Phone Number +1-202-802-9399 (US)
The Lockdown

Thycotic’s Cyber Security Blog

The Privileged Access Management Lifecycle and Path to Maturity

Written by Joseph Carson

August 7th, 2018

Privileged access management (PAM) can be defined as managing privileged accounts and delegating privileged actions. Within an organization, it governs who can access or use a privileged account and what they can do once logged in with that privileged account. Privileged access management includes both privileged account management and privileged session management.

The PAM process has a well-defined lifecycle and 4 distinct phases of maturity that organizations typically pass through on their way to becoming what I call “PAM leaders”. I will cover the PAM lifecycle further on, but if you’re curious to see where your organization places in the PAM Maturity Model, you can take Thycotic’s PAM Maturity Assessment right here. The model clearly presents the privileged access management requirements for each stage of PAM maturity.

Let’s take a quick look at cyber threats, the enterprise, and PAM

Like me, you’re probably concerned about the ever-evolving threat landscape of cyber-attacks as you watch large well-known enterprise organizations falling victim to cyber-crime. Every year billions of records are stolen, identity theft increases, more credentials are abused, and financial fraud is now extending into billions of dollars.

Senior executives are more involved in cyber security than ever before.  Even while executives and CISOs are trying to reduce the risk of these threats, compliance requirements are increasing, and the costs involved in helping their organizations stay protected and continue seamless operations are going up.  Technology alone is no longer enough to defend organizations against cyber-crime. Now, a strong defense must involve people, and therefore it needs to be simpler and quick to value.

Why is traditional cyber security not enough?

Unfortunately, traditional cyber security is no longer sustainable. It is too complex, often too difficult to manage and as a result, too costly—both in time and money. Therefore, organizations have little choice but to accelerate the move to simpler solutions; solutions that remove complex management demands on IT staff while at the same time building in more secure, seamless integrations.

Privileged Access Security is now one of the top security controls that many CISO’s are prioritizing to help them reduce the risks of cyber-attacks, empower their employees and protect their organizations from unauthorized access. Recently Gartner released a report stating that the #1 project to implement in 2018 is Privileged Access Management.

Your previous experiences with PAM Vendors may have been SCARY 

Your previous experiences with legacy Privileged Access Management solution vendors may have been unnerving: the project may have been complicated, required expensive experts, been very costly, taken years to implement, or the software never got fully installed.

Thycotic has made Privileged Access Management friendly. Our solution is simple and easy to use, can be easily learned by your own professionals, and provides value for money. Implementation is a fast and satisfying experience.

What’s the best way to get started with privileged access management?

Now, the problem for many organizations is where to start the PAM journey. How do you easily adopt a privileged access solution into your organization that will lead you to success and maturity?  Thycotic has developed a selection of resources to help educate you and get you started immediately without any cost.

Organizations that are just getting started with protecting and securing privileged access must identify which privileged accounts should be targeted. They must also ensure that those who will be using those privileged accounts are clear on the acceptable use and responsibility.

Start by defining what ‘privileged access’ means in your organization

How to define what ‘privileged access’ means in your organization

Before implementing a privileged access management plan you must identify what a privileged account is for your organization.  It’s different for every company so it is crucial you map out what important business functions rely on data, systems and access.

A useful approach is to simply re-use your disaster recovery plan which typically classifies important systems that need to be recovered first, and then identify the privilege accounts for those systems.  Classifying or categorizing privileged accounts at this stage is good practice as this helps identify your privileged accounts’ importance to the business and will make future decisions easier when it comes to applying security controls.

So, what does privileged access mean in your organization? It could mean access to infrastructure, sensitive data, configuring systems, deploying patches, scanning for vulnerability, cloud environments and a lot more.  To be able to achieve a solid definition I recommend you perform a Data Impact Assessment because this is exactly what most privileged accounts are protecting and used for—to access sensitive data or enable access to sensitive data.

Once you have conducted a Data Impact Assessment to classify your data, you’ll know what information is most important to your business.

Next, audit and confirm who should have access rights to view and manage this sensitive data.

Privileged accounts are everywhere—yet for most people they are invisible

Privileged accounts are everywhere in the IT environment. They are they glue that connects vast information networks. Yet for most people they are invisible.

Privileged accounts can be human or non-human. Some privileged accounts are associated with individuals such as business users or network administrators, while others are application accounts used to run services and are not associated with a person’s unique identity.

