Many PAM projects start with the question: “Which PAM product should we purchase?” To avoid disappointment and unnecessary costs, it is wise to work through the questions below first and only then ask: “Which PAM product shall we purchase?” By answering the questions below first, you start with the basics, so that an expert can help you make the right choice.
What is the motivation?
Why does the organization want a PAM tool? What is the driving force? The most common reasons:
- Audit finding
- Response to an incident (at own or similar organization)
- Feeling of not being ‘in control’
- ‘The neighbor has it too’
- …
The importance of defining the drivers is to understand who has the greatest interest in any PAM implementation, and who therefore must be involved in the analysis and choices.
What are the risks?
What risks does your organization face that you want to reduce through PAM? Consider:
- The value of proprietary information (PII, Intellectual Property, reputational damage, fines)
- The trustworthiness of management partners and own administrators
- The security awareness of the organization
- The different groups of people who are granted access (employees, clients, customers, et cetera)
- Dependency on Cloud Services
- …
What is already being done?
Often, PAM-related measures are already in place or resources are already in use, such as:
- Separate accounts for daily operations and high-risk actions
- An IAM solution in which separate accounts for Privileged Identities and segregation of duties are managed
- Governance on access rights for administrators
- Code of conduct for administrators that defines how to handle certain issues
- Sound change management procedures
- Monitoring and SIEM/SOC
- Attention to security awareness
- …
What additional measures are needed?
Based on the risks and the measures already taken, we can see where the gaps are. For each remaining risk there is an important consideration: is this risk of such a nature that I need to take measures, or is the risk acceptable as it stands?
What can be done with the current resources?
For those risks that are not acceptable: first look at the extent to which they can be reduced to an acceptable level through the use or improvement of existing resources, practices, procedures and policies.
Which PAM product is best suited?
The risks that remain after these questions are the risks that any PAM product to be purchased could cover. Most PAM products have a wide range of functions, not all of which are necessary or provide added value. A tool for this is the PAM Selection Matrix.
©Steven van der Linden, June 2021