Over the past couple of years, it’s been very satisfying to see the increased coverage for Privileged Access Management (PAM) from the industry analyst community. This was evidenced in December 2018 when Gartner published its first Magic Quadrant for Privileged Access Management, a clear sign that market maturity had reached a point where it warranted its own MQ.
Since the beginning of 2019, Gartner has continued to build its PAM coverage out considerably, and with increasing emphasis beyond basic password vaulting. The core PAM team at Gartner has rolled out a series of research notes and reports that provide a comprehensive primer for Identity and Access Management (IAM) Leaders as well as Security & Risk Professionals to learn the basics of PAM, move on to best practices for PAM, and then drill down into specific tactics to enforce and support a least privilege approach.
Below, we have provided short synopses of three reports, available to you with complimentary access from Centrify.
IAM LEADERS’ GUIDE TO PRIVILEGED ACCESS MANAGEMENT
Gartner has provided an excellent summary of what PAM is, and outlines the difference between Access Management, Identity Governance and Administration (IGA), and Privileged Access Management (PAM). This report highlights where PAM can help organizations provide secure access to critical assets for privileged users, and meet compliance requirements related to securing, managing, and monitoring privileged accounts.
This Gartner report summarizes PAM tools for a range of use cases, how to use PAM to manage privileged services and machine accounts, as well as how to secure third-party external privileges and remote administrative access. It then looks at how digital transformation is creating new attack surfaces, such as DevOps and Cloud, and where PAM can help reduce risk.
BEST PRACTICES FOR PRIVILEGED ACCESS MANAGEMENT THROUGH THE FOUR PILLARS OF PAM
As organizations look to capture the value to be gained from transformative technologies like the Cloud, DevSecOps, containers, and microservices, they are also adding massive complexity to their IT estate. This report from Gartner states that, “Identity and access management leaders often lack a comprehensive understanding of all PAM use cases across the enterprise, including new challenges for PAM coming from companies moving to the cloud.”
As IAM Leaders gain a greater understanding of PAM, they can move on to best practices that can get the organization on the path to PAM maturity. The report highlights key challenges and recommendations, and how to leverage your current InfoSec program as the foundation for PAM policies, processes, and procedures. Then it outlines Gartner’s Four Pillars of PAM, and the 5 W’s of Privileged Access (Who, When, What, Where, and Why).
REMOVE STANDING PRIVILEGES THROUGH A JUST-IN-TIME PAM APPROACH
As organizations continue along a PAM Maturity model, they will want to move beyond the “basics” of PAM and adopt a stronger posture based on a least privilege approach. Least privilege means granting only enough privileged access for only the amount of time needed to complete the task. This is often referred to as Just Enough, Just-in-Time (or JIT) PAM.
This report specifically focuses on JIT PAM, outlining the various key challenges that this approach can address, including ensuring that privileges are only granted when a valid reason exists. It also looks at how organizations can reduce the number of privileged accounts that are “fully armed” and overprivileged, which can be addressed with Just Enough access. The goal, Gartner points out, is to have zero standing privileges (ZSP).
Centrify’s PAM Maturity Model aligns well to these recommendations. First, don’t leave your organization in the “Danger Zone” where you are doing nothing to secure and manage privileged access in your organization. At the very least, try to get to the first phase where you discover all machines and vault away shared and admin passwords. Then move on to more of an Identity-Centric approach to PAM based on least privilege, focused on consolidating identities, establishing alternate admin accounts, enforcing MFA, and enforcing Just Enough, Just-in-Time access. Finally, an organization with a truly mature PAM posture will harden the environment with high assurance, centralizing service management accounts, using host-based auditing, vaulting secrets, and enforcing a higher NIST assurance level for MFA.
I hope you enjoy these three Gartner reports. If you are interested in trying any of our Identity-Centric PAM solutions, be sure to visit our Trial Center.
This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.