5 key success factors for a Privileged Access Management (PAM) project
When it comes to IT security strategy, the first measures organizations implement are generally backup management, the deployment of solutions such as anti-virus, firewall and EDR, and the management of software and hardware updates. These measures secure access for all employees, without differentiation.
But one group of employees, the “privileged users”, configures these security solutions and sits at the heart of critical IT and industrial infrastructures. Their powers are such that they can affect the security of the whole IT system and of the organization.
To secure the access of these privileged users, deploying the solutions mentioned above is not enough. As recommended by several national security agencies and by IT security regulations, it is essential to deploy a Privileged Access Management (PAM) solution. For privileged users, this deployment involves a major technical, functional, organizational and sometimes cultural change.
In this article, we’ll look at how to take all these factors into account to ensure the success of a PAM project, which is essential to the security of the organization.
Why deploy a PAM solution to manage privileged access?
When we talk about access management solutions, we immediately think of an Identity Governance and Administration (IGA) solution to automate the management of identities, user accounts and associated rights, or an Access Management (AM) solution to handle user authentication by offering SSO and/or MFA.
IGA and AM solutions are management or governance solutions, not infrastructure management solutions. They:
- Manage access in a general, static way, by configuring the target environment so that users can reach their resources. They do not take into account dynamic, “real-time” elements such as the access context, user and device behavior, or time-based principles (least privilege for the task at hand, just-in-time access with no residual privileges).
- Do not provide resource discovery or dynamic management of the authentication secrets held on the resources, e.g. secret rotation or secondary authentication (an SSO-like experience that differs from classic SSO: the connection to the resource uses another, individual account drawn from a vault dedicated to privileged accounts).
- In terms of traceability, they audit only the connection itself, not the detail of what the user does, nor on which critical or administration resource.
Thus, an IGA or AM solution will manage all users, whereas a PAM solution will target access of privileged users or privileged accounts, covering:
- Human or machine users of programs or software
- Human user accounts: personal or shared accounts (e.g. a root account on a Linux server)
- Software or machine accounts, such as application accounts or service accounts
- Critical accounts used to perform critical actions on critical resources
These privileged accounts therefore require different management from that offered by an identity and access management solution covering all users. A PAM solution offers functional coverage specific to securing access with these privileged accounts:
- Access session management: video recording of sessions, connection audits and traceability of all actions carried out.
- Access secret management: privileged account credentials are stored in a vault, and password rotation can be managed.
- Transparent secondary authentication and elevation of privileges: an administrator logs into a portal using his or her personal account, and transparently uses a privileged account to connect to a critical resource.
- Access to a wide range of resources, whether in an IT environment (Windows/RDP or Linux/SSH servers, web resources) or an OT environment (industrial control systems – ICS, PLCs, human-machine interfaces – HMI, supervision & control – SCADA, industrial IoT – IIoT…).
- Native management of secure remote access (Remote PAM) for on-call administrators or service providers who need to administer their customers’ IT system resources.
A PAM solution therefore includes features dedicated to the management of these privileged accounts, so that all resource and application administration accounts can be protected. But deploying such a solution is not without impact: it implies major changes for the users concerned, and several factors must be taken into account to guarantee the success of a PAM project.
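The Python model below is an added illustration, not code from this article or from any PAM product, of how the functions listed above fit together: privileged-account secrets held in a vault, a just-in-time session opened for an individually authenticated administrator (personal account plus MFA, within a time window), a connection in which the broker presents the privileged credential to the target so the administrator never sees it (secondary authentication), rotation of the secret on check-in, and an audit record of every step. The target host, the policy model, the account names and the fixed clock are all constructed for the example.

```python
"""Minimal model of a PAM broker: vault, just-in-time session, brokered
connection, rotation on check-in and an audit trail (added illustration)."""
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class AccessDenied(Exception):
    pass


@dataclass
class PrivilegedAccount:
    target: str
    username: str
    secret: str = field(repr=False)  # lives only inside the vault, never returned to a user


class FakeTarget:
    """Stand-in for an SSH or RDP host (constructed): stores a hash of the
    privileged account's password and checks it on every connection."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._verifiers: dict[str, str] = {}
        self.commands: list[tuple[str, str]] = []

    def set_password(self, username: str, secret: str) -> None:
        self._verifiers[username] = hashlib.sha256(secret.encode()).hexdigest()

    def run(self, username: str, secret: str, command: str) -> str:
        if self._verifiers.get(username) != hashlib.sha256(secret.encode()).hexdigest():
            raise AccessDenied(f"{self.name}: bad credentials for {username}")
        self.commands.append((username, command))
        return f"{self.name}$ {command}"


def fixed_clock(hour: int):
    """Deterministic UTC clock for the demo (constructed)."""
    return lambda: datetime(2024, 3, 4, hour, 0, tzinfo=timezone.utc)


class PamBroker:
    def __init__(self, clock=None) -> None:
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._vault: dict[str, PrivilegedAccount] = {}      # target name -> account
        self._targets: dict[str, FakeTarget] = {}
        self._policy: dict[tuple[str, str], tuple[int, int]] = {}  # (user, target) -> UTC hours
        self._sessions: dict[str, dict] = {}
        self.audit: list[dict] = []                         # what a SIEM would collect

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"ts": self._clock().isoformat(), "event": event, **fields})

    def enroll(self, target: FakeTarget, username: str) -> None:
        """Take a privileged account under management: set a secret nobody has ever seen."""
        secret = secrets.token_urlsafe(24)
        target.set_password(username, secret)
        self._targets[target.name] = target
        self._vault[target.name] = PrivilegedAccount(target.name, username, secret)
        self._log("account_enrolled", target=target.name, account=username)

    def allow(self, user: str, target: str, hours: tuple[int, int]) -> None:
        """Authorize a personal identity to use the target's privileged account in a time window."""
        self._policy[(user, target)] = hours

    def open_session(self, user: str, mfa_ok: bool, target: str, ttl_min: int = 30) -> str:
        """Primary authentication is the admin's personal account plus MFA; the privileged
        account is chosen by the broker, the admin never types or sees its password."""
        now = self._clock()
        if not mfa_ok:
            self._log("session_denied", user=user, target=target, reason="mfa")
            raise AccessDenied("MFA required")
        window = self._policy.get((user, target))
        if window is None or not (window[0] <= now.hour < window[1]):
            self._log("session_denied", user=user, target=target, reason="policy")
            raise AccessDenied(f"{user} is not allowed on {target} at {now:%H:%M} UTC")
        sid = secrets.token_hex(8)
        self._sessions[sid] = {"user": user, "target": target,
                               "expires": now + timedelta(minutes=ttl_min)}
        self._log("session_open", session=sid, user=user, target=target,
                  account=self._vault[target].username)
        return sid

    def run(self, sid: str, command: str) -> str:
        """Secondary authentication: the broker presents the vaulted secret to the
        target on the admin's behalf, and every command is traced against the person."""
        s = self._sessions.get(sid)
        if s is None or self._clock() >= s["expires"]:
            raise AccessDenied("no valid session")
        acct = self._vault[s["target"]]
        out = self._targets[s["target"]].run(acct.username, acct.secret, command)
        self._log("command", session=sid, user=s["user"], target=s["target"], command=command)
        return out

    def close_session(self, sid: str) -> None:
        """Check-in rotates the secret, so nothing captured during the session survives it."""
        s = self._sessions.pop(sid)
        acct = self._vault[s["target"]]
        acct.secret = secrets.token_urlsafe(24)
        self._targets[s["target"]].set_password(acct.username, acct.secret)
        self._log("session_close", session=sid, user=s["user"], target=s["target"], rotated=True)
```

The point to notice is that `open_session` and `run` return a session handle and command output but never the secret: the administrator's identity is what the audit trail records, while the shared `root` or `Administrator` credential is only ever handled by the broker and is replaced as soon as the session is checked in.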
1st key success factor: Treat a PAM project as a program, not just a project
Deploying a PAM solution, like an IAM project, should be seen as a program rather than a single project. It starts with an initial implementation project on a precisely defined perimeter, followed by several smaller projects as the IT or industrial infrastructure evolves or as the organization’s needs change, e.g. the provisioning of new resources or access for new service providers.
The deployment of a PAM solution is therefore not set in stone and will evolve over time according to the organization’s needs and the evolution of its infrastructure.
2nd key success factor: Start with the basics
As we have seen, a PAM solution can cover a very wide range of functions, users and target resources. The first implementation project should therefore build a basic foundation rather than deploy every function on every resource for the entire target population from day one.
Start with basic session management: publish a few resources and use the secret vault to access them. You can also implement MFA and support administrators through the change induced by this new solution, for example by starting the pilot with IT Department employees rather than with external service providers.
In a second phase, build on this foundation to add functions such as password rotation, to widen the scope of resources, by adding databases to be administered for example, and to widen the scope of users, by opening up access to service providers.
3rd key success factor: Change management
The use of a PAM solution changes the work habits of privileged users, who may feel they are losing their privileges. Change management is a sensitive issue that needs to be considered before the project begins, right from the initial design phase, to ensure that the new solution is adopted.
Deploying a PAM solution involves changes at various levels:
- It’s a new technology that requires training for users and those who will be responsible for administering the solution.
- This new solution changes daily work habits: until now, an administrator connected directly to a Windows or Linux machine with mstsc or PuTTY to carry out administration tasks. They will now have to go through a bastion, separating administration tasks from office tasks, which no longer run in the same environment.
Similarly, for password management, it is often necessary to move from an individual approach (where everyone manages passwords their own way) or a collective approach (a shared vault in which it is very often possible to read the password) to an approach in which the password is no longer known to anyone.
- Actions will be monitored, which may generate mistrust among users, since their actions are traced in a video recording that allows them to be reviewed afterwards.
- Cyber-security pressure is growing, with ever-increasing security and regulatory compliance requirements, as well as the fear of attack due to an increasingly high-profile threat. This inevitably increases the demands companies place on their service providers.
- Users may see the need to go through a bastion to carry out their administration tasks as a constraint, since it requires additional steps, such as authenticating on a portal before accessing a resource.
Because of all these changes, users may have a negative perception of the “value” of a PAM solution. Administrators and service providers therefore need to be made aware of why the solution matters: it protects employees, who are no longer suspects by default in the event of a security incident since the system records the facts objectively, and it brings efficiency gains (automation of connection chains, for example).
To achieve this, we need to support users by implementing an approach that aims to:
- Share the vision as early as possible and prepare the project by setting out objectively the gains and the impacts for employees.
- Spend time beforehand with the teams concerned, listen attentively to their needs, and prepare training and skills transfer, while building into deadlines and schedules the time needed for acceptance and adoption of the change.
- Communicate regularly and create forums where users can discuss issues, fears and difficulties. It is also important to provide documentation or quick access to information.
- Specify the framework for monitoring privileged access and actions, which is carried out for operational rather than HR purposes: explain clearly what can be extracted from the logs, whether in text or video format, and above all point out the benefit for the employee (post-incident forensic analysis that protects the employee). Make sure that each employee concerned is aware of it, has understood it and consents (the solution itself warns the user that the session is being recorded).
The diagram below summarizes the change management methodology proposed by our teams.
4th key success factor: Define use cases based on risk analysis
The deployment of a security solution is often linked to the analysis of an attack surface, i.e. a search for a solution whose functional coverage addresses the identified risks.
In the same way, a PAM project is not a purely IT initiative but a cyber security project, and must therefore be preceded by a risk analysis that defines the various use cases.
For example, a table such as the one below lists the main domains and the use cases within each. It should be drawn up for each type of resource, defining its criticality, the access context and the action performed.
5th key success factor: Guarantee the integration into the existing IT systems
The aim is to deploy the PAM solution while integrating it as seamlessly as possible into the existing IT system:
- At the network level, networks will have to be segmented so that the different resources can be reached through the bastion.
- The solution can use the customer’s existing directories: Active Directory, SAML authentication via Azure, etc.
- The solution must be able to integrate:
  - with the existing MFA solution, e.g. an SMS gateway
  - with the SIEM, which retrieves the PAM solution’s logs
  - with the ITSM tool
  - with the EDR already deployed, for malware analysis of files before transfer
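Two of the integrations above, the SIEM collecting the PAM logs and the network segmentation around the bastion, only pay off if somebody writes detections on what is collected. The Python below is an added example, not code from this article or from any product: it runs three rules over constructed JSON-lines logs, two on the PAM's own session events (a session opened without MFA, an external provider connecting outside its agreed window) and one correlating firewall records with the PAM inventory (an administration port on a managed resource reached from anywhere other than the bastion, i.e. a segmentation bypass). The bastion address, target inventory, maintenance window and log formats are all assumptions of the example.

```python
"""Detection logic over PAM and firewall logs as a SIEM would collect them (added illustration)."""
import json
from datetime import datetime

BASTION_IP = "10.0.1.10"                 # assumed address of the PAM bastion
ADMIN_PORTS = {22, 3389, 5900}           # SSH, RDP, VNC
PROVIDER_WINDOW_UTC = (8, 18)            # assumed maintenance window for external providers
TARGET_IPS = {                           # assumed inventory of resources managed by the PAM
    "linux-prod-01": "10.0.20.11",
    "win-dc-01": "10.0.20.12",
    "plc-line-3": "10.0.30.5",
}

# Constructed PAM session events, one JSON object per line, as exported to the SIEM.
PAM_LOG = """\
{"ts": "2024-03-04T10:02:11Z", "event": "session_open", "user": "alice@corp", "group": "internal", "target": "linux-prod-01", "account": "root", "mfa": true}
{"ts": "2024-03-04T11:15:00Z", "event": "session_open", "user": "carol@corp", "group": "internal", "target": "win-dc-01", "account": "Administrator", "mfa": false}
{"ts": "2024-03-04T23:40:05Z", "event": "session_open", "user": "bob@provider.example", "group": "external", "target": "plc-line-3", "account": "maint", "mfa": true}
"""

# Constructed firewall "allow" records for traffic towards the administration zone.
FW_LOG = """\
{"ts": "2024-03-04T10:02:12Z", "src": "10.0.1.10", "dst": "10.0.20.11", "dport": 22, "action": "allow"}
{"ts": "2024-03-04T12:00:00Z", "src": "10.0.5.23", "dst": "10.0.20.11", "dport": 22, "action": "allow"}
{"ts": "2024-03-04T12:00:30Z", "src": "10.0.5.23", "dst": "10.0.20.11", "dport": 443, "action": "allow"}
"""


def parse_jsonl(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def pam_findings(events: list[dict]) -> list[dict]:
    """Rules on the PAM's own audit trail: missing MFA, and external providers
    opening sessions outside their agreed window."""
    findings = []
    lo, hi = PROVIDER_WINDOW_UTC
    for e in events:
        if e.get("event") != "session_open":
            continue
        hour = datetime.fromisoformat(e["ts"].replace("Z", "+00:00")).hour
        base = {"ts": e["ts"], "user": e["user"], "target": e["target"]}
        if not e.get("mfa"):
            findings.append({"rule": "pam_session_without_mfa", **base})
        if e.get("group") == "external" and not (lo <= hour < hi):
            findings.append({"rule": "external_session_out_of_window", **base})
    return findings


def bypass_findings(fw_events: list[dict]) -> list[dict]:
    """Correlation with network logs: an administration port on a managed resource
    reached from anywhere but the bastion means the segmentation has a hole."""
    ip_to_target = {ip: name for name, ip in TARGET_IPS.items()}
    findings = []
    for f in fw_events:
        if (f.get("action") == "allow" and f.get("dport") in ADMIN_PORTS
                and f.get("dst") in ip_to_target and f.get("src") != BASTION_IP):
            findings.append({"rule": "bastion_bypass", "ts": f["ts"], "src": f["src"],
                             "target": ip_to_target[f["dst"]], "dport": f["dport"]})
    return findings


def analyse(pam_text: str = PAM_LOG, fw_text: str = FW_LOG) -> list[dict]:
    return pam_findings(parse_jsonl(pam_text)) + bypass_findings(parse_jsonl(fw_text))


if __name__ == "__main__":
    for finding in analyse():
        print(json.dumps(finding))
```

The third rule is the one that most often surprises teams after a PAM rollout: the bastion can only enforce anything if the firewall policy leaves it as the sole route to the administration ports, so the PAM inventory and the network logs have to be read together.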
Deploying a PAM solution is therefore no trivial matter for an organization. Several key success factors must be taken into account to ensure the success of the project, and in particular the adoption of the solution by privileged users, which is essential to guaranteeing the security level of your IT system. Our teams, or those of our integrator partners, have built a proven methodology from numerous deployments of our PAM solutions to help you define your use cases, deploy the foundation of your Privileged Access Management solution and support your teams through the change.
To find out more about our PAM project experience, please contact us.