cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Californian
Viewer III

Privelege Access Management

I have been asked to looked at Privelege Access Management for my organization. Any help or thoughts keep me posted.

5 Replies
Tim_ISC2
ISC2 Team

(ISC)2 ran a Security Briefings webcast that focused on this subject that you can find here - https://www.isc2.org/en/News-and-Events/Webinars/Security-Briefing?commid=225465

 

Additionally, we ran an E-Symposium on "Getting to Know You - Consumers and The Identities" in August (you can find here) - https://live.blueskybroadcast.com/bsb/client/CL_DEFAULT.asp?Client=411114&PCAT=7540&CAT=10703 (Note: have to be an (ISC)2 member to access).

 

And we have an upcoming webinar on December 7th on the topic - Privileged Access Management in a DevOps Environment - https://www.isc2.org/en/News-and-Events/Webinars/Security-Briefing?commid=282043

txlincoln
Newcomer II

Looking at the topic now. My advice is make sure your processes are really solid or it will only be big hinderance to getting work done. Also for segementation reasons I am leaning towards vendors that can offer me a device to put in my data center.

Robert
Newcomer II

In an agent based system don't underestimate the overhead of maintaining the connection to the master. In a busy enterprise you can quickly find yourself with orphaned agents.

Define a lifecycle for PAM processes and size the team correctly.
SemperFi_guy
Newcomer I

I think there are a few items that you need to focus on when you are looking at a privilege access management (PAM) solution. 

 

  1. Scope of the project (what problems exist today and tomorrow that you are trying to resolve)
    1. Is this a solution for window, database, UNIX/Linux, on-prem or cloud offering (public or private).
    2. Timeline
    3. Executive backing (this is critical,  introducing change is typically challenging and without executive backing you will stall in your deployment).
    4. Are you looking for best in breed technology or one product to do everything.
  2. What are the integration points within your environment
    1. What is your identity source: AD, IDM, LDAP, etc?
    2. Will this solution be required to integrate with your event management solution or SIEM solution?
    3. Should the product offer an API interface for integration with ticketing system, etc?
  3. Beware of ala cart vendors (vendors that offer low price to get in the door but then nickel and dime you to death for each and every feature they offer)

 

 

txlincoln
Newcomer II

Excellent point about ala cart vendors.