Implementing identity and access management (IAM) first can supply several of the procedures needed for the roll-out of privileged access management (PAM).
Speaking at the Gartner Security and Risk Management Summit in London, Alan Radford, technical director of One Identity, and a representative from a European IT service provider, who was speaking off the record, discussed the implementation of PAM at the provider. They said it came after the company found that more developers had access to customer data than expected, “and with 500 IT admins we want to know what is going on, and who has what privilege and when and how they are using them.”
The speaker said that when choosing what to implement, it is important to decide whether to start with IAM or PAM, as there are benefits to both, “and it makes sense for you to do IAM first and procedures can then follow on PAM.”
Radford asked whether, if an organization has neither PAM nor IAM, PAM can be a stand-alone technology. The speaker said that while PAM is not a stand-alone technology, “by having systems in place and accountability decentralized, in a sector where we are regularly audited internally and by the FCA,” the technology enabled the company to document its activities and controls.
They also said that “segregation of duties is a key element in IAM,” as a developer should not be able to push a project into production, “but may be allowed in an incident to fix stuff,” and that requires knowledge of how segregation of duties is implemented.
Looking at provisioning users, the speaker said that the IAM process should make it easy to join, switch parameters, enroll users and switch back. “You’re not introducing a new system, it’s a new project.”
They recommended figuring out what information you can use from IAM into your PAM integration “and figure out what you have under the hood in the company, and know who is responsible.”
Speaking to Infosecurity, the speaker said that you have to be aware that you are not introducing a system, you are introducing procedures, and you will hit the organization with a new way of working, “and this is a way of getting out of the project paradigm.”
The speaker said it is not like shifting from on-premises Outlook to Office 365; this is moving from something you were not doing to something you are. “That is not a project, that is introducing new ways of working and procedures that need to be followed, it is an ongoing thing, so you need to think about having a team to support that,” they said.
Asked whether he sees many IAM and PAM procedures not being reused, Radford said that you “cannot achieve true governance without encompassing all of your privileged access and all of your end user access, and understanding what the difference is between the two for your company.”