5/13/2021 Minimize User Impact When Implementing Privileged Access Management | BeyondTrust

There are two types of people in this world: Those who embrace change and the
potential benefits, and those who resist change and emphasize the potential
negative effects. When operating in the next generation economy, information
technology changes can drastically impact productivity to streamline tasks or
improve security. Rarely is the intent designed to complicate or slow processes
down, but even the best of intentions can add extra steps, mouse clicks, or
processes in the name of security. If you take a deep look as to why these
changes are necessary, the extra steps benefit the entire environment and should
be embraced rather than dismissed as a nuisance. If you consider the basic
security changes we take for granted today like logging into your computer or
even using a key to unlock a door, you recognize that additional steps are
necessary to secure an asset and the information it contains. When considering
and deploying a privileged access management (PAM) solution, the changes
required are analogous to adding a pin to your phone verses always being
unlocked. A simple step that almost everyone can embrace as a worthwhile
change for the security it provides in the long run. To that end, PAM has a similar
impact within an organization.
What is privileged access management, and how do
you minimize resistance?

By definition PAM, is comprised of 4 primary disciplines:

Privileged Password and Session Management

Privilege Elevation and Delegation Management
Active Directory Bridgin for Unix, Linux and Mac
Privilege Auditing and Reporting

When implementing any of them, there will be changes to the environment, a

user’s workflow, internal processes, and potentially be met with end user (or
administrator) resistance. So how do you adopt the solution and address the
concerns of those averse to change? Appoint an Internal Champion A key
component for any successful project is to have a trusted advisor or internal
evangelist promote and champion the project internally. They can train on the
benefits, field questions, and help temper any resistance. No one likes changes
being forced upon them but having a well-planned deployment, educating on the
changes presented to the teams, and soliciting feedback to help teams feel
empowered goes a long way to the success of any project that requires a change.
While this may seem rudimentary, it is surprising how often these premises are
missed and staff is sent a memo with new procedures with no rhyme or reason
https://www.beyondtrust.com/blog/entry/minimize-user-impact-implementing-privileged-access-management 1/3
5/13/2021 Minimize User Impact When Implementing Privileged Access Management | BeyondTrust

for the new policy and workflow. Start with a Pilot Second, start small and test
regularly. Any deployment changes that will impact the masses or key trusted
individuals need to be introduced methodically. Start small, demonstrate the
benefits and solicit feedback. Many of the changes required for PAM are just a
few extra mouse clicks. The security and compliance gained is measurable and
should be a part of the education process. For example, the new procedure
requires checking out a root password for PCI and SOX compliance using
multifactor authentication and a PAM solution. These steps ensure it is done
securely, and the session is being recorded for auditors to demonstrate
compliance, and to catch hackers that might try the same thing to infiltrate your
environment. That makes the extra steps understandable if the teams have the
best interests of the company in mind. Determine What to Focus on First Third,
something that many organizations consider the first step, is determining which
PAM project to embrace first and which one will be the most successful with
minimal resistance. To aid in this process, BeyondTrust has created a reference
document called “The 7 Steps to Privileged Access Management”. It helps
address the privilege problem by recommending solutions in order that maximize
success, in minimal time, and ultimately with the least resistance.Steps to
Implementation Based on these recommendations, the first step in implementing
PAM is generally password management. In order to deploy the solution with
minimal friction, consider the most sensitive accounts in your environment, age of
passwords, difficulty in managing password changes manually, embedded
passwords, etc. This leads to implementing privileged password management in
the following order:

1. Domain Administrators or Root on non-Windows assets

2. Service Accounts
3. Infrastructure
4. User Administrator Accounts
5. Application to Application (API) Coding

As you work down the list, you can theorize which teams will be the most
understanding to the change and which will need more educating or need time to
implement (i.e. code changes). Operations teams and security analysts will
understand the reasons why the changes are best and can become your
advocates if they are introduced into the process first For least
privilegeimplementation of Unix, Linux, Windows, and Mac – similar to managing
passwords – consider your highest risk users that have administrator accounts.
This can be everyone from server admins to helpdesk staff all the way through
end users that have admin rights or a secondary x-admin account.
While removing admin or root rights away from servers logically seems like the
best first step, it is much easier to do on Unix and Linux than Windows. This is
https://www.beyondtrust.com/blog/entry/minimize-user-impact-implementing-privileged-access-management 2/3
5/13/2021 Minimize User Impact When Implementing Privileged Access Management | BeyondTrust

simply due to the process changes needed on the different platforms in order to
be successful. Therefore, for least privilege consider the following order:

1. Removal or root privileges on Unix Linux

2. Removal of secondary administrator or root accounts for all end users
3. Elimination of needed accounts per department like the helpdesk
4. Windows Server administrators

The removal of privileges is generally the highest resistance for any PAM
implementation. Team members will try and justify reasons why they still need
these privileges and why changing the workflow hurts them. This is where
education and feedback are critical for the success of the project and the
workflow must be as close to the current process as possible. Least
privilegesolutions are designed to do this but users may not be accustomed to
two factor authentication or right clicking on an application, verses double
clicking, in order to accomplish the same administrative task based on how the
policy is configured. This is where education and trusted advocates help the
most.Consider an FAQ Doc for Teams Finally, consider a Frequently Asked
Question (FAQ) document for teams impacted by process changes. As simple as
it sounds, it can address many of the common questions like:

Will I still be able to administer servers while I am working from home or on

the road?
Will I be able to change the clock or add printers on my laptop?
If a program is no longer working, who should I call?
Why are you removing my x-admin account?
I am a developer. How can I compile code or access test servers?

If you need help with this type of document, BeyondTrust has guides for end
users, administrators, and even helpdesk staff. These guides are designed to
help create a model for a successful PAM implementation with known best
practices from years of experience. For more information on how to get started on
your PAM project, realize the additional security and compliance that a PAM
project can bring to your organization, contact us today.

Morey J. Haber,
Chief Technology Officer and Chief Information Security Officer
at BeyondTrust

https://www.beyondtrust.com/blog/entry/minimize-user-impact-implementing-privileged-access-management 3/3