ISACA Journal Author Blog


A Framework to Evaluate PAM Implementation

Richard Hoesl, CISSP, SCF, Martin Metz, CISA, Joachim Dold, Stefan Hartung
| Published: 2/21/2017 9:11 AM | Category: Risk Management

A 2016 study found that 80% of the more than 500 chief information security officers (CISOs) surveyed consider privileged access management (PAM) a significant topic, and a number of them have already implemented dedicated PAM solutions. In general, these solutions pursue the following goals:

  • Keeping the number of privileged access channels low
  • Authorizing, activating and deactivating the usage of privileged access channels
  • Detecting, evaluating, recording and terminating the usage of privileged access channels

Over the course of a variety of implementation projects, we found that implementing PAM is not only a question of technical functionality; a successful PAM solution, in fact, requires a comprehensive framework comprising the following building blocks:

  • Governance
  • Privileged access channel inventory management
  • Privileged users management
  • Control and monitoring

Why is this comprehensive framework necessary? New privileged accounts and privileged access channels are constantly created in today’s fast-changing IT organizations. These channels are the most attractive targets for attackers, and any diligent IT organization must strive to protect them. One important enabler in this effort is technology that allows these channels to be detected; another is appropriate processes to manage and protect them. Governance, in turn, focuses and sustains this technological and organizational effort. Only if governance succeeds in creating a strong security culture can PAM truly succeed. PAM must therefore not be regarded as a tool, but as an integral part of an ongoing organizational effort to increase the security of the organization.

In our recent Journal article, we introduced our framework to enable organizations to evaluate PAM implementations with regard to their completeness and, thus, viability and efficiency.

What are your thoughts about the building blocks, and dos and don’ts of PAM implementations? Questions, recommendations, hints and amendments to our framework are highly welcomed.

Read Richard Hoesl, Martin Metz, Joachim Dold and Stefan Hartung’s recent Journal article:
“Capability Framework for Privileged Access Management,” ISACA Journal, volume 1, 2017.
