Topics to reflect on internally when considering a new product or solution.

If PAM is to be effective across an organization, a technical audit of all IT should be undertaken to see how and where privileged accounts interface with other IT components and other parts of the organization. This will encompass all types of computing devices, operating systems, and platforms and enterprise uses, including mobile, virtual, cloud, and IoT.

PAM can be deployed on-premises (including as a virtual appliance), in a private or public cloud or delivered as a service from the cloud (PAMaaS). Before deployment, organizations should decide on which platform suits the organization best – choices here will be influenced by industry sector, size of company, level of technical resources in-house and likely future demands and cost.

Detection and remediation of threats to privileged accounts is a critical component for an overall cybersecurity strategy and architecture. However, these tools must complement and interoperate with other cybersecurity tools. Additionally, adding PAM to your security architecture may require bringing in knowledgeable security analysts to administer it.

IT architects must create a plan and schedule for deployments. Depending on the size of the organization in question, a phased approach may work best.

Organizations must ensure that they have technical expertise for PAM if they are to run it fully in house and on-premises. Like any IT tool, PAM solutions vary in ease of deployment and usage. Therefore, organizations need to balance the needs and size of the organization with cost, availability of technical resources when choosing a PAM solution. For some organizations, a PAMaaS may be the best route forward.

In large organizations, members of the IT security team may go on to become internal “product managers” for PAM solutions and policies. Smaller organizations may rely on an IT leader or MSP.

Those PAM solutions that are managed and operated in-house will need administrators appointed as well as technical leaders to authorize usage and product lifecycles.

There must be valid business cases for the project. For privileged access management, avoiding costs associated with lost data via privileged accounts is the primary driver.

There must be sufficient budget approved.

To be effective, PAM deployed across many types of computing devices, operating systems, and platforms that the enterprise uses. The project must be backed at the C-level. It needs both technically knowledgeable people as well as people with business knowledge to determine which are the most important assets to succeed.

Ensure that guidelines for Information Security in general and PAM in particular are defined and mapped to policies.

Each organization needs a group dedicated to handling breaches and other security incidents. Each team member should have specific roles and responsibilities. This team handles initial responses, investigations, containment, remediation, and communication. A PAM expert should be part of this process.

Define the Incident Response processes – who reacts? What are the recommended steps to be taken for different kinds of incidents? What kinds of automated responses will be acceptable to the organization? Who is informed? Who communicates with executives and other users? Who communicates with external parties, such as partners, customers, and perhaps the media?

Understand the risks to systems and, better, information assets. Base security policies on risks and appropriate mitigation techniques.

Train users to avoid suspicious emails and attachments that are targeted towards users of privileged accounts. Train responders how to investigate incidents, contain damage from events, and restore to fully operational state.