical infrastructure is controlled and monitored by IT Systems, protecting the privileged accounts that can do most harm is not optional.

Here are five things to look for in next-gen PAM:

Easy to deploy

Next-gen PAM solutions are easy to deploy, offer a variety of delivery options and require minimal changes to your environment. They must be secure by nature and eliminate deployment challenges of first-gen solutions. Hardened physical and virtual appliances enable organisations to deploy the solution without the additional overhead of securing the solution once it is installed. Think in terms of a black box flight recorder, if privileged users themselves cannot tamper with it, then the assertions are more trustworthy.


Security teams must be able to monitor, record and analyse privileged sessions without having to onboard any assets. This enables them to get immediate value as other PAM controls are implemented. In addition, next-gen PAM solutions will be able to be installed in cloud platforms like AWS and Azure.

Transparent and frictionless

Next-gen PAM solutions are unobtrusive and intuitive in order to ensure user acceptance. They also offer a wide variety of ways for people to gain privileged access. With next-gen PAM solutions, users must be able to gain privileged access with the same tools and processes they used before PAM controls were put in place. Good solutions offer a variety of methods to gain privileged access by being implemented transparently and requiring no changes to the way a user works. Users will continue to leverage familiar tools to do their jobs and any workflow (e.g. approval process) is frictionless. This means that approvals are provided through push requests to mobile devices, ticketing systems or any other workflow process already in use. With added analytics, organisations will obtain risk scoring tied directly to their SIEM solutions, so that security operations will spot incidents earlier while still using their traditional tools.

Operations and automation-ready

A next-gen PAM approach must not require changes in the way businesses operate in order to enhance security and add value to the existing process. Therefore organisations must be free to use whatever vendor they choose for other areas where seamless integration is necessary, such as DevOps, Identity Governance and Administration (IGA), IT Service Management (ITSM) and Robotic Process Automation (RPA). Look for a solution with an API-first design, so teams are enabled to extend or integrate PAM to the tools and processes on which businesses already rely. All functionality must be exposed through by API and open source tools and SDKs must be actively maintained to support integration.

Scale and transform with the business

Next-gen PAM supports hybrid environments and cloud initiatives, with flexibility enough to grow and evolve with the organisation’s needs, without making drastic changes to existing operations and environment, resulting in rapid time to value. Decent next-gen PAM solutions will be optimised for on-prem, hybrid and cloud environments in order to scale easily and provide additional functionality through SaaS-delivered identity services, such as multifactor authentication, SaaS-app connectivity and governance.

An identity-centred approach to PAM

Today’s environment requires organisations to adopt an identity-centric approach to ensure maximum security control and governance across the entire IAM spectrum, including PAM. It is common practice for organisations to standardise employees with an account in Active Directory. Therefore, looking for options that combine Active Directory bridging solutions with Active Directory security and management solutions, organisations can unify accounts - both standard and privileged users - across the most critical systems and infrastructure. This unification brings all resources under one umbrella, ties accounts to single identities and enables just-in-time privilege to put the organisation on the path towards true identity-based PAM. With identity unification, organisations can adopt more mature approaches, such as IGA, into their PAM programmes, without taking on the overhead of a heavy IGA framework. Once unified, teams can request, grant and certify the entitlements for a user across all resources and all the accounts, including privileged accounts.

Conclusion

When looking for a true next-gen PAM solution, look for a vendor equipped to achieve this identity-centred approach to security, provides you with the flexibility to use whatever technology you use today for existing processes and can add value to those processes without introducing ay friction.

To help understand where most PAM solutions are today and where they need to go from here, get your copy of KuppingerCole’s whitepaper, Enhanced Privilege Access Management Solutions.

By asking the right questions, organisations will end up with a next-gen PAM option that will not only keep it and its employees more secure, but also support business operations and satisfy ever-changing compliance mandates in an organic and profitable manner.

By Elena Molchanova, Head of Security Awareness Marketing, Kaspersky.
A recent HP panel discussion sought to provide some answers to this question – topics covered includ...
By Mike Kiser, senior identity strategist, SailPoint.
You may be surprised to learn that one of the first computer viruses to bring millions of computers...
By Salvatore Sinno, Chief Security Architect and Director of Cybersecurity Innovation, Unisys.
How IT managers protect corporate networks from targeted attacks By Chris Connell, Deputy Vice Pre...
Why business decision makers should expand their network security strategy, By Chris Connell, Deput...