Scalable PAM: adapting the control level to the context of the interventions


Privileged Access Management (PAM) is a major security issue for organizations because it lets the IT department control who does what on its information system and keep privileged accounts secured. However, some PAM solutions offer a wide range of functionalities that are not always suitable for organizations whose use of privileged users is limited. For this reason, deploying a scalable PAM product that adapts to the organization’s current context and can evolve with its needs is essential for organizations that want adequate control of privileged users while keeping a margin of evolution in the security level, one that can be activated quickly when needs change.

Why deploy a scalable PAM product?

The main benefit of a scalable PAM product is that it allows an organization that may not have a privileged monitoring solution in place to control its privileged access with a product that is adapted to its needs when deploying the solution. Needs are different depending on whether the organization has internal administrators, on its premises or remotely, or external service providers, for routine or sensitive tasks or in a highly regulated environment.

The objective is the same in all cases: the control of privileged users’ access and actions. A standard level of PAM will allow an organization to achieve this objective when it employs internal administrators performing routine administration tasks from the organization’s premises. In particular, the PAM product must be able to secure access to the privileged account and to track and record the user’s actions.

An advanced level of PAM will address internal administrators who are potentially mobile and who perform sensitive tasks on the information system. The challenge for the PAM product is first of all to secure the connection flows, given that the administrator may be connecting from a network not controlled by their organization. Password rotation mechanisms and automatic, real-time blocking of certain administration actions will be essential given the criticality of this intervention level.

Finally, a level that can be described as “full”, dedicated to the privileged access of IT service providers and/or to highly regulated contexts such as those of OVIs (operators of vital importance) and OESs (operators of essential services), will offer a higher level of security. This will be achieved by providing, for example, a sterile and disposable virtual workstation to administrators, by associating the PAM with third-party solutions such as hardened thin-client terminals, or by integrating a CDS (Cross Domain Solution) appliance to secure exchanges between two networks of different sensitivity levels.

A scalable PAM product also has a financial interest for the company, as it allows advanced security features to be activated only when the organization needs them. Thus, a scalable PAM product limits the impact on the budgets allocated to information system security compared to a non-scalable PAM product.

What level of control to choose?

Three elements mentioned above should be taken into account when defining the appropriate level of control for the scalable PAM product: the profiles of privileged users (internal administrator within the organization’s premises, internal administrator on the move, and external administrator / provider), the level of criticality of the administration tasks (routine or sensitive tasks), and the type of company (its field of activity or whether it belongs to a regulated sector).

The PAM level chosen will be determined according to these elements but will always have to adapt to the strictest variable in terms of security. For example, a standard level may be sufficient for a regional agri-food company employing only its own internal administrators on its own site, whereas a national electricity supplier should choose a “full” level even if it employs only its own internal administrators on its own site, since its strategic sector of activity is subject to strict cybersecurity regulations.
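The “strictest variable wins” rule above can be made explicit as a small policy function. The following is an added illustration, not Systancia code or a description of how Systancia Cleanroom decides its level: the three level names and the two scenarios (the agri-food company and the electricity supplier) come from the article, the controls listed per level paraphrase the article’s text, and the enum values, dictionary keys and function names are assumptions made here for the example.

```python
"""Choose a PAM control level from the three context variables the article names.

Added illustration (not Systancia code). Level names and the "strictest variable
wins" rule follow the article; per-level controls paraphrase it; the value names
and function names below are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable


class Level(IntEnum):
    """Ordered so that max() picks the strictest level."""
    STANDARD = 1
    ADVANCED = 2
    FULL = 3


# Each context variable maps its possible values to the minimum level it demands.
# (Value names are assumptions; the mapping follows the article's three tiers.)
PROFILE_LEVEL = {
    "internal_on_site": Level.STANDARD,
    "internal_mobile": Level.ADVANCED,
    "external_provider": Level.FULL,
}
TASK_LEVEL = {
    "routine": Level.STANDARD,
    "sensitive": Level.ADVANCED,
}
SECTOR_LEVEL = {
    "unregulated": Level.STANDARD,
    "regulated": Level.FULL,  # e.g. OVI / OES obligations
}

# Controls each level adds on top of the lower ones (summarised from the article).
CONTROLS = {
    Level.STANDARD: [
        "secure access to the privileged account",
        "track and record the user's actions",
    ],
    Level.ADVANCED: [
        "secure connection flows from uncontrolled networks",
        "password rotation",
        "automatic real-time blocking of sensitive administration actions",
    ],
    Level.FULL: [
        "sterile, disposable virtual administration workstation",
        "hardened thin-client terminal",
        "cross domain solution between networks of different sensitivity",
    ],
}


@dataclass(frozen=True)
class Context:
    profile: str
    task: str
    sector: str


def required_level(ctx: Context) -> Level:
    """Strictest variable wins: the max of the three per-variable minimum levels."""
    try:
        levels = (PROFILE_LEVEL[ctx.profile], TASK_LEVEL[ctx.task], SECTOR_LEVEL[ctx.sector])
    except KeyError as exc:  # reject unknown values instead of silently defaulting down
        raise ValueError(f"unknown context value: {exc.args[0]!r}") from exc
    return max(levels)


def required_controls(level: Level) -> list[str]:
    """Cumulative control set: each level includes everything the lower levels require."""
    return [c for lvl in Level if lvl <= level for c in CONTROLS[lvl]]


def fleet_level(contexts: Iterable[Context]) -> Level:
    """Several kinds of intervention coexist: the product must be able to serve the strictest one."""
    return max(required_level(c) for c in contexts)


if __name__ == "__main__":
    # Constructed scenarios taken from the article's own two examples.
    agri_food = Context("internal_on_site", "routine", "unregulated")
    electricity = Context("internal_on_site", "routine", "regulated")
    for name, ctx in (("regional agri-food company", agri_food), ("national electricity supplier", electricity)):
        lvl = required_level(ctx)
        print(f"{name}: {lvl.name}")
        for control in required_controls(lvl):
            print(f"  - {control}")
```

Note that the electricity supplier lands on FULL even though its administrator profile and task criticality alone would only require STANDARD; the sector variable dominates, which is exactly the point of the rule.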

Systancia Cleanroom, Systancia’s scalable PAM product, allows organizations to adapt the level of control of their privileged users to the context of the interventions but also to the intrinsic specificities of the organization.