Why do PAM projects fail? Tales from the trenches

(Image credit: 8MAN)

Privileged accounts hold the keys to highly sensitive company information, and once these credentials are targeted they can easily lead to a breach of a company’s most valuable assets, from databases to social media and unstructured data. Most enterprises have implemented some form of Privileged Access Management (PAM), but many find these initiatives fail to live up to expectations. Below are some common reasons why a PAM project might fail to meet its initial expectations, coupled with practical insights on how to prevent it from becoming a dud.

1) Incorrect focus during the scoping phase

During PAM project initiation, the must-have business requirements tend to be overlooked in favour of technical feature sets that are merely nice-to-have. Some features might initially look attractive even though they do not necessarily introduce additional business value. For instance, agent-based installations might seem to offer a greater level of forensic insight and control because they can operate at a lower level than agentless PAM solutions. At the same time, these systems might not be able to cope with an extended scope (such as network devices), agents are costly to maintain, and they create additional network traffic. Agents also potentially store sensitive information on the very endpoints you want to protect. Finally, agents are easier for privileged users to bypass, and they introduce delays in the implementation process.

Though it may sound obvious, organisations are encouraged to focus on the goals of the business. Prioritise the business goals ahead of technical feature sets, and think about what the optimal result of the PAM programme is from both a technical and a user perspective. Make sure the organisation will be protected externally as well as from insider threats – and don’t forget those perpetrators who steal, misuse or abuse insider accounts to facilitate a data breach.

Consider the users, who will include:

  • Administrators – who will need to manage the system every day; are these administrators external workers from a managed service provider or vendor?
  • End-users – who will be accessing the system every day
  • Stakeholders – who will want evidenced outputs (reports, attestations, accountability)
  • Use-cases – how people currently work, and what should or should not be changed

The business needs to be secure and compliant whilst not placing extra burdens on users, so that they can work efficiently. Those PAM solutions that minimally disrupt users and their workflows will work better in the long term.

2) Too trusting of privileged users

It’s easier than one might think to fall into the trap of allocating privileges with a very wide scope of coverage, which may seem necessary for the business to function. However, it almost goes without saying that the more privileges are allocated, the greater the risk of an unwanted data breach. For example, a recent survey found that two-thirds of respondents globally grant privileged account access to third-party partners, contractors or vendors. Placing too much trust in users, especially those outside of the organisation, should be considered a risk too far.

By implementing a “trust but verify” approach to privileged access, companies can keep business flowing with a few minimal extra steps, such as multi-factor authentication, monitoring of user behaviour, and process checks that ensure privileges are only exercised for the needs of the business and with full accountability placed on the end-user.
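The “trust but verify” checks above can be made concrete as a triage rule set run over privileged-session records. The following is an added example, not code from the article or from One Identity; the record fields (`mfa_verified`, `change_ticket`, `account_type`), the high-risk action names and the sample sessions are all constructed assumptions for illustration. Each session is checked for an MFA step, a linked business justification, third-party origin (which the article singles out as higher risk) and high-risk administrative actions, and the findings are mapped to a review outcome.

```python
"""Trust-but-verify triage over constructed privileged-session records.

Added example (not from the article). Field names, action names and the
sample data below are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Administrative actions the organisation treats as high risk (assumed set).
HIGH_RISK_ACTIONS = {"modify_admin_group", "disable_audit_logging", "export_database"}


@dataclass
class PrivilegedSession:
    session_id: str
    user: str
    account_type: str            # "employee" or "third_party" (assumed labels)
    target: str
    mfa_verified: bool           # did the PAM gateway record an MFA step?
    change_ticket: Optional[str] # business justification, e.g. a change record
    actions: List[str] = field(default_factory=list)


# Constructed sample sessions, as a PAM session-recording export might supply them.
SAMPLE_SESSIONS = [
    PrivilegedSession("s1", "alice", "employee", "app-server-01", True, "CHG-1001", ["restart_service"]),
    PrivilegedSession("s2", "vendor-bob", "third_party", "db-server-02", True, None, ["export_database"]),
    PrivilegedSession("s3", "carol", "employee", "dc-01", False, "CHG-1002", ["modify_admin_group"]),
    PrivilegedSession("s4", "vendor-dan", "third_party", "app-server-01", True, "CHG-1003", ["restart_service"]),
]


def verify_session(session: PrivilegedSession) -> List[str]:
    """Return the list of 'verify' failures for one privileged session.

    Findings are emitted in a fixed order so that results are deterministic:
    missing MFA, missing business justification, third-party origin, then
    any high-risk actions performed during the session.
    """
    findings: List[str] = []
    if not session.mfa_verified:
        findings.append("no_mfa")
    if not session.change_ticket:
        findings.append("no_change_ticket")
    if session.account_type == "third_party":
        findings.append("third_party_account")
    risky = sorted(HIGH_RISK_ACTIONS & set(session.actions))
    if risky:
        findings.append("high_risk_action:" + ",".join(risky))
    return findings


def severity(findings: List[str]) -> str:
    """Map findings to a review outcome (policy thresholds are assumed)."""
    if not findings:
        return "ok"
    if "no_mfa" in findings or any(f.startswith("high_risk_action:") for f in findings):
        return "escalate"      # accountability gap or sensitive change: needs a human decision
    return "review"            # e.g. a third-party session that otherwise passed every check


def triage(sessions: List[PrivilegedSession]) -> Dict[str, str]:
    """Triage every session and return {session_id: outcome}."""
    return {s.session_id: severity(verify_session(s)) for s in sessions}


if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(s.session_id, s.user, verify_session(s), "->", severity(verify_session(s)))
```

In practice the record fields would be populated from the PAM gateway’s session log and the change-management system, and the “escalate” outcome would feed the analytics or ticketing workflow rather than a print statement; the point of the example is that each “verify” step is an explicit, auditable check rather than an implicit grant of trust.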

3) Believing PAM simply is an issue to be resolved, rather than a multi-layered security strategy

Often, PAM programs address only a subset of the underlying issues, which is why too many of them underdeliver, fail to achieve desired objectives or fail outright. As in other areas of IAM, addressing PAM in silos and without a comprehensive view is bound to disappoint.

One of the biggest mistakes organisations typically make is equating Password Management (PM) with a “PAM project”. Password vaults, whilst useful as part of a PAM strategy, will not solve all privileged-user challenges when offered as a standalone measure. Adding further layers of security, for instance complementing PM with session monitoring and analytics, will bring multiple returns on your security investment.

Multi-Factor Authentication is also a great tool for securing access. Again, though, if it is not complemented with other PAM elements such as privileged behaviour analytics, the user experience can suffer from unnecessary authentication prompts for the numerous access attempts made during a working session.

A programme that addresses too few disciplines cannot be considered a complete PAM programme. At the very least, a holistic PAM approach will include:

  • Unix root delegation
  • Credential vault or safe
  • Windows delegation
  • Active Directory Administrator delegation
  • MFA
  • Session monitoring
  • Privileged user behaviour analytics

4) Overlooking identity governance

Not just another empty phrase, Identity Governance and Administration (IGA) recognises that, since privileged accounts are prime targets for breaches, the requirement to govern those accounts and their access is omnipresent. This has led to a greater desire in larger organisations to have an identity governance strategy that not only embraces the PAM solution but consolidates it with employees’ other privilege, access and asset information. This allows the business to execute risk assessments across the entirety of the business with all avenues of threat in scope.

Successful PAM programs are a combination of the right technology, internal policies and people, all working concurrently to achieve governance. Choosing the right technology is important because it can provide a single source of truth applied to everything and everyone, but when PAM is applied as a pure technology exercise the root issues do not get resolved. Instead, they continue to mount.

Therefore, every PAM project needs to be undertaken with an eye towards governance.

Conclusion

When embarking on a PAM programme, you need to focus on business needs rather than technology features, and build in a trusting yet verifiable approach combined with different layers of PAM security that are seamlessly integrated and interact with one another – either from one source or from the minimum number of sources. In order for organisations to get the most from their investments, financial and otherwise, they should try to visualise the entire picture instead of operating with a “project in a box” mentality.

And all of this should be done with a view towards governance. Once the project is scoped correctly with these baseline considerations, the process will be far more effective, ultimately reducing risk and hardening the organisation against attacks stemming from poorly managed privileged accounts.

Paul Walker, Technical Director, One Identity