Privileged Access Management (PAM) deployment isn’t always successful. And on Reddit, SysAdmins aren’t holding back:
It’s overkill and I hate it
PAM is expensive and difficult to implement
I can say that it is hot garbage with every ounce of my soul
Ouch.
But is Privileged Access Management itself the problem? Or is the issue more to do with the way it’s being used? At Heimdal, we’ve seen many companies have enormous success using the technology when it’s deployed the right way.
Arguably, the underlying causes of frustration are PAM deployment mistakes. Many firms (and resellers) make common errors when integrating Privileged Access Management solutions into their environments. Unsurprisingly, they end up disappointed.
In this blog, you’ll learn about:
- The key challenges with Privileged Access Management
- Seven common PAM deployment mistakes
- Tips for more successful PAM rollouts
The PAM deployment challenge
Privileged Access Management provides organizations with a practical, sensible and effective method of controlling what administrators and other privileged users can do. A PAM solution lets you set limits to what privileged users can do, monitor and audit their activity, set time limits for them to make changes, and so on.
Yet while PAM is a useful technology, it often runs into deployment problems. According to one recent study:
- The average IT team only uses 62% of their PAM’s functionality
- 68% of IT managers says their PAM solution is too complicated
- 56% of IT teams have tried to deploy PAM but then never fully completed the rollout
Now, there are many reasons why PAM deployments might not work out – and software creators need to bear some of the responsibility. Not all PAM solutions are easy to use.
But the way people deploy the technology and their expectations for PAM are also an issue. As we’ve said before, the most common issues with PAM products “are related to misconfigured settings or misunderstanding of the way the product is intended to work”.
To overcome Privileged Access Management frustration, it’s valuable to learn about common PAM deployment mistakes – and how to avoid them.
PAM case study
Despite its challenges, PAM has plenty of benefits too, as Flemming Thøgersen of retail firm JYSK, explains: “[Without Privileged Access Management] compliance with data protection standards and security would be more difficult… [Also] our IT staff would be much busier and much more worried if they had to pay attention to everyone’s rights and manually escalate them. It would certainly be a rough time”.
7 common PAM deployment mistakes
Many organizations run into issues when rolling out PAM solutions. Here are seven of the most common PAM deployment mistakes.
1. Limited or non-existent PAM planning
One of the most common PAM deployment mistakes that organizations make is related to poor planning.
Mistake: All too often, companies expect PAM to be a ‘one and done’ style installation – a bit like deploying a firewall or antivirus. However, the reality is that PAM is more like an ongoing program of work. Rollout across organizations tends to be incremental, policies need to be adjusted over time, access controls need to be tweaked.
Consequences: Often, the Privileged Access Management solution only gets partially rolled out. Admins may be able to bypass the PAM, and some kinds of business technology (e.g. cloud-based SaaS apps) don’t get fully covered. As a result, there’s a high chance that you remain exposed to breaches.
How to avoid this PAM deployment mistake
Conduct an extensive and collaborative audit of your access controls. Choose Privileged Access Management software that matches up with your needs. Plan a stage-by-stage rollout, testing often and gathering feedback until your PAM solution is fully deployed across all user groups, services and devices.
2. Failing to communicate about PAM
Implementing PAM without proper user announcements… [means] you might have a riot on your hands
Andrei Hinodache, Heimdal.
Many organizations make the mistake of implementing PAM without adequately preparing their end users – leading to a lot of frustration.
Mistake: Naturally enough, the PAM administrator wants to install this new security technology, close security gaps and enforce strict access policies. They therefore roll the PAM out with little advanced warning.
Consequences: Without adequate preparation, employees who previously had privileged access are suddenly unable to do their work. They may have deadlines to meet or ways of working which are suddenly impossible. Employees resent the imposition of PAM and try to find ways around it – or reject the solution entirely.
How to avoid this PAM deployment mistake
Treat PAM as a collaborative exercise. Set up regular meetings with employees who have admin privileges to:
- find out what rights they have and what rights they need
- make them aware of the coming changes and explain how it will affect their working practices
These meetings are also a good opportunity to explain why and when things will be changing.
3. Incomplete PAM implementation
PAM implementations are awesome for the first 25-30% for [Proof of Concept/Proof of Value at a] small scale but are notorious for slow integrations with the whole environment
Reddit SysAdmin user.
Many organizations fail to deploy Privileged Access Management across their entire environments. This common PAM deployment mistake can have serious consequences.
Mistake: The ‘low hanging fruit’ of a PAM deployment will typically help with controlling access to servers and databases. However, many other kinds of users, devices and software don’t get covered.
Consequences: PAM is only really meaningful if your entire IT estate is covered. All your cloud apps, devices, VPNs and everything else should be subject to the same levels and types of control. If not, you’re leaving a back door open for bad actors.
How to avoid this PAM deployment mistake
Approach PAM as a long-term program. Aim to have at least one employee whose role is dedicated to expanding PAM across your entire IT environment.
4. Failing to remove existing admin rights
One of the most surprising – yet very common – PAM deployment mistakes happens when organizations fail to remove existing admin rights.
Mistake: After spending time and money buying and installing PAM solutions, many businesses allow people to continue using their pre-existing admin rights and controls. There are various reasons they may do this. Sometimes it’s due to push back from staff who don’t want to change, or because organizations believe it’s better to give people time to gradually shift over.
