Privileged Access Management

10 Questions To Ask Every PAM Provider

What questions should you ask a privileged access management provider (PAM) when demoing their PAM solution?

10 PAM Questions

If credentials are the key you your company’s kingdom of data, then privileged credentials are the master key. Privileged user accounts, such as domain admin accounts, are granted higher levels of access permissions. These permissions allow them administrative access to critical business systems and applications. This makes them an attractive target to cybercriminals who want to access the sensitive data stored in those systems, so they can steal it, ransom it, or sell it. 

To prevent this from happening, it’s critical that your business only elevates privilege when absolutely necessary, and only for the length of time necessary for a user to do their job. 

But managing privileged access manually can be a cumbersome task, particularly when your organization has lots of privileged users. Cloud accounts with pre-configured admin privileges make this task even more complex, and in many organizations the IT team doesn’t have the capacity to assign and revoke privileges on demand. 

Thankfully, privileged access management (PAM) solutions exist to make it easier for organizations to monitor and manage the activity of privileged users. With a PAM solution, IT teams can oversee what a user is allowed to access, when, and what they can do once inside a critical system.

There are a lots of different PAM solutions on the market, each offering different feature sets to help businesses achieve specific goals. Some focus heavily on credential vaulting and rotation; others on reporting and auditing; others on automation. And, given the sensitive nature of the data they’re protecting, some PAM solutions can take months to implement. So, it’s important that you know you’re investing in the right solution the first time around.

To help you do that, we’ve put together a list of questions that you should ask your prospective PAM vendor before making the final decision to invest. 

How Is The PAM Solution Deployed?

The first thing you should ask a PAM provider is how the solution can be deployed. After all, if it doesn’t offer a deployment option compatible with your environment, you’ll need to look elsewhere. 

PAM solutions are usually compatible with on-premises and cloud environments, and some can be deployed across hybrid environments too. When choosing your PAM solution, you need to consider not just how your environment looks now, but how you’re expecting it to grow in the coming years. Depending on the direction of your organization, you will have to ensure that your PAM solution will be able to adapt and scale as your company evolves.

As well as this, you need to make sure that the solution is compatible with the devices that your admins and end users will be using. This ensures they can easily assign privileges or access privileged systems using the device they already have. Many PAM vendors offer a web-based or desktop app, with some also offering a mobile app for on-the-go provisioning and access. 

How Easy Is Implementation?

Once you know how the solution is deployed, you need to find out how easy it is to carry out that deployment and get everything set up. This will help you work out whether your IT team have the capability and the resources to install, deploy, and manage the solution. You should also ask the provider how much support they offer throughout implementation. As you consider this, think about ongoing management—there’s no point implementing a solution that you won’t be able to manage effectively once the support stops! 

While discussing implementation, you’ll need to consider the following: 

  • How well will the PAM solution integrate with your other IT management and security tools? 
  • Can you start with a basic version of the solution, and add on other modules as you need to? 
  • If so, will you need to buy these other modules separately, or are all features included in the price, no matter which ones you’re using? 

How Much Automation Does The Solution Offer?

Now it’s time to start delving into the actual features offed by the PAM solution—starting from the moment you deploy it. Once you’re up and running, you’ll want the solution to be able to automatically identify and onboard existing privileged accounts—particularly if you don’t already have visibility into privileged access across your network. Most solutions will offer this functionality via an integration with your user directory. 

While you’re on the topic of automation, it’s a good idea to find out what other tasks the platform can take off you IT team’s plate. The best solutions will be able to automate the discovery of new devices, credential rotation, and password resets. Some even offer automatic remediation of potential account takeover threats by ending a privileged session if they identify suspicious activity. 

Think about how much resource your IT team has to dedicate to managing the solution, and how much automation they’ll need to help them. 

Is There A Password Management Vault? 

Some PAM solutions offer a secure vault in which they store privileged credentials and secrets such as SSH keys. Usually, users must verify their identify via multi-factor authentication (MFA) before being granted access to this vault, and credentials are automatically rotated after each use. 

Mid-size to larger organizations with lots of users requiring privilege access may need this level of security and automation – it would be cumbersome for the IT team to have to manually grant privileges upon request and revoke them once the session has ended. However, smaller organizations, and those with a lower number of privileged users, may not need this level of functionality. 

If you do want a password vault, you should also check whether the solution offers native multi-factor authentication, or an out-of-the-box integration with your existing MFA provider, for ease of use and configuration.

