Highlights from “CISO Perspectives on Privileged Access Management” #GartnerIAM

Earlier this week, Idenhaus attended the 2018 Gartner IAM Summit in Las Vegas. #GartnerIAM is one of the most attended annual conferences for Identity & Access Management professionals. After last year’s event, we shared 6 Highlights from Gartner IAM Conference 2017. This year, we wanted to highlight one session that stood out in particular, “Panel Discussion: CISO Perspectives on the PAM Journey”.

Considering new use cases such as cloud, DevOps and IoT, organizations must transform their static Privileged Access Management projects into dynamic PAM programs that enable agility, growth and innovation. This interactive panel discussion will be for everyone – from those just beginning their journey to leaders looking to fine tune a sophisticated deployment.
BeyondTrust: Panel Discussion: CISO Perspectives on the PAM Journey

The session provided applicable information on best practices for a Privileged Access Management (PAM) solution roll out, as well as insightful lessons learned. Privileged access management is about providing controls in your IT environment to manage who can administer systems. The idea is that this solution provides formal controls to limit who has privileged access, but also what those users are able to do with that access. Having good controls in place won’t eliminate the risk, but will greatly minimize the risk.

The panelists for “CISO Perspectives on the PAM Journey” were:

  • Edward Panzeter, Sr. System Engineer, Universal Health Services
  • Tyler Mullican, AHS
  • Mike Freeman, Cybersecurity Manager, Sentara Session Gartner

Key Business Drivers for Privileged Access Management:

  • Failed audits (e.g. local admin accounts on workstations, and the like)
  • Security Assessments – Inability to effectively manage identified Use Cases
  • Improved security posture
  • Risk Management

Imperative to Prioritize Initiatives to Manage Change 

  • Think about risk-based methodology, what are the highest risk parts of the organization
    • Implement high impact, low risk initiatives first
    • Password management is the most frequent ‘quick win’ initiative
  • Evaluate Initiative against the likelihood it will disrupt the business
  • Begin with small wins until you build confidence in the organization, which allows the culture to change with the new PAM processes

PAM Best Practices/Key Takeaways:

  • Make sure that change to the business units has minimal impact and is rolled out slowly
    • Organizations can only take so much change, so it needs to be phased properly
  • Security is a disruptive field and changes the way the business operates (processes/workflows)
  • Use Project Management Best Practices to break the project down into manageable chunks
  • Get executive buy-in first and then educate the organization about the initiatives and why they are important
  • Rely on PMO to coordinate communications.
  • Find Subject Matter Experts who can be Project Champions –
    • SMEs know who to go to, who the stakeholders are, and where the challenges lie. They make it easier to build trust and collaboration across the business units/stakeholders
    • SME support is not a part-time job.

11 LESSONS LEARNED FROM PRIVILEGED ACCESS MANAGEMENT PROJECTS

  1. Roll out training on a module-by-module basis so the learning comes with the use of the tech
  2. Privileged Access Management is not disruptive to the Admins that use it, but organizationally it creates a whole new way of thinking that puts security first.
  3. As organization starts to shift how they operate, application owners start coming with new ideas on how to add security
  4. As Admins adopt the tools and get comfortable with them, they will identify other accounts
  5. Choose a seasoned staff member that is trusted to build a bridge to stakeholders
  6. PMO integrated to communicate issues, identify blockers, and manage progress (manage and track to milestones)
  7. Application teams is a good candidate for the Pilot
  8. Cultural awareness and understanding – formal training sessions as part of the roll out.
    • Why are we doing this? Security, Regulatory Compliance, Protecting Information, Protecting the company
    • How are we going to roll it out? Stress that not trying to take anything away from the Admins, just trying to make it more secure
  9. Identify internal SMEs to guide the implementation process and where you will need external services providers. Dynamic between internal & external is important
  10. After implementation, the next component of success is reporting.
    • Identifying key reports
    • Present to execs in digestible format
    • Make sure the reports are customized for the organization
  11. Every time you present a report is an opportunity to teach the business and help them to understand security and why PAM is important.

Privileged Access Management solutions provide a level of protection that makes it more difficult for internal and external users to exploit vulnerabilities for nefarious purposes. The successful implementation of a PAM solution is more than just installing a new technology; it requires communication, training, and a change in organizational culture. The experiences shared by this panel are surprising, in that they emphasize the importance of change management and developing a ‘security culture’ over the technical implementation itself. 

Were you at #GartnerIAM 2018? Which session did you find the most interesting, and why? I’d be pleased to hear your thoughts below.

 

Follow @Idenhaus on Twitter and subscribe to our biweekly newsletter.


An IAM Assessment is a quick, expert evaluation of your environment that identifies and addresses the most common issues organizations face when implementing a solution.

This is ideal for organizations that:

  • Are struggling to get their IAM solutions deployed
  • Have a misalignment between their processes and technology
  • Have an immature IAM solution with too many workarounds
  • Companies that want to accelerate their IAM programs

Click here to learn more about the IAM Assessment.

Share

Leave a Reply

Your email address will not be published. Required fields are marked *