Privileged Access Management: Enabling the Business and Managing Risk

In a recent blog, Risk Management: A Holistic Approach, a number of critical and foundational risk-based strategies were analyzed and several approaches to strategic risk management were discussed. Several of these strategies focused on the complexities of managing user access, and on the access risks that arise from the varied needs of business and support team members. These access risks are commonly introduced by the need to perform critical business and support activities such as:

  • Troubleshooting system and process issues
  • Providing backup support for an individual
  • Performing sensitive or critical activities that need to be monitored
  • Performing mass updates
  • Day-to-day application support
  • System development activities

These activities create challenging scenarios for many organizations, often resulting in compliance and governance gaps that are difficult to resolve. Many organizations have turned to Privileged Access Management (PAM) solutions to assist in this area.

What is Privileged Access Management?

In its simplest form, Privileged Access Management (PAM) is a process that enables business and technology users to temporarily gain system access that differs from their day-to-day access. In some cases, Privileged Access Management can be implemented as a highly manual process consisting of a number of email notifications, a manual review of system logs, and perhaps a few phone calls. However, in today’s digital age, several solutions are available to streamline and automate Privileged Access Management needs. These solutions typically provide automated logging to track usage and the activities performed with the elevated access. PAM tools typically deliver these logs and reports to system and business leadership to provide a detailed accounting of the activities performed while the elevated account was in use. Some of the key features of a PAM tool include:

  • Ability to “check out” or request temporary access to an ID or role
  • Ability to automatically terminate temporary access after a defined period
  • Ability for a user to request elevated or privileged access
  • Automated workflows to capture approvals for using elevated or privileged access
  • Data extraction from applications to generate a list of transactions or activities performed
  • Ability to show a reviewer before and after values for fields or data changes
  • Automated workflows to capture review and approval from designated reviewers
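The feature list above describes a mechanism: a pre-authorized user checks out a privileged ID for a bounded window under a separate approver, every change made with it is recorded with its before and after values, and the access is terminated automatically when the window elapses. The Python model below is an added illustration of that flow in miniature; it is not code from any PAM product mentioned on this page. The ID name FF_AP_SUPPORT, the user names, the four-hour policy ceiling and the incident reference are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set


@dataclass
class AuditEvent:
    when: datetime
    privileged_id: str
    actor: str
    action: str      # CHECKOUT, CHANGE, CHECKIN, AUTO_TERMINATE, CLAMPED, DENIED
    detail: str


@dataclass
class Checkout:
    privileged_id: str
    requester: str
    approver: str
    reason: str
    issued_at: datetime
    expires_at: datetime
    returned_at: Optional[datetime] = None


class FirefighterBroker:
    """Brokers time-boxed check-out of privileged IDs and keeps an append-only audit log."""

    def __init__(self, eligible: Dict[str, Set[str]], max_duration: timedelta,
                 clock: Optional[Callable[[], datetime]] = None):
        self.eligible = eligible            # privileged ID -> users pre-authorized to request it
        self.max_duration = max_duration    # policy ceiling for any single check-out
        self.active: Dict[str, Checkout] = {}
        self.audit: List[AuditEvent] = []   # the independent system of record for reviewers
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _log(self, pid: str, actor: str, action: str, detail: str) -> None:
        self.audit.append(AuditEvent(self._clock(), pid, actor, action, detail))

    def expire_overdue(self) -> List[str]:
        """Automatically terminate any check-out whose defined period has elapsed."""
        now = self._clock()
        ended = []
        for pid, co in list(self.active.items()):
            if now >= co.expires_at:
                co.returned_at = now
                del self.active[pid]
                self._log(pid, "system", "AUTO_TERMINATE", f"held by {co.requester} since {co.issued_at:%H:%M}")
                ended.append(pid)
        return ended

    def check_out(self, pid: str, requester: str, approver: str, reason: str, duration: timedelta) -> Checkout:
        self.expire_overdue()
        if requester not in self.eligible.get(pid, set()):          # only pre-authorized users may ask
            self._log(pid, requester, "DENIED", "requester is not pre-authorized")
            raise PermissionError("requester is not pre-authorized for this ID")
        if approver == requester:                                    # approval must come from someone else
            self._log(pid, requester, "DENIED", "self-approval is not allowed")
            raise PermissionError("approver must differ from requester")
        if pid in self.active:
            raise PermissionError("ID is already checked out")
        if duration > self.max_duration:                             # never exceed the policy ceiling
            self._log(pid, "system", "CLAMPED", f"requested {duration}, granted {self.max_duration}")
            duration = self.max_duration
        now = self._clock()
        co = Checkout(pid, requester, approver, reason, now, now + duration)
        self.active[pid] = co
        self._log(pid, requester, "CHECKOUT", f"approved by {approver}: {reason}")
        return co

    def record_change(self, pid: str, actor: str, record: str, field: str, before: str, after: str) -> None:
        """Log a data change with before/after values; only the current holder may act."""
        self.expire_overdue()
        co = self.active.get(pid)
        if co is None or co.requester != actor:
            self._log(pid, actor, "DENIED", f"change to {record}.{field} without an active check-out")
            raise PermissionError("no active check-out for this actor")
        self._log(pid, actor, "CHANGE", f"{record}.{field}: {before!r} -> {after!r}")

    def check_in(self, pid: str, actor: str) -> None:
        co = self.active.get(pid)
        if co is None or co.requester != actor:
            raise PermissionError("nothing to check in")
        co.returned_at = self._clock()
        del self.active[pid]
        self._log(pid, actor, "CHECKIN", "returned before expiry")

    def review_report(self, pid: str) -> List[AuditEvent]:
        """Everything a designated reviewer needs to see for one privileged ID, in order."""
        return [e for e in self.audit if e.privileged_id == pid]


class FakeClock:
    """Deterministic clock so the constructed session can be replayed offline."""
    def __init__(self, start: datetime): self.now = start
    def __call__(self) -> datetime: return self.now
    def advance(self, delta: timedelta) -> None: self.now += delta


def demo() -> FirefighterBroker:
    # Constructed sample: one firefighter ID, two pre-authorized users, a 4-hour policy ceiling.
    clock = FakeClock(datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc))
    broker = FirefighterBroker({"FF_AP_SUPPORT": {"alice", "bob"}}, timedelta(hours=4), clock)
    broker.check_out("FF_AP_SUPPORT", "alice", "carol", "INC-0001 stuck payment run", timedelta(hours=2))
    clock.advance(timedelta(minutes=30))
    broker.record_change("FF_AP_SUPPORT", "alice", "VENDOR/V100", "bank_account", "***OLD", "***NEW")
    clock.advance(timedelta(hours=2))            # the two-hour window has now elapsed
    broker.expire_overdue()
    try:                                         # a change after expiry is refused and recorded
        broker.record_change("FF_AP_SUPPORT", "alice", "VENDOR/V100", "bank_account", "***NEW", "***X")
    except PermissionError:
        pass
    return broker


if __name__ == "__main__":
    for e in demo().review_report("FF_AP_SUPPORT"):
        print(f"{e.when:%H:%M} {e.action:<14} {e.actor:<7} {e.detail}")
```

The points a reviewer would care about are all in the log rather than in the requester's hands: who approved, when the window opened and closed, what changed and from what value, and any attempt to act outside an active window. Keeping that log in a component the privileged ID itself cannot edit is what makes it usable as the independent system of record for the review and approval workflow.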

Why implement Privileged Access Management?

In today’s increasingly digitized business world, a greater degree of flexibility and a decentralized ability to respond to issues and make informed decisions are more critical than ever. A robust Privileged Access Management solution and program can help enable knowledgeable users in critical process areas such as supply chain, finance, accounting, and IT to take ownership of key solution support and process needs. Privileged Access Management solutions enable organizations to support the solution effectively in a manner that often satisfies even the strictest compliance and governance needs, while also reducing operational risk within the solution and the overall landscape.

Additionally, over the last year organizations have faced unprecedented challenges to continue operating effectively in the midst of a pandemic, with much of their workforce operating remotely. Fully implementing strong PAM processes and robust PAM solutions has enabled numerous organizations to continue operating effectively and efficiently, while remaining tightly controlled and compliant as their workforce continues to work remotely.

Where to begin when implementing a Privileged Access Management Solution?

Organizations often struggle with the development of the initial approach and overall usage strategy for PAM tools. In many cases, they simply deploy the solution without clear guidelines outlining the key processes and procedures that will support the long-term integrity and sustainability of the PAM solution. These organizations often find themselves perpetually struggling with a PAM deployment that never seems to get off the ground. In the initial deployment of the PAM solution, organizations should clearly outline the following:

  1. Appropriate Use – The initial strategy should outline the use cases, circumstances and team members that should be using the PAM solution. Ultimately, the appropriate use of the PAM solution should align with and enable the compliance and governance needs of each organization.
  2. Ownership & Stewardship – The initial strategy should outline the business and technical leadership responsible for reviewing the logs and the overall use of the PAM solution.
  3. Timing & Communication – The initial strategy should outline the time frame within which business leadership must review the system logs and the activities performed through the PAM solution.

The definition of a robust strategy and guidelines to manage usage of the tool will increase the effectiveness of the initial implementation and help to lay the foundation for a lasting PAM deployment.

What types of access should be included in a Privileged Access Management solution?

All ERP systems and business applications contain sensitive permissions and processes that require tight control and oversight. When implementing a PAM solution, these permissions and accesses should be assessed and prioritized based on the compliance and governance needs of each organization. The most critical processes and accesses should be considered for inclusion within the PAM tool. Additionally, these sensitive and powerful permissions should only be granted to the users who require them. Limiting access to the appropriate set of users further reduces the risk of inappropriate use, helps to avoid over-use, and avoids placing an unnecessary burden on the team responsible for reviewing PAM usage.

It is important to keep in mind that excessive use of elevated access may produce too many logs and require burdensome reviews. The needs of the business must be carefully considered when defining and rolling out a process for super users; at the same time, process owners and managers still have day-to-day work to do and cannot be bogged down with numerous and massive activity logs to review. Therefore, striking a balance between control and enablement is essential.

Potential Privileged Access Management solutions

There are a substantial number of tools available to meet Privileged Access Management needs. These solutions often address different use cases: some are built for specific applications or platforms, while others are built for enterprise-wide use across many different applications. Selecting the right one depends on a number of factors, including the business applications in scope, where those applications are hosted, and the overall scope of the organizational need for the solution.

One of Altum’s partners, SafePaaS, offers a Privileged Access Management tool called FireFighter ID. FireFighter ID is provided as a central component of SafePaaS’ AccessPaaS™ application suite. FireFighter provides a robust set of processes, including PAM ID request, PAM ID check-out, PAM ID check-in, and a log review process that enables the business to efficiently review the activities performed using a PAM ID.

How does SafePaaS’ FireFighter ID tool work?

SafePaaS’ FireFighter ID is built around a secure process for controlling privileged user access across multiple systems, with an independent system of record that provides an audit trail for privileged access. SafePaaS enables pre-authorized users to request temporary access to elevated privileges in an organization’s business applications. The enhanced FireFighter request processing enables system administrators or managers to grant immediate access to pre-approved users who have been assigned firefighter access, without bottlenecks. The elevated access is logged and reported for management review.

Lastly, for many organizations, developing a well-governed process and selecting and implementing an ideal software tool is challenging. Altum Strategy Group specializes in assisting its client partners to select software, define and build governance programs, implement technical solutions, and manage the process that supports and enables deployments that are successful for the long term. Altum also partners with industry-leading solution providers, such as SafePaaS, to combine best-in-class solutions with best-in-class deployment and process enablement.

Please feel free to contact Altum Strategy Group, contact@altumstrategy.com, or SafePaaS, emma.kelly@safepaas.com, to find out more.
