Privileged Access Management: Developing a Reference Architecture for PAM

Author

Doug Simmons – Principal Consulting Analyst

Gary Rowe – CEO, Principal Consulting Analyst

Abstract

A consistent set of well thought out Privileged Access Management (PAM) controls that are aligned with a comprehensive cybersecurity framework is an imperative for most organizations. This enables the automation and enforcement of controls over privileged credentials in any system, platform, or environment. As we’ve worked with our clients in developing IAM/Security strategies and reference architectures, PAM continues to be a top priority, and this will continue for the foreseeable future.

While most organizations at least claim to have a “least privileged access” strategy, the challenges associated with executing on this strategy are not insignificant. No matter how far along you are (or aren’t) in PAM deployment, don’t delay developing a Reference Architecture for PAM, which includes documented business and technical requirements, a comprehensive, defensible set of patterns mapped to existing and required capabilities and, ultimately, vendor solutions. By developing this foundation your organization will be able to select the appropriate vendor(s) and deploy the solution that best fits into your IAM environment and with the appropriate security controls. This process is intended to put your organization in the best position to make vendor choices, to determine your deployment priorities and strategy based on a solid requirements and business; not simply responding to vendor marketing programs and promises.

This report provides a solid framework for developing a PAM Reference Architecture. We review common enterprise requirements for PAM, then describe how to build a Reference Architecture for PAM that can fit well within the context of leading vendor offerings/directions in an effort to help you understand how to match vendor solutions to your needs and how to deploy those solutions thoughtfully and effectively.