I’ve recently had several meetings with journalists and analysts to introduce Osirium and Privileged Access Management (PAM). I always enjoy these discussions as it’s a chance to promote the company and think again about how we tell the story. Generally, these interviewers don’t know the company or the PAM market, so it’s a chance to ensure that the story is told in a way that doesn’t assume too much or get bogged down in jargon.
A frequently asked question is, “What is PAM?” quickly followed by, “Why should anyone care?” This is perfectly reasonable, and the short version of the answer is: PAM is the critical foundation to cybersecurity, which is essential to keeping a business safe and operating.
The discussion often moves on to talk about the changes I’ve seen in the PAM market. For some time now, I’ve been talking about the questions we used to get around “What is PAM?” and more recently, it’s more like “I know we need PAM. Which vendor should I select?”
There’s an evolution of that line of questions: “What can PAM do looking forward? Can it show value to the business and be more than just an insurance policy?”
Here are a few thoughts on this past, present and future discussion of PAM.
The starting point for any history of PAM is very vague. If you wanted to be awkward, you could argue that back in the mainframe days of the mid-20th century, Systems Operators might have had Operating Guide manuals that included administrator usernames and passwords as part of their documentation. Sadly, and remarkably, there are still too many people managing passwords on paper even today.
What might be called PAM evolved out of password and identity management tools over the last couple of decades. It started with groups within the password managers and vaulting systems reserved for system admins. They might have a little more security around them or restricted access because these credentials are so valuable, but they didn’t do much more than that. Indeed, many of today’s Identity Management (IAM) tools still don’t do much more, but they still call it PAM.
What might be called “real” PAM tools started to evolve that added more features around control of privileged credentials, such as monitoring privileged sessions and (more recently) only granting access via privileged accounts as needed (“Just in Time” or “no standing privileges”).
The typical discussion point was, “I have a password management system; why do I need PAM?”
In the last couple of years, that question has largely been answered. Cyber security experts recognise the importance of active management of privileged accounts and who has access to which systems.
Industry and regulatory standards such as Cyber Essentials, Data Security and Protection (DSP) in the NHS, and NIST 800 have all introduced specific requirements for managing privileged accounts.
So, now the questions are about how to implement PAM, not why.
At a superficial level, many PAM solutions look to have similar features. Many have features beyond core PAM, often to address edge case scenarios or fit an Analyst’s opinion. It’s sometimes difficult to focus on what’s important. That’s why Osirium recently published the PAM Buyer’s Guide.
Traditionally, PAM has been seen by many as a blocker to productivity. After all, PAM is intended to stop bad things from happening, but that can make life harder for genuine admins trying to get their work done. There have also been many PAM projects that were over-complicated, tried to cover too many systems in one go, and were expensive. They never delivered on the promised ease of use, so they weren’t fully adopted.
At Osirium, we think the goals of a PAM project should a) be pragmatic and achievable and b) offer opportunities to optimise IT security and operations and be an enabler for digital transformation.
The Buyer’s Guide helps to identify and prioritise the requirements for a PAM solution to ensure project success. It also identifies opportunities to make businesses more efficient.
For Osirium, the admin experience of using PAM should be optimised to minimise the impact on their work and to help them complete work quicker. The Osirium PAM Client includes many features that make it easy for admins to access the systems they need. After all, thousands of systems, services, and devices often need to be managed, so finding the right target system isn’t easy.
From its earliest days, Osirium PAM has not just protected admin credentials but also included automation to accelerate the tasks IT admins must perform every day or week. Indeed, automation was the unique feature that meant Osirium won a Gartner “Cool Vendor” award. To this day, no other PAM system includes secure automation.
With the launch of Privileged Process Automation (PPA), this was taken to another level as many IT tasks involved updating multiple devices or systems. For example, consider how many accounts must be created for a new staff member and removed when someone leaves the organisation.
We’ve just published a case study showing how powerful the idea of safely delegating privileged tasks can be. In the study, account management tasks are delegated to GP practices, improving user satisfaction and security. The same automation could apply to any distributed organisation with remote locations that don’t have local IT staff, such as retail, hospitality, transport and many more.
When the credentials for a connection are managed, privileged sessions only last as long as they’re absolutely needed, the sessions are monitored and recorded, and the changes made during the session are locked down by automation, Privileged Access Management is taken to a new level.
PAM can move from the tool that slows IT down, to the key system to protect the business, reduce manual effort, and deliver business value.
Rather than thinking that all current PAM solutions look remarkably similar, the bar has been moved, and any solution that doesn’t offer automated privileged sessions isn’t ready for the security needs of today, let alone tomorrow. That will be the key factor to not only improve security but also get support from the business.