Improving the adoption of Privileged Access Management across the organization
Blog: Capgemini CTO Blog
Many organizations have now deployed a basic level of privileged access management (PAM) tooling and/or processes around the control of privileged accounts. But PAM systems do not by themselves reduce privilege risks to a level acceptable to the business. The challenge many organizations now face is how to drive increased adoption of an Enterprise PAM service, securing the usage of all high-risk privileged accounts, and more. Driving increased adoption of PAM is not an easy “one-off” exercise. In our experience, it requires several foundational elements to be undertaken as part of a holistic PAM approach, as described below:
The first challenge for many organizations is for enough people to really understand what PAM is, why it is required, and what level of PAM controls are really required. This stage involves creating a mindset for PAM improvement across the organization – for key stakeholders to appreciate the risks faced by the organization, the value of PAM in mitigating these risks, and the investment required to achieve effective PAM. It creates the background sponsorship for wanting to move forwards with PAM on an ongoing basis.
“If you don’t know where you’re going, any road will take you there.” What does effective PAM look like? Organizations need to define a clear target state for PAM that can meet current and future requirements, going well beyond PAM technical architecture and tooling. This target state includes a well-defined set of policies, standards, controls, a target operating model with appropriate governance and RACI model, a clear definition of PAM-related requirements, and ongoing service lifecycle processes. The creation and maintenance of a comprehensive multi-staged PAM program and a comprehensive PAM target architecture are key deliverables of this element.
The first element of any PAM program is to discover the privileged accounts and secrets in use across the organization and to assess how these accounts are being used and controlled, and the risks that exist around them. This assessment covers controls such as account ownership and account health (for example, who is using these accounts, and who is able to use them). Discovery is not a one-off exercise; it needs to be continually repeated and acted upon. Discovery gives a detailed understanding of the state of PAM across the organization that can then be measured and acted upon. Modern tools with AI capabilities are now transforming the discovery process.
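One way to make the "who is using versus who is able to use" check concrete, as an added example that is not from the post or from any Capgemini or CyberArk tooling: a small Python assessment over a constructed account inventory and constructed logon records that flags unowned accounts, dormant accounts, and entitlements that are never exercised. The account names, principals, dates and the 90-day dormancy threshold are all assumptions.

```python
from datetime import date

# Constructed sample inventory (not real data): privileged accounts as a
# discovery tool might export them, plus which principals can use each one.
ACCOUNTS = [
    {"name": "svc-backup", "owner": "", "can_use": {"alice", "bob", "carol"}},
    {"name": "root-db01", "owner": "dba-team", "can_use": {"dave", "erin"}},
    {"name": "adm-legacy", "owner": "it-ops", "can_use": {"frank"}},
]

# Constructed logon records: (account, principal, date of use).
LOGONS = [
    ("svc-backup", "alice", date(2024, 5, 2)),
    ("svc-backup", "alice", date(2024, 5, 9)),
    ("root-db01", "dave", date(2024, 4, 30)),
    ("root-db01", "erin", date(2024, 5, 6)),
]

DORMANT_DAYS = 90  # assumed threshold; use the organization's own standard


def assess(accounts, logons, today):
    """Return per-account findings comparing entitlement with observed use."""
    findings = {}
    for acct in accounts:
        name = acct["name"]
        uses = [(p, d) for (a, p, d) in logons if a == name]
        used_by = {p for p, _ in uses}
        last_used = max((d for _, d in uses), default=None)
        issues = []
        if not acct["owner"]:
            issues.append("no owner")  # nobody accountable for the account
        if last_used is None or (today - last_used).days > DORMANT_DAYS:
            issues.append("dormant")  # never or not recently used
        unused = acct["can_use"] - used_by  # entitled but never seen using it
        if unused:
            issues.append("entitled but unused: " + ", ".join(sorted(unused)))
        findings[name] = {"used_by": used_by, "last_used": last_used, "issues": issues}
    return findings


def assess_sample():
    """Run the assessment over the constructed sample as of 2024-05-15."""
    return assess(ACCOUNTS, LOGONS, date(2024, 5, 15))


if __name__ == "__main__":
    for name, finding in assess_sample().items():
        print(name, finding["issues"])
```

Re-running this against each fresh discovery export is what turns discovery from a one-off into the continual, measurable process the post describes.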
Once the target state is clear, the next challenge organizations face is how to create a core capability for PAM that can be reused across the enterprise and beyond. Increasingly, organizations are looking at cloud-based and SaaS-based services to reduce the time and costs involved in creating and managing the core technology components of the PAM capability. We have seen the Identity-as-a-Service (IDaaS) market mature from addressing only access management, to also addressing identity governance and administration, and now finally beginning to address PAM as well. However, even the most advanced SaaS-based services currently provided by PAM software vendors still require significant components to be designed and deployed on-premises, as part of a hybrid architecture.
At Capgemini, we recognize this challenge and provide a service called Capgemini IDaaS/PAM, which is a fully managed and hosted standardized PAM service based on the complete CyberArk suite. Whilst retaining all the cost and time benefits associated with regular SaaS solutions, Capgemini IDaaS also provides the flexibility and full functionality associated with on-premises deployments, including more advanced services such as privileged threat analytics and secrets management. Furthermore, Capgemini IDaaS includes the L2/L3 service wrap and integrations with other cybersecurity defense components. One of the benefits of deploying an extendable and cutting-edge core PAM service such as Capgemini IDaaS is that it then more effectively positions the organization for the next stage – exploitation.
Deploying an Enterprise PAM service by itself provides no business benefit whatsoever – it is the exploitation of this core service that ultimately enables effective controls to be put in place around the usage of privileged credentials. But how can this be done? This is where many organizations struggle – often some initial high-profile accounts are controlled but integrating wider accounts and services at scale is prohibitively complicated and costly.
To address this challenge, we see organizations increasingly building “factory model” services to be able to rapidly onboard and integrate services and accounts in a reliable and repeatable approach. By using a standardized core service such as Capgemini IDaaS, there is an opportunity for undertaking easier and repeatable integrations. But PAM Factory Model services go well beyond the technical integrations – they also include business engagement, security advisory, and communications activities required for each integration. Capgemini can provide PAM Factory Model services and the associated Application Management RUN services as part of Capgemini IDaaS/PAM, or it is equally possible for organizations to build their own exploitation services where preferred. But either way – we now see a PAM Factory Model as an essential component of any organization’s drive to exploiting PAM.
PAM is an ongoing process and not a one-off implementation. New methods of working (e.g., DevOps, the move to the cloud, increasing use of third parties, etc.) are constantly changing the risk landscape. In response, new PAM technologies and approaches are constantly being developed. To stay compliant and maintain a low-risk profile, a best practice is to constantly innovate to address these changing requirements. This again is where Capgemini can help: through our highly experienced advisory consultants, through our modular Capgemini IDaaS services that exploit the latest PAM technologies, and through our Cybersecurity Experience Centers, which help visualize and gain stakeholder agreement on how to move forwards with the latest solutions. In these ways we can help organizations better understand their needs and move forwards on their PAM journey today and tomorrow.
As described above, driving increased adoption of effective PAM requires a level of awareness/sponsorship and many foundational and structural elements to be in place, to support ongoing and repeatable processes such as a PAM Factory Model. The benefits behind the increased adoption of PAM are huge. Given these benefits, it is our view in Capgemini that there should be increased focus in organizations towards planning for effective PAM Adoption from the very start of any PAM program, and not treating adoption as a subsequent phase only to be properly considered after initial technology deployments.
Co-author: Global Head of IAM Capability
Co-author: IAM Project Manager