Consequences:
What would you do if you have two options for doing one thing, where one is a brand new option that you might have used only once when training, and one is the option that you’ve known for the past few years? You’re gonna go for the option that you know – because that’s fastest, that’s easiest and that’s most reliable for you
As this quote from Andrei spells out, if you allow people to continue using their old admin rights, they’re much less likely to adopt the new PAM’s way of doing things. Clearly, that leaves you open to all kinds of potential breaches. But it also causes confusion and misunderstandings internally.
https://youtube.com/watch?v=2WuXKhApCaY%3Fsi%3DAkTiILw9wrHtXwka%26enablejsapi%3D1%26origin%3Dhttps%3A
How to avoid this PAM deployment mistake
While deploying PAM should be collaborative, you also need to enforce the change too. Give people adequate training so they understand how to use the new technology. Use change management techniques to ensure they comply.
It’s also valuable to deploy an easy-to-use PAM solution like Heimdal’s PASM, which makes things much simpler when it comes to adoption.
5. Not factoring in sensitive exceptions
At the risk of appearing to contradict the last point, sometimes you need to allow for sensitive exceptions when rolling out a PAM solution. This is particularly the case for non-human, legacy technology that needs privileged access to certain servers or databases – but which can’t easily be managed with a PAM solution.
Mistake: In their enthusiasm to deploy PAM solutions, administrators take a blanket approach to access management – and fail to take into account special cases and exceptions.
Consequences: Certain kinds of business technology (particularly legacy software) will need access to your servers or databases. But if your PAM is regularly rotating passwords, those access rights will soon be disabled. For certain IT systems, this can prevent them from doing essential work.
How to avoid this PAM deployment mistake
Oftentimes, the underlying issue here is that organizations have failed to do a complete audit of all users that have admin rights. IT departments may not consider non-human services which require access to key systems. A comprehensive mapping process – which involves getting input from many different departments – should help avoid this sort of issue.
6. Not automating PAM tasks
At the start of this article, we highlighted quotes from frustrated SysAdmins on Reddit who were disappointed by their PAM. For some, the technology can feel like a whole extra layer of repetitive, time-consuming work.
Mistake: In most organizations with PAM, there will be at least one or two people whose job it is to manage the solution. Unfortunately, many PAM tasks can be highly repetitive, low value and tedious:
- Approving requests
- Onboarding and offboarding privileged staff
- Rotating passwords
- Monitoring activity across a huge number of systems
This is time consuming stuff and is often very dull.
Consequences: Bored, frustrated SysAdmins are likely to start looking for a new job soon. Also, redundancy often leads to losing focus and human error.
How to avoid this PAM deployment mistake
Modern PAM solutions provide you with a wide range of automation features. These will automatically handle many of the most repetitive tasks – saving time and money and improving staff morale.
7. Failing to monitor and adapt the PAM
As your business changes, so will your policies around access and rights. Your PAM needs to adapt to this.
Mistake: Very often, companies treat PAM as a solution, not a long-term program. Even if they manage to roll it out to the entire business, they fail to adapt it to changing circumstances.
Consequences: Your PAM policies may be too restrictive, too lax, or simply no longer fit how your business works. As a consequence, the PAM solution dampens productivity and reduces efficiency.
How to avoid this PAM deployment mistake
As situations change, you should adjust your PAM and its policies. Whether it’s down to M&A’s, company growth, changes in working patterns (e.g. working from home) or changes in cyber threats (e.g. the rise of AI-powered hacking), you need to regularly adjust your PAM solution and policies to mirror changing circumstances.
Get it right: Avoiding PAM deployment mistakes
There are several common PAM deployment mistakes organizations make. Often, they boil down to a lack of clear planning or understanding of what PAM really is – and how it should be used.
The good news is that many organizations have had real successes with PAM deployment. At its simplest, it requires:
- Identifying privileged accounts
- Identifying sensitive assets and data
- Removing unnecessary access
- Implementing modern PAM protections
- Monitoring, auditing and repeating these processes
By learning about common PAM deployment mistakes, you can avoid the pitfalls of Privileged Access Management and experience the benefits this technology can offer.
For a complete, easy to use, and highly effective approach to privileged access, discover Heimdal’s Privileged Account and Session Management (PASM) solution.
Frequently asked questions
Why do companies make PAM deployment mistakes?
There are several reasons companies make PAM deployment mistakes. Sometimes, the responsibility lies with PAM software providers. The tech can be confusing, ‘heavy’, and hard to use. Other times, a PAM solution just isn’t fit for purpose. Finally, customers may not fully understand how to use or deploy PAM effectively.
Why has my PAM rollout stalled?
PAM deployments can often begin well, but rollout slows down after installation on your most used databases and systems. If your PAM deployment has stalled, go back and carry out the privileged accounts, assets and data mapping again. You may find that certain systems, users or software have not been identified. Once you know what’s missing, you can push forward with the deployment.
How common are PAM deployment mistakes?
PAM deployment mistakes are very common. If you’re struggling, you’re definitely not alone. According to one study, 79% of enterprises don’t yet have a mature PAM platform. Many businesses make similar errors when rolling out PAM. But with proper planning and the right PAM tools, you can turn things around.
Source: https://heimdalsecurity.com/blog/pam_deployment_mistakes/