Safeguard is now among the top-rated PAM solutions on IT Central Station (ITCS), based on the input of One Identity Safeguard users. We, at IT Central Station, recently published a paper that explores what goes into selecting a Privileged Access Management (PAM) solution based on this customer input.
The Mandate for PAM
What we’ve learned from our visitors is that PAM is more than a technology. Rather, it’s a synergistic collection of practices, policies and tools. Each company does PAM their own way, but the goal is always the same: Establish controls over administrative – or privileged – access to critical systems. Indeed, PAM solutions are essential for effective security and for informed responses to incidents. Without forensic capabilities, it’s difficult to know who did what, when and what went wrong.
Next-generation PAM solutions can help security teams avoid incidents in the first place.
Selecting a PAM Solution
So how do real-world organizations select the appropriate PAM solution? To help, we’ve consolidated the insights of IT Central Station members to highlight their preferred PAM features and capabilities. They stressed basic efficacy along with ease of deployment. Transparency, scalability and ease of use also factored into selection. The latter is important because, if a solution is too difficult to use, it can end up on the shelf.
Basic effectiveness—A PAM solution needs to cover the basics:
- Password and session management
- Privilege delegation
- Session recording
While these seem like obvious capabilities to get with your new PAM solution, many organizations that deployed solutions missing one or more of them came to regret it, while others that selected a PAM solution with these next-generation features found new levels of functionality and security. For example, an Information Security Manager at a financial services firm said, “We went from a state where privileged accounts were being used and not being monitored – or even audited – to our situation now where we are starting to monitor these privileged accounts more closely.”
Ease of deployment—PAM solutions need to be easy to set up. If PAM is overly time-consuming or requires excessive external consulting to set up, it may fail to launch. No IT department volunteers for long, costly and frustrating projects. Praise for ease of deployment thus comes through in many reviews. One user remarked that “the install and deployment are quite rapid.” In this reviewer’s case, the process took just over two days.
Transparency—Ideally, a PAM solution should be transparent. End users should not even be aware that it’s operating. As one user put it, “The transparent mode for privileged sessions is really nice because it keeps the integration quite smooth. Also, users don't have to change the way that they work.”
Operations and automation ready—PAM solutions must integrate with many other systems, such as Identity and Access Management (IAM) solutions, Security Information and Event Management (SIEM) systems, enterprise applications and so forth. Users prefer automated solutions that fit with existing IT operations, e.g. with RESTful APIs for easy integration.
Scalability—IT Central Station members want PAM solutions that scale easily. For instance, an Information Security Manager in the financial sector praised One Identity by saying, “It's very scalable. It doesn't matter what size of organization you have. If you have an organization of 1,000 or 100,000, the product is going to be scalable to your needs.”
Ease of use/management—PAM solutions must be easy to manage. If it takes too many hours to support, the IT team will not be happy. The less administrative effort required, the better. One user noted about One Identity’s PAM portfolio, “It is easy to manage. There is a very logical, clear user interface. Also, the integration of scripts is thoughtfully implemented. Overall, it's a nice product to manage.”
Flexible, consistent approvals—Security managers want a solution that supports flexibility in granting privileged access requests. Access approvals have to be universal for PAM to work as a security countermeasure. If users can get privileged access without a knowledgeable manager verifying that the user should have that level of access, there will be serious risk exposure.