Risk-Based Prioritisation Drives Effective PAM Programme
Driven by an external audit that exposed a privileged-access risk, an investments client had launched a privileged access management (PAM) programme. Its main activity was the rollout of CyberArk, a well-known PAM tool. Two years in, the client was still struggling to realise any risk-reduction benefit from the tool, and was also experiencing performance issues and pushback from users.
We see many organisations in this position. They focus on deploying security tooling without considering the control requirements outside the tool itself that are also necessary for effective security. It is important to use an industry-standard control framework, such as the ISF Standard of Good Practice (SOGP) or the CSA Cloud Controls Matrix (CCM), to make sure all the controls needed to secure the assets in scope are implemented, not only those the tool happens to deliver.
The client asked i-confidential to review its approach and provide advice on whether it should continue trying to deploy CyberArk. We were already a trusted advisor to the CIO and wider team, and we have a track record of helping other clients improve their PAM controls.
Using our PAM Capability Model, we reviewed the client’s programme. The review involved a series of workshops with the security team, IT support teams, and the application development teams. We then produced a recommendations report. The holistic view we provided helped our client more clearly understand the control scope needed for an effective PAM programme.
Improvements were proposed based on our best practice, including our privileged account prioritisation method. This helped the client define a risk-based scope for the programme. It could then determine what was affordable to onboard into the PAM tool. Going forward, the client understood the cost vs. risk-reduction impact of onboarding too many accounts and users.
The review identified two fundamental issues the client was unaware of. First, the account scope for onboarding to CyberArk was too broad, which was the direct cause of the performance and usability issues.
The client had too many users in scope who did not require privileged accounts for their roles, and it was trying to onboard a large number of relatively low-risk accounts at the expense of the much smaller set of high-risk accounts (the ones the audit finding was actually about). This drove up the cost and complexity of the deployment for marginal returns on risk reduction.
The second issue was that the programme focused only on the PAM controls the tool itself delivers: password rotation, password obfuscation (users never see the credential they check out), keystroke logging and the like. Other fundamental controls, such as monitoring of privileged activity, periodic recertification of privileged accounts, and multi-factor authentication for privileged access, were not being considered at all.
Prioritising what was onboarded based on risk helped the CIO financially justify continuing the CyberArk rollout, while also freeing budget to invest in the additional PAM controls outside the tool's remit that matter just as much.