September 24, 2019 // Tony Howlett. Last Updated: November 19, 2020
Privileged Access Management (PAM) is consistently ranked among the most important and impactful cybersecurity controls. The reason is the criticality of privileged credentials: they are the credentials attackers want most and the ones that do the most damage when compromised, so they need the strongest protection.
Identity and Access Management (IAM), which governs access for general employees' everyday use cases, earns similar regard as a high priority. In terms of "best bang for your security dollars," these two disciplines address the threats that, statistically, account for the largest share of successful attacks: stolen, shared, and over-privileged credentials.
Despite all the benefits IAM and PAM offer, challenges come up during the implementation phase. IAM and PAM protocols and platforms can get enormously complex because they typically touch every part of the IT infrastructure. Both technology and process challenges stand in the way of completing a successful IAM and PAM deployment.
Typical deployment cycles on these types of projects can run anywhere from 6 to 18 months, depending on the size of the organization and infrastructure considerations. Don’t let this fact discourage you.
For example, new tools exist to help with the enormous tasks of asset inventory and classification, often the most time-consuming hurdle to complete. Although cataloging IT assets proves critical in the long-run, you can start IAM and PAM project implementation with what you know; you can also add assets as you collect them.
Below are some other suggestions to make your IAM and PAM projects go smoother and deliver the improved security you seek without delays or blowing your budget out of the water.
Institutional friction can come from several areas. First, rank-and-file employees might become resistant to changes in how they access the systems needed to do their job. No one likes to learn a new way of doing things; I can assure you that if employee productivity is impacted, managers will come running. Therefore, consider partnering with internal communications before rolling out any user-facing processes. Having a solid communications plan before, during, and after the implementation can help to sell the benefits of stronger organizational security.
The other form of institutional friction often comes from the top. If the project is sold strictly from IT to the CEO or board, some department heads or C-levels may push back after the fact because of the expense and potentially lengthy implementation timeline. It is worth mentioning that lengthy projects that siphon off resources for other initiatives tend to draw significant attention.
Also, sales and marketing departments are notoriously resistant to anything that may slow down the revenue train. Keeping your project moving means delivering visible wins early so that the positive effects are felt right away, avoiding scope "creep," and eliminating unnecessary hassles for users.
Aside from gaining support from executives, top managers, and the rank-and-file, it is imperative to communicate these projects as organizationally critical. Making an exception for any individual or department sets a bad example and creates an unnecessary security hole, since an exempted account is exactly the kind of account an attacker looks for. Assigning departmental "risk owners" is usually effective in securing compliance from lagging chiefs: the department head who owns the risk of an exception is rarely keen to keep it.
This may sound counter-intuitive, but it is possible for your IAM and PAM project implementation to be “too secure.” Security solutions always exist on a spectrum between 100 percent usable and 100 percent secure. If your project makes sign-on and authentication processes too slow or difficult, departments could rebel. If that happens, your implementation may die on the vine.
For example, two-factor authentication adds a significant security gain to these critical processes. However, it becomes important to find ways to make that extra step minimal, or even invisible to the user.
The ideal IAM or PAM upgrade should make things more secure while keeping processes at least as efficient as the previous solution. Using behavioral factors (risk-based or "adaptive" authentication) can speed up the two-factor process: when a sign-in comes from a known device, a usual location, and a normal time of day, the second factor can be skipped or deferred, and it is required only when something about the sign-in looks unusual or the requested access is privileged. Mobile authenticators make it easier for users; they don't have to manage yet another key fob or access card to do their work.
Ignoring this principle and focusing strictly on security has been the death of many security upgrades.
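The following is an added example, not code from the original article or from any IAM product it mentions. It sketches the risk-based step-up decision described above: a sign-in that matches the user's everyday pattern passes with the password alone, while an unknown device, an unusual country, recent failed attempts, or a request for a privileged role forces the second factor. The signal weights, the threshold, the profile, and the sample sign-in events are all assumptions constructed for illustration.

```python
"""Risk-based step-up authentication: skip the second factor on low-risk sign-ins.

Added example, not from the article. The signals, weights, threshold and the
sample profile/events below are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field

@dataclass
class UserProfile:
    user: str
    known_devices: set = field(default_factory=set)    # devices that completed a step-up before
    usual_countries: set = field(default_factory=set)  # countries this user normally signs in from
    work_hours: tuple = (7, 20)                        # local hours treated as normal (assumed)

@dataclass
class SignIn:
    user: str
    device_id: str
    country: str
    hour: int            # local hour of day, 0-23
    privileged: bool     # requesting an admin / privileged role (PAM territory)
    failed_attempts: int = 0  # recent failed password attempts for this account

# Weights are assumptions. Any single weight >= STEP_UP_THRESHOLD forces a step-up
# on its own; smaller signals only add up to one when they coincide.
WEIGHTS = {
    "unknown device": 3,
    "unusual country": 2,
    "outside work hours": 1,
    "recent failed attempts": 3,
    "privileged access": 3,   # privileged sessions always get a second factor
}
STEP_UP_THRESHOLD = 3

def risk_score(profile: UserProfile, event: SignIn):
    """Return (score, reasons) for a sign-in against the user's baseline."""
    reasons = []
    if event.device_id not in profile.known_devices:
        reasons.append("unknown device")
    if event.country not in profile.usual_countries:
        reasons.append("unusual country")
    start, end = profile.work_hours
    if not (start <= event.hour < end):
        reasons.append("outside work hours")
    if event.failed_attempts >= 3:
        reasons.append("recent failed attempts")
    if event.privileged:
        reasons.append("privileged access")
    return sum(WEIGHTS[r] for r in reasons), reasons

def decide(profile: UserProfile, event: SignIn):
    """'allow' keeps the second factor invisible; 'step_up' requires it."""
    score, reasons = risk_score(profile, event)
    return ("allow" if score < STEP_UP_THRESHOLD else "step_up"), score, reasons

def complete_step_up(profile: UserProfile, event: SignIn):
    """After a successful second factor, trust the device so later sign-ins are silent."""
    profile.known_devices.add(event.device_id)

# Constructed sample data: one user and a handful of sign-ins.
SAMPLE_PROFILE = UserProfile("alice", known_devices={"laptop-01"}, usual_countries={"US"})
SAMPLE_EVENTS = [
    SignIn("alice", "laptop-01", "US", 10, privileged=False),          # everyday sign-in
    SignIn("alice", "laptop-01", "US", 10, privileged=True),           # same, but admin role
    SignIn("alice", "phone-99", "DE", 2, privileged=False),            # new device, abroad, 2 a.m.
    SignIn("alice", "laptop-01", "US", 22, privileged=False),          # just working late
    SignIn("alice", "laptop-01", "US", 10, privileged=False, failed_attempts=3),
]

def run_sample():
    """Decisions for SAMPLE_EVENTS: ['allow', 'step_up', 'step_up', 'allow', 'step_up']."""
    return [decide(SAMPLE_PROFILE, e)[0] for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for e, (action, score, reasons) in zip(SAMPLE_EVENTS, (decide(SAMPLE_PROFILE, e) for e in SAMPLE_EVENTS)):
        print(f"{e.device_id:10} {e.country} {e.hour:2d}h priv={e.privileged!s:5} -> {action:7} score={score} {reasons}")
```

The design choice worth noting is that "privileged access" carries a weight equal to the threshold, so a request for an admin role is never silent, no matter how familiar the device and location look; the convenience applies to everyday IAM sign-ins, not to the PAM side. Registering the device after a completed step-up is what makes the second factor disappear for the user over time.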
If your infrastructure remains 100 percent on-premises, then you have in-house control of the assets needed and your decisions are straightforward. However, in choosing an on-premises solution, you may have to consider IAM and PAM project implementation along with data center upgrade schedules and manpower requirements that have to be balanced around other competing IT initiatives.
Cloud subscription-based pricing models can help you avoid up-front capital expenditures. Yet you need to understand the complexities of integrating your in-house directory services to cloud-based ones. Cloud-based IAM and PAM vendors often cite their ease of deployment when pitching their products.
While it is true that doing a demonstration or setting up a cloud-based sandbox can be as easy as 1-2-3, leading to a closed deal based on the perceived simplicity, implementation and integration with a distributed in-house infrastructure often proves the devil in the details.
Cloud technology often requires specific skills that you may not have in-house if you are new to cloud migrations. Hybrid environments may involve additional networking and firewall configuration for the cloud. Even a migration from traditional on-prem Microsoft AD to Azure AD involves differences and tradeoffs worth considering before you commit.
Moreover, putting all your identities and credentials in the cloud may bring you security and compliance issues you didn’t expect. Make sure you factor in all the work and possible costs, including implementation and professional service fees before signing on the dotted line.
IT departments are typically short-staffed, and there are always more urgent projects that need immediate attention. IAM projects don't typically deliver new functionality or features that affect the bottom line directly, so they tend to be overlooked, and day-to-day crises can pull the focus off your IAM and PAM project implementation. Counter this by choosing solutions that automate the repetitive tasks, such as user provisioning, account setup, group membership changes, and de-provisioning of leavers, so that the project does not depend on engineers finding time for menial jobs.
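As an added example (not code from the article or from any product it mentions), the block below shows the kind of repetitive work that automation takes off the team: a joiner/mover/leaver reconciliation that compares an HR feed against a snapshot of directory accounts and produces the create, group-change, and disable actions needed to bring them in line. The record layouts, the job-code-to-group mapping, the `svc-` naming convention for service accounts, and both data sets are constructed assumptions.

```python
"""Joiner/mover/leaver reconciliation between an HR feed and directory accounts.

Added example, not from the article. Record layouts, the role mapping, the
service-account prefix and the sample data are constructed for illustration.
"""
import copy

# Assumed mapping from HR job code to directory groups. Note that no privileged
# rights are granted through this path: admin credentials belong in the PAM vault.
ROLE_GROUPS = {
    "ENG": {"eng-all", "vpn-users"},
    "FIN": {"finance-all", "vpn-users"},
    "IT-ADMIN": {"it-all", "vpn-users"},
}

# Constructed HR feed (source of truth for who should have an account and why).
HR_FEED = [
    {"employee_id": "1001", "username": "alice", "job_code": "ENG", "status": "active"},
    {"employee_id": "1002", "username": "bob",   "job_code": "FIN", "status": "active"},      # mover: ENG -> FIN
    {"employee_id": "1003", "username": "carol", "job_code": "ENG", "status": "terminated"},  # leaver
    {"employee_id": "1004", "username": "dave",  "job_code": "IT-ADMIN", "status": "active"}, # joiner
]

# Constructed snapshot of what the directory currently holds.
DIRECTORY = {
    "alice":      {"enabled": True, "groups": {"eng-all", "vpn-users"}},
    "bob":        {"enabled": True, "groups": {"eng-all", "vpn-users"}},
    "carol":      {"enabled": True, "groups": {"eng-all", "vpn-users"}},
    "eve":        {"enabled": True, "groups": {"eng-all"}},          # nobody in HR owns this account
    "svc-backup": {"enabled": True, "groups": {"backup-operators"}}, # service account, outside HR by design
}

def plan_actions(hr_feed, directory):
    """Return the list of (action, username, payload) needed to match HR.

    Leavers are disabled rather than deleted so the audit trail and ownership of
    files survive; unknown accounts are flagged for review rather than touched.
    """
    actions, seen = [], set()
    for rec in hr_feed:
        user = rec["username"]
        seen.add(user)
        wanted = ROLE_GROUPS.get(rec["job_code"], set())
        acct = directory.get(user)
        if rec["status"] != "active":
            if acct is not None and acct["enabled"]:
                actions.append(("disable", user, None))
            continue
        if acct is None:
            actions.append(("create", user, sorted(wanted)))
            continue
        if not acct["enabled"]:
            actions.append(("enable", user, None))
        to_add, to_remove = wanted - acct["groups"], acct["groups"] - wanted
        if to_add:
            actions.append(("add_groups", user, sorted(to_add)))
        if to_remove:
            actions.append(("remove_groups", user, sorted(to_remove)))
    for user, acct in directory.items():
        if user not in seen and acct["enabled"] and not user.startswith("svc-"):
            actions.append(("review_orphan", user, None))
    return actions

def apply_actions(actions, directory):
    """Apply a plan to a copy of the directory and return the new state."""
    d = copy.deepcopy(directory)
    for kind, user, payload in actions:
        if kind == "create":
            d[user] = {"enabled": True, "groups": set(payload)}
        elif kind == "disable":
            d[user]["enabled"] = False
        elif kind == "enable":
            d[user]["enabled"] = True
        elif kind == "add_groups":
            d[user]["groups"] |= set(payload)
        elif kind == "remove_groups":
            d[user]["groups"] -= set(payload)
        # "review_orphan" is a report item for a human; the account is left alone.
    return d

if __name__ == "__main__":
    for action in plan_actions(HR_FEED, DIRECTORY):
        print(action)
```

Running the plan twice is the check that matters for an automated job: after `apply_actions`, a second `plan_actions` should yield nothing except the orphan still awaiting human review, which is what makes the job safe to schedule unattended. Real deployments would replace the in-memory `DIRECTORY` with calls to the directory's API, but the reconcile-then-apply split stays the same.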
Keep your engineers focused on the project’s core goals. Also, vendors generally offer implementation and professional services to assist with getting the project done. Lean on them when you can but also make sure you get a firm quote and deadline. Avoid open-ended, charge-by-the hour proposals. The vendor should be motivated to get the project done on time and on budget.
New tools and processes are available to help shorten the projected six- to 18-month timeframe, and the shorter the better. You want to begin benefiting from the improved security and to minimize the period in which the old and new processes run side by side, because that overlap is where exceptions and forgotten accounts accumulate. Having an experienced project manager assigned to your IAM and PAM project implementation can both speed up the process and make sure that it gets priority and resources.
While IAM and PAM solutions offer powerful security features for network access by employees, organizations that outsource IT services must consider the unique threats that third-party vendors present. Sharing logins with vendors, or giving them broad network access through remote-support tools such as a VPN, is dangerous and completely avoidable. Vendor Privileged Access Management (VPAM) platforms, PAM for vendors, broker all the access a service provider needs while isolating that access to precisely the system components necessary. They also record each vendor session and provide detailed reporting for meeting regulatory compliance.
These are just a few of the pitfalls that a new IAM or PAM project can encounter. Others include budget cuts, vendor resistance, and a multitude more. But if you can avoid the ones outlined above, you insulate yourself somewhat from the others and are well on your way to project success and better security. PAM and IAM are a critically important part of the information security pie. Make sure your IAM and PAM project implementation matches that importance.