Expert’s Guide to Privileged Access Management (PAM) Success

People, processes, and technologies that accelerate your PAM program beyond the basics

1 thycotic.com | sales@thycotic.com
CHAPTER 1 – Defining “Advanced" PAM .............................................................4
CHAPTER 2 – PEOPLE: Establishing Stakeholder Roles and Responsibilities.........9
CHAPTER 3 – PROCESS: Understanding the PAM Lifecycle Approach.................13
CHAPTER 4 – TECHNOLOGY: Implementing and Integrating PAM Technology.....17
CHAPTER 5 – Continuing Your PAM Journey........................................................33

Introduction

With up to 80% of breaches due to compromised credentials, Privileged Access Management (PAM) has become a fundamental security priority for organizations of all types. Yet cyber threats are becoming more persistent, and business and technical environments more complex and interdependent. Therefore, proactive enterprises and rapidly growing organizations are going beyond basic PAM security controls to fortify and expand their privilege protection programs.

This best practice framework is designed to help CISOs, IT operations, and cyber security professionals plan and execute an advanced PAM program by putting the right people, processes, and technologies in place. It reflects Thycotic’s experience with more than 10,000 PAM customers (including Fortune 500 enterprises) worldwide over the past 12 years. Throughout the guide, PAM experts from some of the world’s most security-conscious organizations share their experiences implementing advanced privileged security controls and evolving their PAM strategies.

Becoming a PAM expert isn’t simply about becoming a wiz at using software. It’s also imperative to develop a coherent PAM strategy and continuous program that works for all stakeholders, including executives, board members, employees, contractors, and other third parties. That means taking a business-first approach and enabling employees to stay productive while reducing risks. PAM experts manage and collaborate across departments to develop and execute a PAM program that effectively reduces risk across an entire organization. In this guide, you’ll learn steps to becoming a PAM expert that help you balance the goals of securing access to privileged credentials, enhancing productivity, and minimizing overall costs.

CHAPTER 1
Defining “Advanced” PAM
Let’s put “advanced” PAM in the context of how most organizations implement privileged security controls as they progress to become experts. As a reference, you can refer to the PAM Maturity Model, which outlines the four phases of PAM maturity shown in the chart below.

Fig 1
Privileged Access Management Maturity Model: four maturity levels (Analog, Basic, Advanced, Adaptive Intelligent) plotted against security posture, running from high risk (laggards) to low risk (leaders), with corresponding impact on architecture and operations.
Organizations in the Advanced phase have moved from a reactive to a proactive privilege security strategy. PAM is a top cyber security priority, with a commitment to continuous improvement of privileged security practices through an ongoing PAM program.

As the ultimate stage of PAM maturity, organizations in the Adaptive Intelligent phase take continuous improvement to a higher level, integrating leading technologies such as threat intelligence, trust frameworks, machine learning, and advanced automation to collect information and adapt system rules. These organizations fully automate and manage the entire lifecycle of privileged access, from provisioning to rotation to deprovisioning and reporting.

Figure 2 provides a high-level overview of the various types of privileged accounts, why and how they are used, as well as who uses them, and how they should be secured.

Which Privileges Does Your PAM Program Address?
Privileged accounts are everywhere in your IT environment and can be human or non-human. Some privileged accounts are associated with individuals such as business users, local machines, or domain and network administrators, while others are service accounts used to provide access to networks, databases and applications, including IoT systems and DevOps toolchains.

Fig 2
Privileged Access Management Matrix: Why, Who, Where, and How

Why are they needed?
• Config changes
• Administrative tasks
• Create/modify/delete users
• Install software
• Access data
• Backup data
• Update patches

Types of privileged accounts
• Domain accounts
• Local accounts
• Root
• Privileged users
• Emergency accounts
• System admin
• Service accounts
• Applications
• Batch jobs
• Human
• Non-human

Who uses them?
• IT admins
• Security teams
• Helpdesk
• 3rd party contractors
• Application owners
• DBAs
• Applications
• O.S.
• Developers

Where are they found?
• Servers
• Endpoints
• Operating systems
• Hypervisors
• Software
• Cloud
• Databases
• Services
• Programs
• Browsers

How are they used?
• Interactive logons
• APIs
• Services
• Applications
• Automation
• DevOps
• SSH
• RDP
• VPN

How are they secured?
• Passwords
• 2FA
• MFA
• Keys
• Access workflows
• Session recordings
• Launching interactively
• Behavioral analytics

Risks if compromised
• Malware
• Financial fraud
• Ransomware
• Compliance failure
• Data breach
• Data poisoning
• Insider threat
• Service/application downtime
• Revenue/brand loss

1. Identity & Access Management
2. Privileged Access Management (PAM) - Secure Usage of Privileged Accounts and Privileged Data
3. Privileged Accounts (Objects) - Secure Vaulting of Privileged Credentials
4. Privileged Data (Target) - Secure Access to Privileged Data

Checklist
PAM Maturity Basics Checklist

Before you tackle the more advanced phases of PAM maturity described in this Expert’s Guide, make sure you have the basics in place. You should be able to answer "yes" to these questions.

1. Are you including privileged accounts in your broader IT cyber security policy?
2. Are you discovering privileged accounts automatically in your organization?
3. Do your privileged accounts utilize automatically generated complex passwords which are rotated on a regular basis?
4. Are all your privileged credentials stored in a secure vault?
5. Are all your privileged passwords protected with multiple credential verifications?
6. What security controls are applied to your privileged accounts?
7. What compliance and regulations are required by your organization?

Where are you in your PAM journey?

This Expert’s Guide is intended to take you to Phase 3 of the PAM Maturity Model and beyond. If you’re launching your PAM program or working through the first two stages of PAM Maturity, be sure to get the basics established first.

Next, we’ll take you beyond the basics to help elevate your PAM maturity level. The following chapters detail the people, processes, and technology you need to plan and implement an advanced PAM program. Figure 3 illustrates the key elements of a successful PAM program.

We recommend you get up to speed on PAM by reading PAM for Dummies: thycotic.com/PAMforDummies/

The PAM Maturity Model Whitepaper (A Framework To Help Organizations Systematically Lower Privileged Account Risk, Increase Business Agility And Improve Operational Efficiency): thycotic.com/pam-maturity/

Fig 3
The PAM Expert Triangle for Success: People (stakeholder roles and responsibilities), Process (guided by the PAM Lifecycle), and Technology (automated security controls and integration).

CHAPTER 2
PEOPLE: Establish Key Stakeholder
Roles and Responsibilities
No matter how advanced your technical skills, you can’t build a successful PAM program without engaging the key stakeholders. You need to align people and technology so PAM can be readily deployed and adopted across your organization.

Your comprehensive PAM program must engage multiple IT and business functions and tap specific people to take on roles and responsibilities, from executive management through system administration. Organizations—even small ones—must identify a person, department or formal team that takes ownership of the program, setting PAM policies and ensuring they are carried out.

The Identity and Access Management (IAM) team is typically responsible for a PAM program with strong ties to both security and risk personnel.

In a smaller organization, getting buy-in for PAM is usually quicker, as it’s often one of many security and operations responsibilities within a single IT team. In larger organizations, PAM may be a shared responsibility across different teams: IT Security, IT Risk, Identity and Access Management, IT Operations, Development and Engineering, and so on. These teams typically report up through the CISO or CIO to executive management, who in turn report to the board of directors.

To avoid friction among these groups, PAM experts must prioritize collaboration, transparency, and joint goals across departments. Keep in mind, while cyber security teams may set PAM goals and strategy, they’re dependent on their IT Operations counterparts for help with implementation and ongoing management and reporting.

Additionally, PAM policies impact the workflow of other teams. For example, if your PAM team removes local admin rights from endpoints to reduce risk, you’ll need to work closely with IT support teams to keep the business running and avoid a backlash from angry users.

Figure 4 illustrates the broad range of stakeholder roles and titles across an organization, along with their responsibilities and involvement in PAM.

Fig 4
PAM Key Stakeholder Roles and Responsibilities

Columns: PAM Focus and Responsibility | Individual Roles and Titles | What They Do and How You Can Help

Oversight | C-Level Executives / Board of Directors
Executive leadership is ultimately held responsible for cyber security by customers, auditors, and regulators. Their commitment to a PAM program is essential to approve appropriate resources, time, and budget.
Most executives and BODs aren’t cyber security experts and likely don’t have an understanding of PAM compared with other cyber strategies. To gain support from this key stakeholder group, PAM experts need to build awareness and understanding of the importance of protecting privileged accounts and regularly communicate the impact of their PAM program. Align reports to business priorities to show how PAM enables business innovation and reduces cyber risks.

Accountability/Direction | Chief Information Security Officers
CISOs serve as the “glue” that brings multiple security disciplines together, including application security, network security, incident response and more.
CISOs need to consider how PAM works within their overall security strategy and toolset. They should set high-level goals and measurements for success that are shared across teams. They must reserve appropriate resources and approve timelines. If necessary, they can resolve conflicts and eliminate roadblocks to PAM adoption.
Beyond being security guardians, CISOs are increasingly seeking ways to become business enablers, ensuring security tools and policies also make processes more efficient and accelerate business goals.

Governance | Security Administrators
Security Administrators handle all aspects of information security and protect the virtual resources of an organization. They’re responsible for desktop, mobile, and network security. PAM may be part of a larger Identity and Access Management (IAM) and Identity Governance function, which should consider PAM in the context of Active Directory or other identity management solutions and policies.
PAM specialists within this group are responsible for installing, administering and troubleshooting PAM security solutions, including least privilege policies, application control, and privileged behavior analytics. The PAM governance responsibilities of this group include outlining, confirming and organizing rules for secrets, permissions and workflows. They own naming conventions, folder structure and other foundational aspects of PAM governance that keep the PAM program organized and on track.

Compliance | Auditors & Compliance Officers
Like most cyber security functions, PAM policies are heavily derived from compliance requirements that may include PCI, NIST, ISO, SOX, HIPAA, and EU GDPR. Because of legal implications, compliance teams should have input into PAM governance, including policy creation, logging and reporting requirements.

Risk Management | Risk Management Officers
PAM may also fall under IT Risk Management, which is responsible for risk ranking and determines which privileged accounts and use cases represent the highest risk and must be prioritized in a PAM program.

Deployment | IT Operations / Cloud Managers
IT Operations as well as Cloud Managers are essential to assuring PAM deployment in the context of your organization’s IT architecture and hosting policies.

Operations | IT Administrators
IT Operations Managers, responsible for set up and management of applications, databases, networks, and other IT resources, are key stakeholders for ongoing PAM success. These folks are tasked with day-to-day administration of PAM software. If PAM security policies negatively impact their productivity or create friction for business users, IT Admins will feel the pain and may not adopt the solution.
Domain Administrators may be used to sharing privileged credentials or maintaining them in other ways. The shift to centralized PAM will require their buy-in and willingness to change existing processes.

DevOps | Developers
Developers may use open source PAM tools, create their own methods to protect credentials in the development process, or use no PAM controls at all, in order to maintain velocity in their aggressive release schedule.
In advanced organizations using a DevSecOps model, cyber security is integrated into the development process. To incorporate developers in your PAM program, especially in terms of managing privileged credentials via centralized controls, PAM experts need to embed PAM within the DevOps toolchain and match developer requirements for speed and scale.

Business Units | BU Directors
PAM experts need to understand from business units which applications, systems, and users require privileged access and which don’t.
Business Unit Directors help to ensure PAM adoption and understanding of policies among business users. They may be called on to approve privileged access or privilege elevation requests or to review account activity for people on their teams.
Many business units license SaaS applications, with or without permission from IT management. BU Directors must be willing to integrate those tools into an organization’s PAM policies and processes.

Human Resources | HR Directors
The assistance of the Human Resources department is essential in raising employee security awareness. HR may also be involved in determining privacy and other policies that relate to employee procedures following a breach of privileged credentials.

Legal | Attorneys
Legal staff may be involved not only in shaping policies around privileged access but also in setting procedures for managing a breach of privileged credentials and the individuals involved.
Legal staff reviewing contracts with third-party contractors and vendors should ensure that PAM requirements are included in all agreements. For example, third parties should agree to certain levels of permissions, approval requirements, and session monitoring before they’re allowed access to sensitive systems and information. Additionally, any vendors providing software or other technology must confirm in their provider agreements that they have PAM best practices in place.

Managed Security Services | Cloud Partner’s SOC Team or Consultants
Managed Security Service Providers or MSSPs require special attention, with security measures for SOC teams or other consultants spelled out in SLAs.

Incident Response Teams | CISO, Security Admins, Legal, HR, Corporate Communications
The Incident Response Team will likely include many of the individual stakeholders described here. A formal IR team should be established, headed by the CISO, a plan put in place, and regular meetings held to review and discuss IR procedures and evolving threats.

CHAPTER 3
PROCESS: Process and Scope of the PAM Lifecycle

To move beyond the basics, you must plan and implement PAM in the context of an ongoing, evolving program.

The Privileged Access Management Lifecycle approach provides a framework to help PAM experts manage privileged access as a continuous process rather than a one-and-done project. The diagram below illustrates the key stages of the Lifecycle. A brief description of each stage follows.

Fig 5
Privileged Access Management Lifecycle: a continuous cycle of Define → Discover → Manage & Protect → Monitor Usage → Detect → Respond to Incidents → Review & Audit → (back to Define).

Define
Start by defining what ‘privileged access’ means, identify what a privileged account is for your organization and define governance policies. These decisions are different for every company, so it’s crucial you map out what important business functions rely on data, systems, and access. Gaining understanding of who has privileged account access and when those accounts are used is essential to managing the scope and complexity of your PAM program.

Figure 2 in Chapter 1 provides the categories of privileged account use and access you’ll want to consider as you define your own privileged workplace.

The definition stage of a PAM program may be the most time-consuming and involve the most stakeholders as it sets the stage for all that follows. You likely won’t have the resources to protect every data asset, therefore you must prioritize where the most critical keys to your kingdom reside, who uses them, when and for what purpose. This isn’t strictly a security or IT department exercise but must involve executives and business unit managers to fully understand what mix of privileged access is appropriate for your organization.

Centralized PAM for a Holistic, Integrated Strategy
As your PAM program advances, you’ll bring more departments into the fold. Rather than having multiple, overlapping PAM solutions operating in departmental silos, an advanced PAM program centralizes all PAM policies and processes for comprehensive, efficient management and oversight. Make sure people from different departments have input into the process and receive the training they need to support PAM. “Having a product that everyone agrees on makes people a lot more productive,” advises Michael Somerville, University of San Diego. Everyone will share the same policies, metrics and goals for success.

Discover
Identify your privileged accounts and implement continuous discovery to curb
privileged account sprawl, identify potential insider abuse, and reveal external
threats. Define policies for service account governance. Initial inventory and
continuous discovery of privileged accounts (human and non-human) across
your organization is critical to ensuring ongoing visibility of your privileged
account landscape and crucial to combating cyber security threats. Discovery
must be automated and reviewed on a weekly basis at a minimum.

Manage and Protect
Proactively manage and control privileged account access, schedule password rotation, and manage privileged session activity. For IT Administrators and privileged account users, you should control access and implement superuser privilege management to prevent attackers from running malicious applications, remote access tools, and commands. Integrate monitoring as part of session launchers admins use to open remote connections. To prevent service account sprawl, implement proactive service account governance. Least privilege and application control solutions enable seamless elevation of whitelisted applications while minimizing the risk of running unauthorized applications. Secure access to systems and services that reside on-premise and in the cloud, including IaaS, PaaS, and SaaS. Automated controls are the only way to practically manage and protect privileged accounts at scale.

Monitor
Monitor and record privileged account activity. This will help enforce proper behavior and avoid mistakes. If a breach does occur, monitoring privileged account use also supports digital forensics, helps identify the root causes, and helps identify critical controls that can be improved to reduce your risk of cyber security threats.

Detect
Ensure visibility into the access and activity of your privileged accounts in real time to spot suspected account compromise and potential user abuse. PAM behavioral analytics solutions focus on key data points to establish individual user baselines, including user activity, password access, similar user behavior, and time of access to identify and alert you of unusual or abnormal activity.

Respond
When a privileged account is breached, simply changing the password or disabling the account isn’t enough. While inside, hackers could have installed malware and even created their own privileged accounts. If a domain administrator account gets compromised, for example, you should assume that your entire Active Directory is impacted and investigate and make changes so the attacker can’t easily return.

Review and Audit
Continuously observing how privileged accounts are being used through audits and reports will help identify unusual behaviors that may indicate a breach or misuse. Automated reports help track the cause of security incidents as well as demonstrate compliance with policies and regulations. Auditing privileged accounts will also give you metrics that provide executives with vital information to make more informed business decisions.

Build Auditing & Compliance Checks Into Your PAM Process
Virtually all cyber security regulations worldwide call for PAM security controls such as access control, password complexity and rotation, and least privilege policies. Even organizations not beholden to industry or location-based requirements benefit from following best practice security frameworks such as NIST and CIS controls.

Some regulations are highly prescriptive while others give you broad guidelines but leave the detailed decisions up to you. As a PAM expert, your judgment is essential so that you don’t approach compliance as a “check the box” exercise but a process to strengthen your security posture.

Internal audits, planned and unplanned, help teams prepare for external ones. As part of your audit process, map your PAM practices to security controls outlined in the laws that apply to your organization and make sure you know the deadlines for compliance.

Learn more: thycotic.com/cybersecurity-compliance-audit/
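The Detect stage above describes building per-user baselines from data points such as which secrets a user accesses and at what time of day, then alerting on deviations. The following Python script is an added example (not from the guide, and not any PAM product's analytics engine) of the simplest form of that idea: it builds a baseline from constructed check-out history for a user named "alice", then scores a new check-out against that user's own history and flags a day on which more distinct secrets were touched than ever before. The secret names, user names and the 5% hour-of-day threshold are this example's own assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed history of vault check-outs: (user, secret, ISO-8601 timestamp).
# Four weeks in which "alice" uses two secrets, always during office hours.
BASELINE_EVENTS = (
    [("alice", "prod/db/svc-sql", f"2021-02-{day:02d}T{hour:02d}:15:00")
     for day in range(1, 27) for hour in (9, 14)]
    + [("alice", "prod/web/svc-web", f"2021-02-{day:02d}T10:30:00") for day in range(1, 27)]
)


def build_baseline(events):
    """Per user: how often each secret and each hour of day appears, and the most distinct secrets used in one day."""
    baseline = {}
    distinct_per_day = defaultdict(set)
    for user, secret, ts in events:
        b = baseline.setdefault(user, {"secrets": Counter(), "hours": Counter(), "max_daily_distinct": 0})
        b["secrets"][secret] += 1
        b["hours"][datetime.fromisoformat(ts).hour] += 1
        distinct_per_day[(user, ts[:10])].add(secret)
    for (user, _day), secrets in distinct_per_day.items():
        b = baseline[user]
        b["max_daily_distinct"] = max(b["max_daily_distinct"], len(secrets))
    return baseline


def score_event(baseline, user, secret, ts, min_hour_share=0.05):
    """Reasons a single check-out deviates from the user's own baseline (empty list = looks normal)."""
    b = baseline.get(user)
    if b is None:
        return ["no baseline for this user"]
    reasons = []
    if secret not in b["secrets"]:
        reasons.append("secret never accessed by this user before")
    hour = datetime.fromisoformat(ts).hour
    share = b["hours"][hour] / sum(b["hours"].values())
    if share < min_hour_share:
        reasons.append(f"access at hour {hour:02d} is outside the user's usual window")
    return reasons


def score_day(baseline, user, day_events):
    """Flag a day on which the user touched more distinct secrets than on any baseline day."""
    b = baseline.get(user)
    if b is None:
        return ["no baseline for this user"]
    distinct = {secret for _user, secret, _ts in day_events}
    if len(distinct) > b["max_daily_distinct"]:
        return [f"{len(distinct)} distinct secrets in one day, baseline maximum is {b['max_daily_distinct']}"]
    return []


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    print(score_event(base, "alice", "prod/db/svc-sql", "2021-03-01T09:20:00"))      # usual secret, usual hour
    print(score_event(base, "alice", "prod/db/svc-sql", "2021-03-01T03:10:00"))      # usual secret, 3 a.m.
    print(score_event(base, "alice", "prod/ad/domain-admin", "2021-03-01T14:00:00"))  # never-used secret
```

A user with no history at all is reported as such rather than silently passed, which matters for newly created privileged accounts of the kind the Respond stage warns about. A production implementation would add the peer comparison ("similar user behavior") the text mentions and decay old history, but the baseline-and-deviation structure is the same.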

CHAPTER 4
TECHNOLOGY: Implement and Integrate PAM Security Controls

Once you’ve engaged the proper stakeholders and created PAM processes, you can begin to implement and refine PAM solutions that fit your specific business model and your industry. Implementing PAM successfully throughout your organization depends on choosing the right technologies to automate and control privileged access across diverse environments and ecosystems.

The following table provides actionable guidance with prescriptive technical recommendations for PAM experts. These controls help to establish PAM security across the PAM Lifecycle and build a strong foundation that can scale as your PAM program grows in maturity.

Fig 6
PAM Security Controls Mapped to Lifecycle

Columns: PAM Lifecycle Stage | Security Technology Control | How To Put The Control In Place

Define | Policy & Governance
PAM governance includes system installation, organization, and implementation across business units and functional areas.

Large or diverse organizations may choose to onboard a few business units or locations first, and then roll out PAM throughout the organization, segment by segment. You’ll need to decide if you protect high impact systems first as they represent the most risk, or test PAM first on low impact systems with fewer dependencies.

Your governance requirements guide how you set up roles, workflow, permissions, and reporting within your PAM solution. Take the time to set policies for naming conventions, plan your permission folder structure according to departments or teams, set rules for sharing secrets, and define a chain of approvals that match the structure of your organization. Then, configure your PAM solution to match.

Determine if you plan to manage and configure your PAM solution in-house or work with a PAM provider for managed or professional services.

Define | Policy & Governance (continued)
Confirm requirements for your internal IT environment and policies such as expectations for High Availability and SLAs with other departments. This information will help to define the underlying architecture you’ll need for an on-premise PAM implementation or may guide your choice toward a cloud-based option.

If you’re installing your PAM system in-house, set up and test distributed engines, databases, firewalls, routers, failover and test sites.

Identify SQL admins, AD admins, IIS admins and any other key stakeholders who will be managing your PAM solution.

Discover | Discovery & Automation
Run discovery processes to find all accounts that require privileges, including human accounts, service accounts, local admin accounts on endpoints, and applications.

Discovery should include Windows, Mac, Unix, and VMware ESX/ESXi accounts. For additional discovery of legacy or custom technology, you may need PowerShell scripts.

Account for scheduled tasks, application pools, and all dependencies between systems.

It’s important to set up continuous discovery processes so information stays up to date as people come and go and systems change.

Based on your discovery, you can determine how many people currently have Domain Admin rights at your organization and identify opportunities where those could be reduced or shared. For example, you can replace individual named accounts with shared accounts and remove named accounts from the DA group. Or, you can configure your PAM solution so that an account belongs to the DA group only temporarily, while it is actually in use.
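The Discover row above asks for more than a list of accounts: it wants scheduled tasks, application pools and the dependencies between systems, kept current by repeated scans. As an added example (not from the guide and not Thycotic's discovery engine), the Python below takes the output of two consecutive discovery scans and derives the things a PAM team acts on: which hosts and services depend on each service account, which discovered accounts are not yet vaulted, what usage is new since the last scan, and which hosts must be updated before an account's password can safely be rotated. The host names, account names and scan records are constructed sample data; the `Usage` record shape is this example's own.

```python
from collections import defaultdict
from dataclasses import dataclass

# Well-known built-in identities: not credentials to vault, so excluded from the map.
BUILTIN_IDENTITIES = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}


@dataclass(frozen=True)
class Usage:
    """One place a discovery scan found an account in use (constructed record shape)."""
    host: str
    kind: str      # "service", "scheduled_task" or "app_pool"
    name: str      # service / task / pool name
    account: str   # run-as account, DOMAIN\\name


# Constructed sample scan output standing in for two consecutive discovery runs.
SCAN_PREVIOUS = [
    Usage("web01", "app_pool", "DefaultAppPool", "CORP\\svc-web"),
    Usage("db01", "service", "MSSQLSERVER", "CORP\\svc-sql"),
    Usage("db01", "scheduled_task", "NightlyBackup", "CORP\\svc-backup"),
    Usage("db01", "service", "Spooler", "NT AUTHORITY\\SYSTEM"),
]
SCAN_CURRENT = SCAN_PREVIOUS + [
    Usage("web02", "app_pool", "DefaultAppPool", "CORP\\svc-web"),   # known account, new host
    Usage("app01", "service", "ReportEngine", "CORP\\svc-reports"),  # account never seen before
    Usage("db01", "service", "SQLSERVERAGENT", "CORP\\svc-sql"),     # known account, new dependency
]


def build_dependency_map(findings):
    """Map each non-built-in account to the set of (host, kind, name) places that depend on it."""
    deps = defaultdict(set)
    for u in findings:
        if u.account.upper() in BUILTIN_IDENTITIES:
            continue
        deps[u.account].add((u.host, u.kind, u.name))
    return dict(deps)


def unmanaged_accounts(dep_map, vaulted):
    """Accounts discovered in use that are not yet under vault management."""
    return sorted(acct for acct in dep_map if acct not in vaulted)


def new_usages(previous_scan, current_scan):
    """Usages present in the current scan but absent from the previous one, keyed by account."""
    prev = build_dependency_map(previous_scan)
    cur = build_dependency_map(current_scan)
    delta = {}
    for acct, places in cur.items():
        added = places - prev.get(acct, set())
        if added:
            delta[acct] = sorted(added)
    return delta


def rotation_blast_radius(dep_map, account):
    """Hosts whose service/task/pool configuration must be updated when this account's password rotates."""
    return sorted({host for host, _kind, _name in dep_map.get(account, set())})


if __name__ == "__main__":
    dep_map = build_dependency_map(SCAN_CURRENT)
    vaulted = {"CORP\\svc-sql", "CORP\\svc-backup"}        # constructed: already in the vault
    print("Not yet vaulted:", unmanaged_accounts(dep_map, vaulted))
    for acct, places in new_usages(SCAN_PREVIOUS, SCAN_CURRENT).items():
        print("New usage since last scan:", acct, places)
    print("Rotating CORP\\svc-sql touches hosts:", rotation_blast_radius(dep_map, "CORP\\svc-sql"))
```

The `new_usages` diff is what makes the weekly review the Discover stage calls for tractable: reviewers look only at the delta, not the whole inventory. The blast-radius list is the input to "rotate without impacting dependent applications": every host on it must have its service, task or pool updated in the same change as the rotation.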

Manage and Protect | Access Security
The core of PAM, access security, includes vaulting, delegation, and elevation of privileged credentials, ideally in accordance with a least privilege model. This enables the secure usage of privileged accounts.

Privileged passwords, certificates, and keys are stored and managed in a secure repository – an encrypted vault – with very restrictive permissions, ideally requiring MFA to access.

When users or systems “check out” secrets, PAM establishes single user accountability for a specific time period.

PAM can establish automatic connections between people and systems without exposing credentials to users. An advanced PAM solution can serve as a proxy through which an administrative session is performed and automatically relay the privileged account password from its vault to the target device or application.

Advanced PAM programs identify and remove embedded/hard-coded passwords and replace them with API calls that inject passwords into applications or config files.

You can rotate credentials regularly – and unexpectedly – without impacting dependent applications. You can randomize and rotate service accounts and local accounts on controlled endpoints as well.

As your program expands to more systems and departments, you can set up custom password changers for any system credentials that aren’t connected out of the gate.

You can also create templates that automatically generate strong passwords (the longer the better!) and include custom fields for impact ratings that determine access levels.

Manage and Protect | Session Protection
Particularly important for organizations that allow third-party access to privileged accounts, advanced PAM programs include monitoring and recording privileged session activity as well as workflows that allow for multiple levels of approvals to grant or deny exceptional access to sensitive data or critical systems.
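The Access Security row above makes three points that are easier to see in code: hard-coded passwords in config files should be found and replaced by runtime API calls to the vault, a check-out establishes single-user accountability for a bounded period, and credentials can be rotated unexpectedly. The Python below is an added example, not from the guide and not any vendor's API: a scanner that flags literal credentials in a constructed config, an in-memory stand-in for a vault check-out API, and a resolver that injects checked-out values into `${vault:...}` placeholders at run time. The class name, method names, placeholder syntax and sample config are all this example's own conventions.

```python
import re
import secrets
import time
from dataclasses import dataclass

# Keys that commonly carry credentials; the value after "=" or ":" is examined.
SECRET_KEY_RE = re.compile(r"(password|passwd|pwd|secret|token|api[_-]?key)\s*[=:]\s*(.+)$", re.I)
# Placeholder syntax assumed for this example: ${vault:<secret id>}
PLACEHOLDER_RE = re.compile(r"\$\{vault:([^}]+)\}")

# Constructed sample config: two literal secrets and one vault placeholder.
SAMPLE_CONFIG = """\
[database]
host = db01.corp.example
user = svc-reports
password = Summer2021!
[api]
api_key = AKIAEXAMPLEKEY
[reports]
db_password = ${vault:prod/db/svc-reports}
"""


def find_hardcoded_secrets(config_text):
    """Return (line number, key) for every credential stored as a literal rather than a vault reference."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = SECRET_KEY_RE.search(stripped)
        if not m:
            continue
        value = m.group(2).strip().strip("\"'")
        if not value or PLACEHOLDER_RE.fullmatch(value):
            continue                      # resolved from the vault at runtime, not a literal
        hits.append((lineno, m.group(1).lower()))
    return hits


@dataclass
class Checkout:
    user: str
    expires_at: float


class VaultStandIn:
    """In-memory stand-in for a PAM vault's check-out API (constructed for this example only)."""

    def __init__(self, initial_secrets, clock=time.time):
        self._secrets = dict(initial_secrets)
        self._checkouts = {}
        self._clock = clock
        self.audit = []                   # (timestamp, event, secret id, user)

    def checkout(self, secret_id, user, ttl_seconds=900):
        """Hand the credential to one user for a bounded period; another user is refused until check-in or expiry."""
        now = self._clock()
        current = self._checkouts.get(secret_id)
        if current and current.user != user and current.expires_at > now:
            self.audit.append((now, "DENIED", secret_id, user))
            raise PermissionError(f"{secret_id} is checked out to {current.user}")
        self._checkouts[secret_id] = Checkout(user, now + ttl_seconds)
        self.audit.append((now, "CHECKOUT", secret_id, user))
        return self._secrets[secret_id]

    def checkin(self, secret_id, user):
        """Release the credential and rotate it, so the value the user saw stops working."""
        now = self._clock()
        current = self._checkouts.get(secret_id)
        if current is None or current.user != user:
            raise PermissionError(f"{secret_id} is not checked out to {user}")
        del self._checkouts[secret_id]
        self._secrets[secret_id] = secrets.token_urlsafe(24)
        self.audit.append((now, "CHECKIN_ROTATE", secret_id, user))


def inject_secrets(config_text, vault, user):
    """Replace ${vault:...} placeholders with values checked out at run time, in place of hard-coded literals."""
    return PLACEHOLDER_RE.sub(lambda m: vault.checkout(m.group(1), user), config_text)


if __name__ == "__main__":
    print("Hard-coded secrets:", find_hardcoded_secrets(SAMPLE_CONFIG))
    vault = VaultStandIn({"prod/db/svc-reports": "Summer2021!"})
    print(inject_secrets(SAMPLE_CONFIG, vault, "report-service"))
    vault.checkin("prod/db/svc-reports", "report-service")
    print(vault.audit)
```

The scanner deliberately treats a placeholder as clean and anything else as a finding, so the migration from literals to API calls can be measured (findings trending to zero) rather than assumed. Rotating on check-in is the "unexpected" rotation the row mentions: a copy of the credential that leaked from a user's screen or shell history is worthless once the session ends.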

Customer Spotlight: TrendMicro

Continuous discovery allows TrendMicro’s team to scan its network and find all service accounts and dependent services, tasks, and app pools, determine where each service account is being used (including new usage since last scan), and import all service accounts into its central PAM tool for ongoing management and auditing.

Their process eliminates manual errors managing service accounts, sets up an audit trail, and increases accountability. The team set up permissions and powerful security control features such as Request Access to monitor and approve users who are trying to access privileged accounts. They record privileged sessions users launch using service accounts and keep track of any keystrokes during those sessions.

Monitor | Audit/Monitoring
Session monitoring increases oversight of privileged account use and allows for in-depth analysis of privileged session activity in real time or after the fact.

With “four-eyes” capability you can tune in live to watch sessions, oversee remote connections, modify privileges, or even terminate connections.

Detect | Behavioral Analytics
Certain activities, systems, applications, cloud services, containers, etc. represent relatively low risk, while others are responsible for sensitive data or business-critical operations and thus represent higher risk. Advanced PAM programs integrate threat analytics and risk rankings from your SIEM solutions or other risk criteria to help guide decisions.

In addition, behavior analytics can track privileged account activity, recognize patterns, and identify suspicious behavior.

Respond | Event Response & Recovery
Based on the analytics you set up, you can trigger alerts or perform automatic responses. For example, when alerted of suspicious behavior, administrators may wish to lock down accounts, rotate credentials immediately or terminate or suspend sessions. Once the event is investigated and cleared, administrators can reset to baseline.

When configured for geo-redundancy and High Availability, advanced PAM systems provide manual failover, disaster recovery, and break glass scenarios.

Review & Audit | Audit/Monitoring
Advanced PAM programs include logging privileged activities with an immutable audit log that allows playback for reporting, auditing and event forensics.

In your log, ensure employees are entering a comment as to why they need access to a privileged account. This can help determine if a particular task can be delegated.

Set up alerts or emails to managers, team leads, or InfoSec when the membership of the Domain Admins group or other privileged groups changes.

Forward your log to a SysLog server or, if logging in AD, use Windows Event Forwarding.

Automate and share reports to increase visibility and continuously improve your PAM program.

Customer Spotlight

Adobe

As Adobe began to automate and orchestrate its complete build
environment in the cloud, their PAM solution needed to evolve and
scale.

“As we moved to the cloud we needed provisioning capabilities
without human interaction, where we can store credentials and
share them. Privileged credential management gives us the same
level of security on these build machines as we would have on
other individual machines.”
– Adobe’s security team

Putting PAM in Context - Multi-Dimensional PAM
The controls list provided highlights the main activities to implement over
the PAM lifecycle. But it’s not until you can implement those activities at scale
that you’re truly a PAM expert. It’s important to consider how your PAM program
secures privileged credentials in different states, across your entire attack surface,
and in the context of different environments.

State of your credentials. Unlike consumer password vaults that store
credentials at rest, enterprise credentials move throughout the
organization—in memory or in a token—and need to authenticate with other
people and systems. To do so securely, privileged credentials should be
encrypted and use Multi-Factor Authentication (MFA). You also need to
monitor credentials when they are in use, during a privileged session or
an API call.

Scale of your attack surface. Enterprises may have thousands or hundreds
of thousands of privileged accounts, including service accounts for
servers, databases, applications, network devices, and endpoints (Windows,
Mac and Linux/Unix). Many privileged credentials are shared among people
and/or systems and can easily fall off your radar. As your PAM program
expands, you’ll discover, enroll and manage more platforms.

Context of your IT environment. Are privileged credentials in your
organization used within a DevOps toolchain, to connect cloud-based
systems, within script files, or as part of an integrated IoT environment
that passes data back and forth? These environments are highly
interdependent and changeable. Breaking connections in these instances
could result in shutting down operations and thus carries more risk.
Extending PAM to these types of emerging environments is an important
step in the advancement of your program.

Customer Spotlight

IPC Subway

To harden thousands of servers, IPC Subway relies on its PAM solution to
ensure Two-Factor Authentication and changes passwords weekly, with alerts
to ensure the changes happen correctly. To ensure availability and mitigate
risk, each service on each server has its own independent password.

Customizing PAM to Match Your Organization
PAM programs typically begin with changing default or out-of-the-box
passwords for common products and devices. However, every organization is
different and may have custom-built or legacy systems and applications that
also need to be protected. These unique applications require granular
testing to identify where in-code password changes may be failing. Advanced
PAM programs extend privileged protection to unique applications with custom
password changers.

Similarly, PAM programs begin by tapping into basic discovery sources such
as Active Directory, Unix, and VMware. Your organization, however, may need
to go beyond these sources to find and manage privileged accounts from
Cisco, Oracle, SQL Server, or MySQL databases. As a PAM expert, you can
discover and automate the management of those credentials as well, by
creating rules to pull in those accounts and turn credentials into secrets
that can be generated and changed automatically.

Expert Integrations Improve Collaboration and Efficiency
IT operations, security, and development teams must form a united
front to protect against cyber attack. The better coordinated these
teams, the fewer gaps you leave in your attack surface and the more
quickly you can respond if an incident does occur.

Just as PAM operations can’t exist in a silo, neither can the tools that support them.
PAM programs are most successful when PAM controls are integrated with other IT
and security solutions. With tight integration, information stays up to date, reports take
less time to create, and decisions can be made more quickly. Your PAM program gains
more visibility throughout the organization and with executives and board members.

PAM solutions may offer out-of-the-box integration with third-party tools and provide
access to APIs and scripts, which you can customize to match your own solution and
workflow.

Improve Governance Throughout the PAM Lifecycle
PAM + IAM/IGA
While PAM secures access to key system and admin accounts, Identity & Access
Management (IAM) is for every user account in your organization. IAM enables
the right individuals to access the right resources at the right times for the right
reasons. For example, IAM allows you to provide a salesperson with access to
his or her account and provides higher level access for certain individuals to
log into sensitive systems, such as finance and Human Resources, that require
elevated privileges.

An integrated IAM/PAM system will help track user account ownership, flag user
accounts that aren’t being used, automate the provisioning of new user accounts,
simplify the assignment of privileged accounts, and make it possible to regularly
prune access. Integration will enable you to meet compliance and regulatory
reporting requirements efficiently and with minimal overhead.

Some IAM solutions, such as Identity Governance and Administration (IGA),
provide monitoring and reporting capabilities that are required for a compliance
program. These solutions are helpful in ensuring broad compliance with security
protocols and identifying outliers. They help with separation of duty control,
access request handling, and recertification of access (continuous or
trigger-based recertification throughout a lifecycle, rather than requiring manual
periodic review).

Save Time with Controlled Authentication
PAM + Active Directory
Privileged user accounts are typically located in a central authentication
system running in Active Directory (Windows) or in another central identity and
authentication system that manages accounts, groups and permissions for
employees. Password changes can be challenging in one system; when you
attempt to keep multiple systems in sync, there’s a very high chance that errors
will fall through the cracks.

It’s important that your account management process, from creation to rotation
and deprovisioning, stays coordinated every step of the way.

PAM + Connection Management
Privileged credentials used when making remote desktop connections provide
access to critical infrastructure, data, and applications. When configuring remote
sessions, IT teams must navigate complex networks, cloud services, and user
needs. They typically have multiple sessions active at once, using different
connection protocols and a variety of privileged accounts.

Integrated connection management solutions provide a unified environment to
manage and interact with multiple remote sessions for both Remote Desktop
Protocol (RDP) and SSH. As a result, IT teams save time and lower risk. Admins
can launch remote connections using multiple protocols, authenticate, and gain
access to critical resources with appropriate permissions. Additionally, they
can monitor and record multiple, simultaneous remote sessions to increase
accountability and provide an audit trail to demonstrate compliance.

Improve Visibility and Workflow Between Security and IT Ops
PAM + IT Service Management
Consider the numerous service management systems your organization has in
place to support workflow and IT processes. A PAM program will be
implemented more quickly and completely – and will be more sustainable over
time – if it shares information back and forth with the systems IT
operations relies on to do their jobs.

For example, asset management systems track approved endpoints and
applications in use throughout the organization. As you roll out your least
privilege and application control policies, connecting with these systems
will improve your discovery process and help you keep your inventory up to
date. You can set up a least privilege policy rapidly for new endpoints by
integrating with solutions IT uses for configuration and deployment of new
devices. Additionally, you can integrate application control with helpdesk
ticketing systems IT operations uses to address user requests for
applications and endpoint support. Application elevation requests can be
managed directly in the system, so there is continuous communication and
event tracking.

Customer Spotlight

State of Indiana

The State of Indiana has developed a highly advanced PAM
implementation. By integrating its PAM solution with Active
Directory, the State of Indiana ensures service accounts are set up
correctly, with appropriate privileges, and are managed securely
from Day One.

“We've eliminated all kinds of mistakes by centralizing and
automating PAM, and not having six different people creating accounts
in Active Directory by hand and possibly making mistakes.”

The State has expanded its use of PAM from managing service
accounts to protecting applications used by third parties and
software developers. According to the State’s PAM expert, “We
used to have shadow sessions that could take four or five hours.
There were times in the middle of the night where we had to get up
and share our screen with a developer so they can fix a problem in
production. Now I’m able to go in and elevate applications using their
user group and it just automates the process.”

Identify Design Flaws More Rapidly and Accurately
PAM + Vulnerability Scanning
Integrating PAM solutions with vulnerability testing and management solutions
helps ensure that vulnerability scans have the correct credentials to scan
systems for missing patches and, when a patch is being applied, to verify that
it is installed correctly.

This credentialed scan allows for a more thorough vulnerability assessment
than you would be able to achieve with penetration testing alone.

Automatically Add Known Malware to Application Control Policies
PAM + Threat Analytics
Integrating PAM solutions with threat analytics helps you keep pace with cyber
criminals as they develop new malware and advanced strategies for attack.
Threat intelligence databases such as VirusTotal form blacklists you can build
into your PAM solutions to block known malicious applications from running.
Artificial intelligence and machine learning from solutions like Cylance help you
anticipate and detect malicious activity.

Customer Spotlight

AmericaFirst

Integrating PAM with AmericaFirst’s vulnerability tools provided a more
accurate understanding of the security of the organization’s network.
For example, with unauthenticated scanning on a PC test system, QualysGuard
found no network vulnerabilities. After adding authenticated scanning using
PAM, QualysGuard returned 33 vulnerabilities that the InfoSec team took
action to fix.

Log Events, Aggregate Cyber Security Data and Trigger Alerts
PAM + SIEM
Many IT and security teams rely on Security Information and Event Management
(SIEM) and log management solutions, such as ArcSight, Splunk, and LogLogic, for
centralized reporting and coordinated incident response. As part of a risk-based
approach, use these solutions to classify and score a wide range of events to prioritize
business and technical risk.

Events associated with privileged accounts can be correlated with your overall risk
ranking process and workflow, so administrators receive alerts in the systems they use
most regularly. As long as these systems use Syslog format they should be compatible
with PAM solutions. Then, when an administrator sets up a filter for certain activities
associated with privileged accounts, those events are logged with different alert levels
depending on their potential risk. For example, administrators may want to act quickly
if users are locked out, if “unlimited administration” mode gets turned on, if heartbeats
fail, or if secrets expire.

SIEM solutions can also generate consolidated reports that are presented to company
leadership and auditors to demonstrate cyber security progress. Integration ensures
that your PAM program shares the same goals as the overall cyber security program.
When PAM becomes a core element of ongoing reporting, awareness and adoption
grows throughout your organization.
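As an added example (not Thycotic's code, and not any real product's event format), the following Python routine applies the two ideas above: it assigns alert levels to privileged-account events arriving as syslog-style lines (lockouts, “unlimited administration” mode, heartbeat failures, secret expiry) and it raises the Review & Audit stage's alert when a Windows group-membership event touches Domain Admins or another privileged group. The `event=` names, the key=value message layout and the sample feed are constructed assumptions; the Windows event IDs 4728/4732/4756 are the real "member added to security-enabled group" IDs.

```python
import re
from collections import namedtuple

# Alert level per PAM event type, mirroring the examples in the text (lockouts,
# "unlimited administration" mode, heartbeat failures, secret expiry). The event
# names are constructed for this example, not a real product's event schema.
ALERT_LEVELS = {"USER_LOCKOUT": "high", "UNLIMITED_ADMIN_ENABLED": "critical",
                "HEARTBEAT_FAILED": "medium", "SECRET_EXPIRED": "medium", "SESSION_STARTED": "info"}
# Windows Security event IDs for a member added to a security-enabled global
# (4728), local (4732) or universal (4756) group, e.g. Domain Admins.
GROUP_ADD_EVENT_IDS = {"4728", "4732", "4756"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
RANK = {"info": 0, "medium": 1, "unknown": 1, "high": 2, "critical": 3}

# Assumed syslog-style line: <PRI>TIMESTAMP HOST APP: key=value key2="two words" ...
SYSLOG_RE = re.compile(r"^<\d+>(?P<ts>\S+) (?P<host>\S+) (?P<app>[\w.-]+): (?P<msg>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
Alert = namedtuple("Alert", "level host summary")  # level: info/medium/high/critical/unknown

def parse_fields(msg):
    """Turn 'k=v k2="value with spaces"' into a dict."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(msg)}

def classify(line):
    """Map one log line to an Alert, or None when it needs no alert at all."""
    m = SYSLOG_RE.match(line)
    if not m:  # unparseable lines are surfaced for review, not silently dropped
        return Alert("unknown", "-", "unparseable line: " + line[:60])
    host, f = m["host"], parse_fields(m["msg"])
    if f.get("EventID") in GROUP_ADD_EVENT_IDS:  # Windows event forwarded via WEF/syslog
        group = f.get("Group", "?")
        level = "critical" if group in PRIVILEGED_GROUPS else "info"
        return Alert(level, host, f"{f.get('Subject', '?')} added {f.get('Member', '?')} to {group}")
    event = f.get("event")  # PAM platform event in the constructed event=... form
    if event is None:
        return None
    rest = " ".join(f"{k}={v}" for k, v in f.items() if k != "event")
    return Alert(ALERT_LEVELS.get(event, "unknown"), host, f"{event} {rest}".rstrip())

def triage(lines, minimum="medium"):
    """Alerts at or above `minimum`, most severe first (stable within a level)."""
    alerts = [a for a in map(classify, lines) if a and RANK[a.level] >= RANK[minimum]]
    return sorted(alerts, key=lambda a: -RANK[a.level])

# Constructed sample feed: PAM vault events plus Windows events forwarded from a DC.
SAMPLE_LOG = [
    "<86>2024-03-02T01:12:09Z pam01 pamvault: event=SESSION_STARTED user=alice secret=sql-prod-sa",
    "<83>2024-03-02T01:13:40Z pam01 pamvault: event=HEARTBEAT_FAILED secret=web-db-sa target=db07",
    "<82>2024-03-02T01:15:02Z pam01 pamvault: event=UNLIMITED_ADMIN_ENABLED user=bob",
    '<84>2024-03-02T01:16:30Z dc01 wef: EventID=4728 Group="Domain Admins" Member=svc-build Subject=carol',
    '<84>2024-03-02T01:17:01Z dc01 wef: EventID=4728 Group="Print Operators" Member=dave Subject=carol',
    "<82>2024-03-02T01:18:15Z pam01 pamvault: event=SECRET_EXPIRED secret=legacy-erp-admin",
    "garbage that is not syslog",
]
```

Running `triage(SAMPLE_LOG)` yields the two critical events (unlimited administration mode, Domain Admins change) first, then the medium-level heartbeat and expiry events and the unparseable line, while the routine session start and the non-privileged group change stay at info level.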

Build Privilege Security Into the Development Process
PAM + DevOps Tools
DevOps teams rely on a set of tools throughout the Continuous Integration
and Deployment toolchain to improve development velocity and maximize
collaboration with operations. When PAM solutions are embedded within the
toolchain they allow for a high level of privileged access protection without
slowing down the DevOps process.

Customer Spotlight

Telstra

Telstra’s CI/CD platform connects to its PAM tool via API to pull privileged
credentials at runtime, while reducing the impact when passwords need to change.
For example, Telstra stores SSL Certificates
as secrets in its PAM vault, setting expiry
and alerts to ensure the appropriate
governance.

CHAPTER 5
CONCLUSION AND NEXT STEPS:
The Ongoing PAM Journey

Even the most mature PAM deployments are on a journey of continuous
improvement. As privilege is recognized as the new perimeter, everyone in
the organization has to become a PAM “expert” to some degree. That will
require ongoing education.

Your organization will grow and evolve, which means business and technical
requirements will change. For example, new development processes or
cloud-first policies may generate new types of privileged accounts that need
to be protected. Or, you may acquire or merge with another company and need
to integrate new people and systems quickly and securely. You can be ready
for these new situations by choosing an extensible solution that can adapt
to new situations and grow with you.

There is no doubt that cyber criminals will become more sophisticated and
develop new strategies to achieve their goals. With the fundamentals in
place, you’ll be able to build from a position of strength to keep pace with
changing threats, tighten your attack surface, and reduce risk for your
organization.

You can help IT and security teams boost their PAM skills with free, online
technical training: thycotic.com/e-learning-tools/

You can build awareness and understanding of the importance of PAM across
your entire organization by sharing PAM for Dummies:
thycotic.com/cybersecurityfordummies/

1 The Forrester Wave™: Privileged Identity Management, Q4 2018 Report, thycotic.com/privileged-accesssecurity-leader

ABOUT THYCOTIC
Thycotic is the leading provider of cloud-ready privilege management
solutions. Thycotic’s security tools empower over 10,000 organizations,
from small businesses to the Fortune 500, to limit privileged account risk,
implement least privilege policies, control applications, and demonstrate
compliance. Thycotic makes enterprise-level privilege management
accessible for everyone by eliminating dependency on overly complex
security tools and prioritizing productivity, flexibility and control.
Headquartered in Washington, D.C., Thycotic operates worldwide with
offices in the UK and Australia.

For more information, please visit www.thycotic.com
