Phone Number +1-202-802-9399 (US)
The Lockdown

Thycotic’s Cyber Security Blog

Top 10 Questions to Ask Before Planning Your Privileged Account Management Strategy and Implementation

Written by Joseph Carson

August 25th, 2016

Updated September 2020

The shocking findings from the groundbreaking report from Thycotic and Cybersecurity Ventures highlight that many companies are not doing enough to protect their privileged accounts from cyber-attacks. In this post, I’ll reveal the findings and provide the information you need to plan and implement a privileged account management strategy for your organization.

Many companies—80%—consider Privileged Access Management a top priority for their business. This shows that companies acknowledge the importance of privileged accounts and with 60% of companies required to demonstrate compliance—either due to a government regulation or industry regulation—failure to protect privileged accounts could result in a failure to meet compliance which could result in a direct impact to the business.

Privileged accounts have full permissions to computer systems and environments…

The main reason privileged accounts are so critical to both industry and regulatory compliance is that privileged accounts are what is known as the “keys to the kingdom”. Privileged accounts have full permissions to computer systems and environments which typically have access to locations where sensitive data like financial records, classified data, or personal identifiable data like email, address, credit card, social security number details are stored.

Most organizations do not realize privileged accounts are not just human accounts or job roles, but privileged accounts exist everywhere; this includes every piece of networking equipment, switch, and Internet of Things devices. Today, organizations are manually managing these accounts and if they aren’t, they’re leaving it as the default setting.

We know that companies do understand the importance, so why have so many companies failed to protect and secure privileged accounts? 

It appears many companies have identified this as a major cyber security risk, yet have failed to communicate or implement solutions that help automate and secure privileged accounts. This then leaves the company completely open to the risks associated with poor privileged account management practices.

Just 10% of companies implemented a commercial solution

Additional survey findings included: 40% of organizations indicate they have not communicated the importance of following IT security policies to their stakeholders, 60% still rely on manual methods to secure privileged accounts, and just a shocking 10% of companies have implemented a commercial solution dedicated to protecting and securing privileged accounts.

So while we have acknowledgement and privileged account management as a high priority, it appears that one of the major problems is that companies don’t know where to start or what solutions exist to help solve one of these major cyber security risks.

Here are some easy steps on how your company can get started on a privileged account management strategy:

  1. Educate key stakeholders about PAM security
  2. Discover how many privileged accounts you have, where your privileged accounts are located, and what teams you might have to work with internally to start managing them appropriately.
  3. Decide whether PAM software would be helpful
  4. Plan your implementation
  5. Manage PAM as an ongoing program, not just a software roll-out

One of the most critical steps is to ensure every stakeholder has been clearly communicated to and educated on the risk of privileged accounts. This clearly is one of the most significant failures, and it’s important to identify what privileged accounts mean to your company.

Ask the following questions to find out:

  1. What is a privileged account?
  2. Where are privileged accounts located?
  3. Who has access to privileged accounts?
  4. Do you have contractors accessing privileged accounts?
  5. When are privileged accounts used?
  6. What is the risk of privileged accounts being used by an external attacker?
  7. What is the risk of privileged accounts being used by an insider?
  8. Do you have an IT Security Policy covering privileged accounts in place?
  9. Are government and industry regulations applicable?
  10. Are you actively reporting on privileged account use and exposure?
  11. Do you have a way to classify or associate high privileged accounts and their respective owners?
  12. Do you have a way to provision just-in-time access to privileged accounts?

Once you have identified how privileged accounts are applicable to your business the next step is to discover privileged accounts that exist on your network.  Sometimes this can be a shocking result as it highlights the gap in what was known and not known.

Usually, at this point, it becomes clear that you need PAM software to help you manage the accounts you discovered. The next step is to draw up a list of requirements. This blog provides a helpful list of PAM requirements to consider.

The choice between on-premise or cloud PAM is important

An important choice is whether you want to deploy an on-premise solution or a cloud one. Instead of installing, hosting, maintaining, and updating your PAM software on-premises yourself, cloud-based SaaS PAM software is hosted and managed by your PAM vendor. They manage the cloud environment for your PAM software, and make sure it’s secure, available, and updated. In many cases, this removes much of the administrative burden of maintaining and updating infrastructure yourself and instead offsets this type of work to the vendor.

If you decide to go for an on-premise solution, you’ll need to do some preparation to see how it will fit within your IT environment. What servers will you need? What’s your disaster recovery strategy? It’s important to work with your vendor closely to understand what infrastructure is needed and recommended to meet your PAM strategy goals.

Vendors can help in a big way here by providing reference architectures that give clear direction on the best set-up for their particular solution. Of course, these can be tweaked and adjusted based on your needs and goals, but they provide an important start to get your PAM solution mapped out. If working with a vendor’s professional services team, they may even have the customer complete requirement documents to build customer-specific diagrams.

Thycotic provides a number of reference architectures with commonly used variations to assist our customers in planning and implementing our PAM solutions on their own. These architectures, provided by Thycotic’s Professional Services Solutions Architect team, are based on years of experience with thousands of Thycotic customer implementations and are regularly updated and edited based on feedback and evolving best practices.

If you happen to have an on-premise PAM solution already and are considering moving your PAM to the cloud, check out these cloud recommendations.

An important thing to remember is that PAM needs to mold, flex, and change as your business and security needs change and evolve. PAM is a program, not simply a software implementation. Treating PAM as an ongoing effort ensures that improving your security posture is prioritized long term.

 

Like this post?

Get our top blog posts delivered to your inbox once a month.

SHARE THIS