What Are The Solution’s Session Monitoring Capabilities?

Session monitoring is a critical part of privileged access management because it helps you identify suspicious activity that could be linked to an account takeover attack. All PAM solutions will offer some form of session monitoring, but the level of detail provided will vary between solutions. 

Some solutions will offer detailed activity logs, showing what users interacted with during their session with timestamps. Others will take this a step further by using machine learning techniques to compare real-time actions with historical actions so that they can identify any anomalous behavior. Some solutions offer keystroke and clipboard action logging; others still offer full video recordings of all privileged sessions.

It’s up to you to decide what level of monitoring you need—this will likely be influenced by the sensitivity of the data your privileged users will be accessing, and whether your company is bound by strict data protection and auditing requirements for compliance. 

What Are The Solution’s Reporting Capabilities? 

Session monitoring ties in directly with reporting. You need to know whether your prospective PAM solution produces reports into session activity, but you also need to know if it can generate reports into privileged access and permissions outside sessions, i.e., when credentials are assigned, to whom, and how often they’re used. 

This will be really important when it comes to proving compliance with data protection standards, but it will also help you to create a full audit trail for accountability and forensics should a breach occur. 

How Does Alerting Work?

Speaking of breaches, if there is any unusual activity within your privileged accounts, you’re going to want to know about it. It’s important to ask your PAM vendor what level of alerting they offer around abnormal use of credentials, and abnormal activity within privileged sessions. 

You should find out how alerts are delivered—will you be notified instantly by email or a pop-up notification, or will you have to periodically sign into the management portal? You could also ask whether alerts are triaged, and whether the platform offers automatic remediation options for certain incidents, to help reduce alert fatigue.  

Does The Solution Support Just-In-Time Access?

“Just-in-time” access is a method of granting privileged access permissions as and when a user needs them. This is in line with the principle of least privilege, which states that users should only be granted elevated privileged in the moment they need them, and only for as long as they need them to do their job. 

Granting elevated privileges “just-in-time”, and revoking them when no longer needed, helps limit your attack surface by eliminating standing privileges (continuous, unmonitored elevated privileges) and instances of users with higher privileges than they need. It’ll also prevent repeat attacks as cybercriminals won’t be able to sign into an account more than once using the same credentials. This restricts how long they can access your critical systems for, which greatly limits the amount of damage they’re able to do. 

No matter what PAM solution you choose, it must enable you to enforce just-in-time access and eliminate standing privileges if it is to improve your security hygiene.

For more information on granting access and standing privileges, read our article: What Is The Principle Of Least Privilege?

Can The PAM Solution Help With Compliance?

As well as implementing privileged access management to address security concerns, you might be looking for a PAM solution to help you achieve (and prove) compliance. Many data protection standards—including PCI-DSS, HIPAA, FISMA, and SOX—require organizations to apply least privilege access policies to critical accounts that store sensitive data, such as personally identifiable information (PII) and financial information. The consequence of not complying with this mandate can be a hefty fine. 

If your business is required to comply with a standard such as this, you should ask your potential PAM provider how their solution can help you do that. Some PAM solutions, for example, come with out-of-the-box support for granting just-in-time privilege. 

And as well as achieving compliance, you need to be able to prove compliance—so double check that your chosen PAM solution provides the reporting and auditing capabilities you need. 

What Is The Product’s Roadmap?

Implementing a new cybersecurity tool is an investment—not only financially, but also in terms of time and resource as your IT team deploy it and learn how to manage it. When you invest in a PAM solution, you want to be sure that it’ll continue to serve your business needs well in the coming years. To gain that assurance, you should ask your prospective PAM vendor what the product’s roadmap looks like. Do they have plans to expand the platform? Will they be introducing new functionality? Will the pricing change?

This isn’t only important in terms of your investment, but also in terms of security. It’s important to find out how often the product is updated and patched, to ensure it’s running effectively, and you’re not left with any vulnerabilities in your privileged access security. 

Summary

Privileged access management should be a key component of any organization’s identity and access security strategy. But it’s not enough to implement the first solution you stumble across—you need to make sure you’re choosing the best one to fit your business’ needs. 

Armed with the questions in this article, you’ll be in good stead to find which solution best fits your way of working. Now, you just need to decide which sales teams to quiz. 

To help you get started with your research, we’ve put together a guide to the top PAM solutions on the market, with information on their key features and what types of company they’re best suited for. You can find that guide below: