Internal Considerations

Topics to reflect on internally when considering a new product or solution.

Top 5 Prerequisites – Technical

Privileged Access Management cannot be isolated from other areas of IT Security. Thus, there are some technical prerequisites that should be met before any PAM project is started.

Audit of all affected IT systems and services

If PAM is to be effective across an organization, a technical audit of all IT should be undertaken to see how and where privileged accounts interface with other IT components and other parts of the organization. This will encompass all types of computing devices, operating systems, and platforms and enterprise uses, including mobile, virtual, cloud, and IoT.

Deployment platform choice

PAM can be deployed on-premises (including as a virtual appliance), in a private or public cloud or delivered as a service from the cloud (PAMaaS). Before deployment, organizations should decide on which platform suits the organization best – choices here will be influenced by industry sector, size of company, level of technical resources in-house and likely future demands and cost.

Big picture of cybersecurity

Detection and remediation of threats to privileged accounts is a critical component for an overall cybersecurity strategy and architecture. However, these tools must complement and interoperate with other cybersecurity tools. Additionally, adding PAM to your security architecture may require bringing in knowledgeable security analysts to administer it.

Defined roadmap of deployment

IT architects must create a plan and schedule for deployments. Depending on the size of the organization in question, a phased approach may work best.

Technical expertise in PAM and related tools

Organizations must ensure that they have technical expertise for PAM if they are to run it fully in house and on-premises. Like any IT tool, PAM solutions vary in ease of deployment and usage. Therefore, organizations need to balance the needs and size of the organization with cost, availability of technical resources when choosing a PAM solution. For some organizations, a PAMaaS may be the best route forward.

Top 10 Prerequisites – Organizational

Success in PAM rollout depends not only on the technology selected; there are also various organizational prerequisites.

Defined responsibilities for PAM development

In large organizations, members of the IT security team may go on to become internal “product managers” for PAM solutions and policies. Smaller organizations may rely on an IT leader or MSP.

Technical ownership defined

Those PAM solutions that are managed and operated in-house will need administrators appointed as well as technical leaders to authorize usage and product lifecycles.

Business case

There must be valid business cases for the project. For privileged access management, avoiding costs associated with lost data via privileged accounts is the primary driver.


There must be sufficient budget approved.

Central IT security organization in place with sufficient power to achieve goals

To be effective, PAM deployed across many types of computing devices, operating systems, and platforms that the enterprise uses. The project must be backed at the C-level. It needs both technically knowledgeable people as well as people with business knowledge to determine which are the most important assets to succeed.

Guidelines and policies

Ensure that guidelines for Information Security in general and PAM in particular are defined and mapped to policies.

Incident response team

Each organization needs a group dedicated to handling breaches and other security incidents. Each team member should have specific roles and responsibilities. This team handles initial responses, investigations, containment, remediation, and communication. A PAM expert should be part of this process.

Defined processes

Define the Incident Response processes – who reacts? What are the recommended steps to be taken for different kinds of incidents? What kinds of automated responses will be acceptable to the organization? Who is informed? Who communicates with executives and other users? Who communicates with external parties, such as partners, customers, and perhaps the media?

Risk rating of systems (and information)

Understand the risks to systems and, better, information assets. Base security policies on risks and appropriate mitigation techniques.

Security Awareness Training

Train users to avoid suspicious emails and attachments that are targeted towards users of privileged accounts. Train responders how to investigate incidents, contain damage from events, and restore to fully operational state.