Privileged Access Management (PAM): Where to Start

By Danny Murphy | 03.13.2019 | Data Security

Privileged Access Management (PAM) is something that many organizations still struggle with on a day to day basis. One of the biggest reasons that this happens is because organizations do not prepare their Active Directory environment properly before starting their PAM project.

What is Privileged Access Management (PAM)?

Privileged Access Management (PAM) solutions usually center around an organization’s Active Directory environment and function as a way of delegating privileged access from a central and monitored location. PAM solutions are usually deployed for three primary reasons: to identify which of your users have privileged access, to centrally manage all privileged accounts throughout the business, and to reduce the risk surrounding those privileged accounts.

Privileged Access Management (PAM) Risks

Planning a Privileged Access Management (PAM) project is a major undertaking. One of the main challenges you will need to overcome is that PAM often relies heavily on Active Directory integrations. So, if the Active Directory is not as ‘tidy’ as it should be, the value of the whole project is in jeopardy and you risk replicating your AD failures in your new PAM deployment.

What to Do Before Starting Your Privileged Access Management (PAM) Project

Here are our key recommendations for the top five things you should get in place prior to, or in parallel with, your Privileged Access Management project:

1. Determine Which Active Directory Accounts Need to be Monitored

The first step to any successful Privileged Access Management (PAM) project is to identify which of your accounts have administrative access to your Active Directory. PAM solutions do not focus on this; they focus more on authentication. So, before you start your PAM project, you should have a way of identifying the accounts that have high-level access and the ability to make potentially disastrous changes to your Active Directory. Essentially, you will need to create a list of your Domain Administrator Accounts, Domain Administrator Groups and Domain Service Accounts.
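The following PowerShell is an added example, not code from the original post or from Lepide, showing one way to build the three lists named above (admin accounts, admin groups, service accounts) from Active Directory itself. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access; the group list, the output path `C:\PAM\privileged-accounts.csv` and the helper name `ConvertTo-InventoryRow` are assumptions for illustration.

```powershell
# Added example (not from the original post): inventory the accounts that can administer AD.
# Requires the RSAT ActiveDirectory module; the group list and output path are assumptions.
Import-Module ActiveDirectory

$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
)
$props = 'Enabled', 'LastLogonDate', 'PasswordLastSet', 'ServicePrincipalName'

function ConvertTo-InventoryRow($user, [string]$via) {
    [pscustomobject]@{
        SamAccountName   = $user.SamAccountName
        Enabled          = $user.Enabled
        LastLogonDate    = $user.LastLogonDate
        PasswordLastSet  = $user.PasswordLastSet
        IsServiceAccount = [bool]$user.ServicePrincipalName   # a user object with an SPN is (or was) a service account
        PrivilegedVia    = $via
    }
}

# 1. Members of the privileged groups, expanded through nested groups (where hidden admins usually sit)
$groupMembers = foreach ($name in $privilegedGroups) {
    try { $group = Get-ADGroup -Identity $name } catch { continue }
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { ConvertTo-InventoryRow (Get-ADUser -Identity $_.DistinguishedName -Properties $props) $group.Name }
}

# 2. Accounts still stamped by AdminSDHolder (adminCount=1). The stamp is not cleared when an
#    account leaves a protected group, so this also surfaces formerly privileged accounts.
$adminCountUsers = Get-ADUser -Filter 'adminCount -eq 1' -Properties $props |
    ForEach-Object { ConvertTo-InventoryRow $_ 'adminCount=1' }

# 3. Domain service accounts: user objects that carry a service principal name
$serviceAccounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties $props |
    ForEach-Object { ConvertTo-InventoryRow $_ 'SPN' }

$inventory = @($groupMembers) + @($adminCountUsers) + @($serviceAccounts) |
    Sort-Object SamAccountName, PrivilegedVia -Unique

# The CSV is the baseline the later steps compare against (directory must exist)
$inventory | Export-Csv -Path 'C:\PAM\privileged-accounts.csv' -NoTypeInformation
$inventory | Format-Table -AutoSize

# The privileged group objects themselves, with direct member counts, for the "Domain Administrator Groups" list
foreach ($name in $privilegedGroups) {
    try { $g = Get-ADGroup -Identity $name -Properties Members } catch { continue }
    "{0,-20} {1,3} direct members" -f $g.Name, @($g.Members).Count
}
```

The three sources deliberately overlap: an account that appears under a group name, under `adminCount=1` and under `SPN` at the same time is exactly the kind of high-risk, easily forgotten account a PAM project needs to know about before onboarding begins.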

2. Perform a Clean-Up of Your Inactive User Accounts

If your Active Directory is unclean, meaning it is full of inactive user accounts, your Privileged Access Management project won’t get off the ground. You will need to be able to identify these inactive user accounts and take action to streamline your Active Directory. Typically, this will involve deleting the accounts, disabling them or moving them to a different OU. If you don’t want to do any of these, then the minimum step to take would be to reset the passwords of these accounts to avoid potential misuse through unauthorized access.
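As an added example (not from the original post or from Lepide), the script below carries out the clean-up described above in the safest order: record what was found, rotate the password (the minimum step), disable, then move to a quarantine OU, with a dry-run switch so nothing changes until the report has been reviewed. It assumes the RSAT ActiveDirectory module, an existing OU `OU=Disabled Accounts,DC=example,DC=com`, and the privileged-account CSV path used in the previous step; all of those are assumptions.

```powershell
# Added example (not from the original post): stage inactive user accounts for removal.
# The OU, report path and exclusion file are assumptions; set $DryRun to $false to apply.
Import-Module ActiveDirectory

$DryRun       = $true
$InactiveDays = 90
$QuarantineOU = 'OU=Disabled Accounts,DC=example,DC=com'
$ReportPath   = "C:\PAM\inactive-accounts-$(Get-Date -Format yyyyMMdd).csv"
$ExcludeFile  = 'C:\PAM\privileged-accounts.csv'   # never mass-disable admins or service accounts blindly

$exclude = @()
if (Test-Path $ExcludeFile) { $exclude = (Import-Csv $ExcludeFile).SamAccountName }

# LastLogonDate is derived from lastLogonTimestamp, which replicates only every 9-14 days,
# so the threshold is approximate and should never be set below that window.
$inactive = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly |
    Where-Object { $_.Enabled -and ($exclude -notcontains $_.SamAccountName) }

# Keep a record of what was found before touching anything
$inactive | Select-Object SamAccountName, DistinguishedName, LastLogonDate |
    Export-Csv -Path $ReportPath -NoTypeInformation

function New-RandomPassword {
    # 32 random bytes, base64-encoded; nobody needs to know this value, it only has to be unguessable
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

foreach ($acct in $inactive) {
    $dn = $acct.DistinguishedName
    # Minimum step from the post: rotate the password so the old credential is dead
    Set-ADAccountPassword -Identity $dn -Reset -NewPassword (New-RandomPassword) -WhatIf:$DryRun
    # Record why and when, so the account can be audited or restored later
    Set-ADUser -Identity $dn -Description "Disabled $(Get-Date -Format yyyy-MM-dd): inactive > $InactiveDays days" -WhatIf:$DryRun
    Disable-ADAccount -Identity $dn -WhatIf:$DryRun
    Move-ADObject -Identity $dn -TargetPath $QuarantineOU -WhatIf:$DryRun
}

"$(@($inactive).Count) inactive accounts processed (DryRun=$DryRun). Report: $ReportPath"
```

Run it once with `$DryRun = $true`, check the CSV against HR leavers and known service accounts, then run it for real; deleting the objects outright is a later, separate decision once the quarantine OU has sat untouched for a retention period.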

3. Track Changes to Maintain the Integrity of Your Active Directory

It’s not enough to do a one-off audit of your privileged accounts. What happens if permissions change and more privileged accounts are created without your knowledge? For a successful Privileged Access Management project, constant vigilance is required when auditing and monitoring permission changes being made within your Active Directory.
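The monitoring called for above can be started with native auditing. The added example below (not code from the original post or from Lepide) reads security-group membership changes and new user creations from every domain controller's Security log and keeps only those touching privileged groups. It assumes the RSAT ActiveDirectory module, remote read access to the DCs' event logs, and that the 'Audit Security Group Management' and 'Audit User Account Management' audit subcategories are enabled; the group list and 24-hour window are assumptions.

```powershell
# Added example (not from the original post): privileged group membership changes in the last 24h.
# Requires the named audit subcategories on the DCs; group list and window are assumptions.
Import-Module ActiveDirectory

$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                      'Account Operators', 'Server Operators', 'Backup Operators')
$since = (Get-Date).AddHours(-24)

# Member added/removed for global (4728/4729), local (4732/4733) and universal (4756/4757) groups,
# plus 4720 (user account created) for the "new accounts without your knowledge" case
$eventIds = 4720, 4728, 4729, 4732, 4733, 4756, 4757
$action = @{ 4728 = 'Added'; 4732 = 'Added'; 4756 = 'Added'
             4729 = 'Removed'; 4733 = 'Removed'; 4757 = 'Removed'; 4720 = 'User created' }

function Get-EventFields($event) {
    # Read EventData by field name rather than by position; this survives OS version differences
    $fields = @{}
    foreach ($d in ([xml]$event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

$changes = foreach ($dc in (Get-ADDomainController -Filter *)) {
    # A write is logged only on the DC that processed it, so every DC has to be queried
    $events = Get-WinEvent -ComputerName $dc.HostName `
        -FilterHashtable @{ LogName = 'Security'; Id = $eventIds; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $f = Get-EventFields $e
        if ($e.Id -ne 4720 -and ($privilegedGroups -notcontains $f['TargetUserName'])) { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            DC        = $dc.HostName
            Action    = $action[$e.Id]
            Group     = if ($e.Id -eq 4720) { '-' } else { $f['TargetUserName'] }
            Member    = if ($e.Id -eq 4720) { $f['TargetUserName'] } else { $f['MemberName'] }  # DN of the principal
            ChangedBy = "$($f['SubjectDomainName'])\$($f['SubjectUserName'])"
        }
    }
}

$changes | Sort-Object Time | Format-Table -AutoSize
# Any row that cannot be matched to an approved change is the alert worth raising.
```

Scheduled daily, this gives a minimum viable change record for the groups that matter; the same event IDs are what a Data Security Platform or SIEM rule would key on, so the list doubles as a check that the auditing policy is actually producing events.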

4. Identify Which of Your User Accounts Present the Most Risk

You’ve identified which accounts have the ability to make administrative changes to your Active Directory. Now, you need to identify those user accounts that have privileged access to data. These are users that have access to personally identifiable information, confidential business information, intellectual property and any other data that is deemed to be sensitive. Users with this level of privileged access present the biggest risk to the security of your AD and the success of your Privileged Access Management implementation.
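Finding the users with privileged access to data means reading the ACLs on the sensitive locations and expanding groups to people. The added example below (not from the original post or from Lepide) does that for a list of paths and flags grants to broad principals such as Everyone or Domain Users, which are the ACL entries that make the entire workforce "privileged" on paper. It assumes the RSAT ActiveDirectory module and read access to the paths; the paths `\\fileserver\HR` and `\\fileserver\Finance` and the helper `Expand-Principal` are assumptions.

```powershell
# Added example (not from the original post): who can modify sensitive paths, expanded to users.
# Paths are assumptions; requires the RSAT ActiveDirectory module and read access to the shares.
Import-Module ActiveDirectory

$sensitivePaths  = @('\\fileserver\HR', '\\fileserver\Finance')
$broadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users')
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership, FullControl'

function Test-WriteAccess($ace) {
    # Generic rights (GENERIC_ALL 0x10000000, GENERIC_WRITE 0x40000000) show up on some inherited ACEs
    # and do not match the named flags, so treat them as write as well
    $raw = [int]$ace.FileSystemRights
    (($ace.FileSystemRights -band $writeMask) -ne 0) -or ($raw -band 0x10000000) -or ($raw -band 0x40000000)
}

function Expand-Principal([string]$ntAccount) {
    # Returns the user sAMAccountNames behind an ACE identity; non-domain identities are returned unchanged
    $domain, $sam = $ntAccount -split '\\', 2
    if (-not $sam -or $domain -in @('BUILTIN', 'NT AUTHORITY', 'NT SERVICE')) { return $ntAccount }
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'" -ErrorAction SilentlyContinue
    if (-not $obj) { return $ntAccount }
    if ($obj.objectClass -eq 'group') {
        return @(Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive |
                 Where-Object { $_.objectClass -eq 'user' } | ForEach-Object { $_.SamAccountName })
    }
    return $sam
}

$findings = foreach ($path in $sensitivePaths) {
    $acl = Get-Acl -Path $path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not (Test-WriteAccess $ace)) { continue }
        $id = $ace.IdentityReference.Value
        $isBroad = $broadPrincipals -contains ($id -split '\\')[-1]
        foreach ($user in (Expand-Principal $id)) {
            [pscustomobject]@{ Path = $path; User = $user; Via = $id; Rights = $ace.FileSystemRights; BroadGrant = $isBroad }
        }
    }
}

$findings | Sort-Object Path, User | Format-Table -AutoSize
# Rows with BroadGrant=True are ACL defects to fix, not users to onboard into PAM.
```

Running this before PAM onboarding keeps the scope honest: the list of data-privileged users should be short enough to review by name, and if it is not, the access model needs fixing first.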

5. Understand Which AD Accounts are Frequently Locked Out

High numbers of account lockouts in Active Directory can derail your ongoing Privileged Access Management activities. They need to be investigated, as they can be damaging to both business continuity and security. Before you fully commit to your PAM project, ensure you have a way of identifying and troubleshooting Active Directory account lockouts.
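Identifying and troubleshooting lockouts comes down to two questions: which accounts are locked now, and which account/host pairs keep producing lockouts. The added example below (not from the original post or from Lepide) answers both from the PDC emulator, which records a 4740 event for every lockout in the domain. It assumes the RSAT ActiveDirectory module, read access to the PDC's Security log, the 'Audit User Account Management' subcategory enabled, and the privileged-account CSV path from the first step (an assumption).

```powershell
# Added example (not from the original post): account lockout summary from 4740 events on the PDC emulator.
# Window and the privileged-account CSV path are assumptions.
Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-7)
$pdc   = (Get-ADDomain).PDCEmulator
$privileged = @()
$privFile = 'C:\PAM\privileged-accounts.csv'
if (Test-Path $privFile) { $privileged = (Import-Csv $privFile).SamAccountName }

# Accounts that are locked out right now
Search-ADAccount -LockedOut -UsersOnly |
    Select-Object SamAccountName, LastLogonDate, LockedOut | Format-Table -AutoSize

$events = Get-WinEvent -ComputerName $pdc `
    -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    $f = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Account    = $f['TargetUserName']
        # In 4740 the "Caller Computer Name" (where the bad passwords came from) is carried in TargetDomainName
        Source     = $f['TargetDomainName']
        ReportedBy = $f['SubjectUserName']   # DC that requested the lockout
    }
}

$summary = $lockouts | Group-Object Account, Source | ForEach-Object {
    $first = $_.Group[0]
    [pscustomobject]@{
        Account    = $first.Account
        Source     = $first.Source
        Lockouts   = $_.Count
        LastSeen   = ($_.Group | Sort-Object Time -Descending)[0].Time
        Privileged = $privileged -contains $first.Account
    }
} | Sort-Object Lockouts -Descending

$summary | Format-Table -AutoSize
# One account repeatedly locked from one host is usually a stale credential (service, scheduled task,
# mapped drive); one account from many hosts, or any Privileged=True row, warrants an incident look.
```

The `Source` column is the troubleshooting lead: it tells you which machine to inspect for the cached or stored credential, and a lockout source that is a domain controller or a gateway usually means the real origin sits one hop further out.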

A Solution to Complement Your Privileged Access Management (PAM) Project

To ensure that your Privileged Access Management (PAM) project is successful, you will likely need to deploy a Data Security Platform either before you start or in conjunction with your PAM solution. When choosing which Data Security Platform suits your environment you need to make sure that it has the ability to address each of the points listed in this article.

As it happens, we have a solution that can help. LepideAuditor is a Data Security Platform that perfectly complements PAM solutions. If you want to see how we can help you complete a smooth PAM implementation, take a demo of LepideAuditor today.
