
Top 5 Things People Hate About PAM


Privileged Account Management (PAM) has been around in some shape or form for decades now. Whether that’s vaulting passwords, session management, reducing privilege, or any combination of privileged management workflows, there’s been no shortage of vendors to choose from.

Then why, with such a rich history and breadth of software to choose from, does the term PAM still make admins shudder? Surely it should be enjoyable to have a PAM solution humming along, reducing your organization’s risk while you, the admin, focus on your other duties.

Unfortunately, that’s not the case. PAM solutions, while essential, have been a pain point for organizations looking to reduce their risk and attack surface for as long as they’ve existed – and the issues compound themselves over time.

So why is that? Today, we’re going to address the Top 5 Things People Hate About PAM.

Complex, With Lots of Parts

Privileged Account Management (PAM) originally revolved around the concept of the password vault. Traditional PAM providers focused on controlling access to accounts and passwords, rather than on the activities administrators need to perform. This met the compliance needs of the time; however, as regulation evolved, so did the solutions used to secure privileged accounts. As these solutions evolved, more features were added on top of the password vault to achieve session management, least privilege, and more.

As a result of this reactive approach to building PAM software, older, traditional PAM solutions have become a complex web of moving parts, often with software installation requirements that require separate virtual machines – or even separate hardware.

What’s worse is that because all privileged accounts are essentially controlled via the same vault and access policy, the use cases between super user accounts and personal admin accounts have combined, blurring the distinction between Privileged Account Management and Privileged Access Management.

This results in:

  • Increased attack surface from additional accounts and standing privileges.
  • Privileged accounts vulnerable to lateral movement attacks (e.g., via a left-behind Kerberos ticket).
  • Overly complex access control rules.

Vaults map people to accounts, accounts to systems, and systems to applications. It’s a many-to-many approach that’s resulted in increased complexity that could break at a moment’s notice (while also leaving privilege on accounts, which increases an organization’s attack surface).

Expensive to Buy, Implement, Maintain, & Update

When purchasing a PAM solution, users often only look at the sticker price. They need to purchase a PAM solution, and they’re on a budget. However, traditional PAM can end up costing much more once you consider per-seat licensing, potential hardware provisioning costs during implementation, man-hours to oversee the software and keep it running, and costs associated with updating.

Take a new installation of a traditional PAM solution – organizations will soon realize they need to spin up additional servers to handle the various PAM services required to be installed on separate machines. They may also soon realize they have to provision even more servers than originally thought, based on their scale and any limits to the number of concurrent users (or sessions), per server, enforced by the PAM software.

With large, complex implementations, organizations now need to have more administrators overseeing the install, managing the day-to-day workflows, and troubleshooting. When those admins are tied up working on the PAM software all day long, they can’t focus on other tasks. Ultimately, this results in cost to the organization, as more admins may need to be hired to manage existing duties and keep the PAM software afloat.

Hidden Costs

In addition to the software, hardware, internal management, and update costs, there are also hidden costs that aren’t immediately obvious. Given how complex these traditional PAM solutions can be, organizations may end up purchasing far more professional service hours than expected. This includes service hours to help with implementation, adding new workflows, maintenance and troubleshooting, and assistance with updates.

For example, after months of implementation an organization finally has their PAM solution up and running. However, a few weeks later they realize they have a new use case, and then another new use case a few days after that, and that cycle goes on and on as organizational needs evolve.

With each new workflow, if it’s not obvious how to integrate it with the PAM solution then professional service hours will need to be purchased from the vendor to get their assistance. And this may repeat itself indefinitely, as internal workflows are constantly changing.

Hidden cost can come at scale as well. Take a Privileged Session Management (PSM) server as another example, which often uses Remote Desktop Services with per-seat licensing. These servers usually also have a seat limit, meaning at scale you’ll need to add more servers and licenses, just to get more concurrent PAM sessions. This can add up, and quickly!

What this comes down to is that the complexity we’ve already discussed always leads to one thing – more cost.

Difficult to Use

With so many moving parts, a single PAM administrator typically won’t understand how the entire solution works. From Windows, to Linux, to Active Directory, and databases, there often ends up being a separation of duties within the PAM environment. However, this can result in confusion if users run into issues with their workflows and aren’t sure who can resolve them. Where did the breakdown occur, and who should fix it?

Speaking of end users, any software that seems overly complicated will typically be resisted. What good does implementing a PAM solution do if your users push back and don’t want to use it? The fastest route toward achieving security and compliance via PAM is for the software to get up and running quickly and be widely adopted by end users – both of which traditional PAM misses the mark on.

Additional features like integration with SIEM also need to be considered, which is often not a trivial task with traditional PAM. Yet in the modern day, this should be plug-and-play (implement a PAM solution and connect it to an existing SIEM – no strings attached).

The bottom line is that too many things that feel like they should be easy, whether it’s installation, end user workflows, integrations, etc., are difficult with traditional PAM.

Prone to Failure

With complexity comes more opportunities for software to fail. With services built on top of each other over time, the result is layered dependencies that can cause the whole thing to come crashing down when only one part fails.

Take the password vault, for example. In traditional PAM solutions this is the core the rest of the software has been built on for decades. If it experiences any downtime, then the rest of the software grinds to a halt.

An organization’s PAM solution is critical to day-to-day operations and should not be prone to failure. While high availability options are available for many traditional PAM solutions, they’re typically just as complex and difficult to implement as the rest of the product.

SbPAM to the Rescue

Stealthbits, now part of Netwrix, takes a modern approach to Privileged Access Management with SbPAM, a 3rd generation PAM solution that directly addresses each of these problems. It’s quick to install, has a small footprint, doesn’t require client-side software, and is simple to use for end users.

SbPAM is built around the workflows that everyday admins need to have – privileged access to various resources in their organization. Access is the key, rather than the password vault, and everything else is built around it through modular microservices – session management, audit, federation, account management, password rotation, and more.

Just-in-time PAM While Reducing Attack Surface

SbPAM facilitates secure administrative access using 3rd generation technology that is both intuitive and easy to deploy. SbPAM automatically generates ephemeral accounts for each administrator, and then dynamically provisions and deprovisions just-in-time permissions that are appropriate for the requested activity. This removes the “standing privilege” attack surface that exists when accounts are at rest, and removes the overhead of complex access control groups.

  • Ensure Authorized Access – Adaptive Zero Trust security architecture with multi-tier approval capability ensures all privileged access is authorized.
  • Zero Standing Privileges – Rights dynamically provisioned at the time required, and then removed on completion.
  • Meet Best Practices – Support the separation of privileged access accounts for admin vs. productivity tasks.
  • Gain Proof – Record and playback all administrative activity (e.g., accidental, or malicious) over RDP and SSH.
  • Just-in-Time Access – Permissions can be dynamically provisioned to single user, dual (ephemeral or namesake) and shared service accounts.
  • Reduce Future Attacks – Auto-purge Kerberos tickets after session access to mitigate pass-the-hash and golden ticket attacks.
  • Real-time Service Account Management – See updates and status changes as they happen. Immediate alerting if issues are discovered, with options to pause and roll back changes.
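A bare-bones version of the just-in-time workflow described above, as an added example and not SbPAM’s or Netwrix’s own code: an ephemeral Active Directory account gets a time-bound group membership for one activity, then is removed and the cached Kerberos tickets are purged. It assumes the RSAT ActiveDirectory module, a Windows Server 2016+ forest with the Privileged Access Management optional feature enabled (needed for `-MemberTimeToLive`), and placeholder OU, group and naming values.

```powershell
# Added illustrative example (not SbPAM or Netwrix code): a minimal just-in-time
# access workflow on Active Directory with the RSAT ActiveDirectory module.
# Assumptions: Windows Server 2016+ forest with the "Privileged Access Management
# Feature" optional feature enabled (required for -MemberTimeToLive), and a caller
# already authorised to create/delete accounts in the target OU.
# The OU path, group name and naming scheme are placeholders.
Import-Module ActiveDirectory

function Grant-JitAccess {
    param(
        [Parameter(Mandatory)][string]$Admin,         # requesting administrator, e.g. jsmith
        [Parameter(Mandatory)][string]$TargetGroup,   # group that grants rights for the activity
        [int]$Minutes = 30,
        [string]$OuPath = "OU=JIT,DC=corp,DC=example" # placeholder OU for ephemeral accounts
    )
    $name   = "jit-$Admin-" + (Get-Date -Format 'yyyyMMddHHmmss')
    $ttl    = New-TimeSpan -Minutes $Minutes
    $expiry = (Get-Date).Add($ttl)
    # Random one-time password; the requester never needs to see it if a PAM
    # broker injects it into the session, but it must still be unguessable.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    # 1. Provision an ephemeral account that exists only for this activity.
    #    AccountExpirationDate is a second safety net if cleanup never runs.
    New-ADUser -Name $name -SamAccountName $name -Path $OuPath -AccountPassword $secret `
        -Enabled $true -AccountExpirationDate $expiry `
        -Description "JIT account for $Admin, expires $expiry"
    # 2. Time-bound membership: AD removes the member when the TTL lapses, so the
    #    account never holds standing privilege even if step 3 is skipped.
    Add-ADGroupMember -Identity $TargetGroup -Members $name -MemberTimeToLive $ttl
    return $name
}

function Revoke-JitAccess {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$TargetGroup)
    # 3. Deprovision on completion: drop membership, delete the account, and purge
    #    the Kerberos ticket cache of the current logon session so a leftover TGT
    #    for the ephemeral account cannot be reused from this host.
    Remove-ADGroupMember -Identity $TargetGroup -Members $Name -Confirm:$false
    Remove-ADUser -Identity $Name -Confirm:$false
    klist purge
}

# Usage (placeholders): $acct = Grant-JitAccess -Admin jsmith -TargetGroup 'SQL-Admins' -Minutes 20
#                       ... administrator performs the task as $acct ...
#                       Revoke-JitAccess -Name $acct -TargetGroup 'SQL-Admins'
```

`klist purge` only clears the ticket cache of the logon session it runs in, so run the revoke step in the session that was used for the activity (or on the session host) for it to have the intended effect.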

You can learn more about how SbPAM can reduce standing privilege and protect your organization’s most important accounts and resources on the Stealthbits site.

© 2021 Stealthbits Technologies, Inc.
