Access security: why PAM should come before IAM
Identity and Access Management (IAM) projects are all the rage at the moment. This is understandable, since digital ecosystems are expanding and the number of applications (like GSuite, Office 365 and Slack) just keeps on growing, so the consolidation of access to the applications from different sources under one roof increases security and productivity.
In contrast, Privileged Access Management (PAM) is often seen as an extension to IAM. PAM users are a much smaller group of people, consisting of, for example, system administrators, security architects, 3rd party IT consultants or software engineers. There’s a reason they are often called superusers: they not only use applications governed by IAM, but also access a company’s digital lifeblood, such as the network infrastructure, credit card databases or the company’s intellectual property.
While PAM and IAM are both important, when you are prioritizing your projects, we think PAM should come first. Here are six reasons why.
1) PAM users set up your IAM and domain controls
Privileged accounts exist on the systems before anything is even deployed. They also exist there throughout the lifetime of the system.
In fact, privileged users control how your IAM, domain controllers or Active Directory are set up, so that alone should tell you how important it is to ensure that their actions are tracked and accounted for appropriately.
Setting up IAM is one of your most important projects, so you should make sure that those who actually implement the project can be successful in their tasks and that everything’s done by the book.
2) Privileged access is the gateway to sensitive and business-critical information
Since the number of people governed by IAM systems outnumbers those controlled by PAM software, it might seem logical to think IAM is more important. But consider this. The more restricted and heavily guarded the information is, the bigger the impact tends to be if it is seen by the wrong people, is leaked or gets misused.
That is why you need to know who has the privilege to access that information. Since PAM users have the power to change your network infrastructure, update critical databases or set up IAM systems, it doesn’t get more privileged than that.
Wouldn’t you like to ensure that you get a solid audit trail of such access every time and that no one walks away with credentials that open a connection to your mission-critical data?
3) PAM can speed up the completion of your IAM project
How fast and well your 3rd party consultant or in-house superuser configures your cloud environment might have a direct impact on how efficiently your staff or your customers are able to use a number of your digital services.
We conducted a survey among 625 IT professionals all over the world. The results demonstrate that the majority of respondents say they experience roadblocks when accessing or configuring access to assets in multi-cloud and hybrid environments. You can download the full report, called Re-Thinking Privileged Access Management in the Age of Hybrid Cloud, here, but some of the most common roadblocks include:
- 34% - configuring access
- 30% - repeatedly logging in and out
- 29% - granting access to other users
- 25% - waiting for access
- 23% - hopping between consoles
All these roadblocks can be removed with a great PAM tool. It makes sense to have your superusers highly productive even before IAM adoption: the faster your admins work, the faster your identity project is completed as well.
4) Vendor-agnostic PAM integrates with any IAM
As part of an IAM project, companies often realize they need to categorize their employees into groups for their IAM to work efficiently, if they haven't done so already. Individuals associated with these groups then get access to different tools based on their roles. This removes the burden of granting entitlements per individual each and every time.
In contrast, privileged access has always been role-based: you define the role of a system admin, Linux admin or software developer. Then, you define the level of privilege for the role, link the right individuals to the role and grant access based on the role.
By using role-based access controls (RBAC), it is easy to integrate privileged users into an IAM solution and then provide a consistent user experience, regardless of whether the privileged user requires IAM-level or PAM-level access. For superusers, PAM is simply another application that is available only to them.
Moreover, proper integration eliminates the need to maintain separate directories for IAM and PAM users, since the individuals and their authorizations are hosted in IAM, but their roles and privileges in PAM.
At least some of the most advanced PAM solutions do this type of integration automatically.
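To make the integration model above concrete, here is an added illustration (not SSH.COM's or PrivX's code): the IAM side holds identities, their group memberships and whether the account is still active, the PAM side holds role-to-privilege mappings and the group-to-role link, and every access decision is made deny-by-default and written to an audit trail. All directory entries, hosts and role names are constructed for the example.

```python
from fnmatch import fnmatch
from datetime import datetime, timezone

# Constructed IAM directory (hypothetical): IAM owns the person, their group
# memberships and whether the identity is still active.
IAM_DIRECTORY = {
    "alice": {"groups": {"linux-admins"}, "active": True},
    "bob": {"groups": {"developers"}, "active": True},
    "carol": {"groups": {"linux-admins", "dba"}, "active": False},  # offboarded
}

# Constructed PAM data (hypothetical): a role carries the privilege, expressed
# as (target host pattern, privilege level); IAM groups are linked to roles.
PAM_ROLES = {
    "linux-admin": {("prod-web-*", "shell"), ("prod-web-*", "sudo")},
    "developer": {("dev-*", "shell")},
    "dba": {("prod-db-*", "dbadmin")},
}
GROUP_TO_ROLE = {"linux-admins": "linux-admin", "developers": "developer", "dba": "dba"}

AUDIT_TRAIL: list[dict] = []  # every decision, allowed or denied, is recorded


def roles_for(user: str) -> set[str]:
    """Resolve PAM roles from IAM group membership. An unknown or inactive
    identity yields no roles, so deprovisioning in IAM is enough on its own."""
    identity = IAM_DIRECTORY.get(user)
    if identity is None or not identity["active"]:
        return set()
    return {GROUP_TO_ROLE[g] for g in identity["groups"] if g in GROUP_TO_ROLE}


def authorize(user: str, target: str, privilege: str) -> bool:
    """Deny by default: allow only if some role grants `privilege` on a host
    pattern matching `target`. The decision and its rationale are logged."""
    roles = roles_for(user)
    granting = sorted(
        role for role in roles
        if any(fnmatch(target, pattern) and level == privilege
               for pattern, level in PAM_ROLES[role])
    )
    AUDIT_TRAIL.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "target": target, "privilege": privilege,
        "roles": sorted(roles), "granting_roles": granting,
        "decision": "allow" if granting else "deny",
    })
    return bool(granting)
```

Because the identity and its active flag live only in IAM, disabling carol there removes her PAM access without touching a second directory, and the audit trail still shows which role, if any, justified each decision.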
Moreover, we believe that the IAM you use should be your choice. In fact, it doesn't matter how many IAMs you use: our PAM can handle them all. You are welcome to partner with any IAM vendor you like, but one of the vendors we can recommend is OneLogin.
5) Regulations demand that your IAM project is accounted for
Privileged users need to access databases that contain sensitive, personally identifiable or business-critical information. This is why understanding who has access to this type of information, why, with what level of privilege and when is not optional: it is mandated by regulations such as the General Data Protection Regulation (GDPR), the Sarbanes–Oxley Act (SOX) or the Payment Card Industry Data Security Standard (PCI DSS), to name a few.
You should take aspects like compliance, proper Segregation of Duties and the principle of least privilege into consideration during your IAM setup phase.
6) You mitigate risks in the hybrid cloud
Let’s look at some facts based on the 2020 Verizon Data Breach Investigations Report (DBIR). Over 40% of all error-related breaches involved misconfigurations. This comes as no surprise, since the cloud is complex. A typical example is a system admin or other privileged user setting up a datastore in the cloud and forgetting the security measures that protect the data from unauthorized privileged access.
Credential theft is also a big problem in the cloud. According to the DBIR, web application breaches doubled to 43% compared to the previous year, and stolen credentials were involved in over 80% of these cases. Cloud assets were involved in nearly a quarter of all breaches, of which 77% involved breached credentials.
Ensuring proper access controls and a smooth user experience for your most critical user groups increases the overall security posture of the company. While setting up your IAM, reducing complexity in your environment makes it easier for privileged users to do their job properly. This not only increases productivity, but significantly decreases the risk of misconfigurations.
7) PAM can be set up faster
PAM solutions come in all flavors but the best of them are fast to set up. I’m not going to mince words here: our lean PAM solution, PrivX, can be up and running within a few days. IAM projects are more complicated because they involve more moving parts. Why would you wait for the completion of your IAM project before you streamline your superuser access and make sure your most critical information is handled properly?
Make sure that administrators are productive from day one of your project. The goal is to make IAM and PAM work in unison but make no mistake: start with your PAM. In the meantime, check out the short 2 min video that captures the idea behind PrivX.
Currently employed by SSH.COM as Product Marketing Manager, Jani is a mixed-marketing artist with a strong background in operator and cybersecurity businesses. His career path of translator -> tech writer -> marketer allows him to draw inspiration from different sources and gives him a unique perspective on all types...