Now, you can follow the PAM Lifecycle

Once you have performed a Data Impact Assessment and confirmed who should have access rights, the next step to maturity is to follow the Thycotic Privileged Access Management Lifecycle. This will get you moving quickly on the path to protecting and securing privileged access. You can learn more about the Privileged Access Management Lifecycle in Thycotic’s free PAM for Dummies Digital Book.

Privileged Access Management Lifecycle

Like any IT security measure designed to help protect critical information assets, managing and protecting privileged account access requires both a plan and an ongoing program. You must identify which privileged accounts should be a priority in your organization, and ensure that those who are using these privileged accounts understand acceptable use and their responsibilities.  This report briefly describes a PAM lifecycle model which provides a high-level road map that global organizations can use to establish their own Privileged Access Management program.

Here are the steps of the PAM Lifecycle:


Define and classify privileged accounts. Your business functions rely on data, systems, and access, and dependence on these entities varies from one organization to another. If you’re not sure how to get started on this task, look at your disaster recovery plan as it typically classifies your critical systems. Then, don’t forget to align your privileged accounts to your business risk and business operations.

Develop IT security policies that explicitly cover privileged accounts. Does your organization have a policy that details acceptable use and responsibilities for privileged accounts? It’s vital you have a working understanding of who has privileged access, and when it is used. For this reason, you must treat privileged accounts separately by clearly defining a privileged account and spelling out acceptable use policies.


Discover your privileged accounts. Automated privileged access management software enables you to identify your privileged accounts, implement continuous discovery to curb privileged account sprawl, identify potential insider abuse, and reveal external threats. This full, on-going visibility of your privileged account landscape is central to combating cyber security threats.

Manage and protect

Protect your privileged account passwords. Proactively manage, monitor, and control privileged account access with password protection software. Verify that your password management solution can automatically discover and store privileged accounts; schedule password rotation; audit, analyze, and manage individual privileged session activity; and monitor password accounts to quickly detect and respond to malicious activity.

Limit IT admin access to systems. Develop a least privilege policy to enforce least privilege on endpoints without disrupting business operations. Privileges should only be granted when required and approved. Least-privilege and application control solutions enable seamless elevation of approved, trusted, and whitelisted applications while minimizing the risk of running unauthorized applications.


Monitor and record sessions for privileged account activity. Your privileged access management solution should be able to monitor and record privileged account activity. This helps enforce proper behavior and avoid mistakes by users because they know their activities are being monitored. In the event of a breach, monitoring privileged account use also helps digital forensics identify the root cause and identify critical controls that can be improved to reduce your risk of future cyber security threats.

Detect abnormal usage

Track and alert on user behavior. Up to 80% of breaches involve a compromised user or privileged account. Do not underestimate the value of gaining insights into privileged account access and user behavior. Visibility into the access and activity of your privileged accounts in real time helps catch suspected account compromise and potential user abuse.  Behavioral analytics focuses on key data points to establish individual user baselines, including user activity, password access, similar user behavior, and time of access to identify and alert on suspicious activity.

Respond to incidents

Prepare an incident response plan in case a privileged account is compromised. Simply changing privileged account passwords or disabling the privileged account is not adequate when a privileged account is breached. Once in your system, criminal hackers can install malware and even create their own privileged accounts. If a domain administrator account gets compromised, for example, you should assume that your entire Active Directory is also compromised, so that the attacker cannot easily return.

Review and audit

Audit and analyze privileged account activity. Continuously monitoring privileged account usage via audits and reports helps identify unusual behaviors.  This may indicate a breach or misuse. These automated reports aid in tracking the cause of security incidents, and also demonstrate compliance with policies and regulations.  Additionally, privileged account audits equip you with the appropriate cyber security metrics and vital information organization executive require to make more informed business decisions.

Bottom Line: The key to improving cyber security around Privileged Access Management stems from an understanding and implementation of a PAM lifecycle approach.  Only a comprehensive solution can ensure that your “keys to the kingdom” are properly protected from cyber criminals and malicious insider threats. And that your access controls meet the regulatory requirements for compliance mandates in your industry.

Privileged access and the latest cyber security methods

In this video, Thycotic’s Chief Security Scientist and author of “PAM for Dummies,” Joseph Carson, delves into privileged access and the latest cyber security methods and explains why you cannot approach cyber security from a technology-only point of view.

Request a Quote

What does cyber security like this cost?
Not as much as you think.

Get a quote for the ONLY enterprise-grade PAM solution available both in the cloud and on-premise.


Like this post?

Get our top blog posts delivered to your inbox once a month.