What does the concept of privileged identity mean to the Enterprise? The phrase used to refer to a narrow scope of systems administrators within an organization’s IT department. But now that definition is changing. In my most recent blog I wrote about how new customer challenges are driving an exponential increase in the number of users that are considered to be privileged. We’re also no longer just talking about people — we’re talking about services and bots — often driven by automation and DevOps.
In many organizations today, business users have access to sensitive data and now require the same kinds of privileged access management capabilities that were formerly only needed by IT. Companies using marketing automation systems, for example, need to consider that designated business users now have access to customer names and account information that could lead to a serious data breach if this data is leaked. These users need to be managed by a privileged access management solution to prevent accidental or malicious activity given the sensitive nature of the data they can access.
With these changes, is it time to redefine the meaning of privilege? I had the opportunity to discuss this question with Merritt Maxim, VP, Research Director, Forrester, during the second of our recent Symantec, a division of Broadcom (NASDAQ: AVGO), webchats centered on the topic of “Privileged Access Management: Are you where you need to be?” In this discussion we addressed the changing nature of privilege and the growing convergence between the identity access management (IAM) and privileged identity management (PIM) markets.
Here are some key takeaways from our conversation:
1. The Concept of Privilege is Changing:
The concept of privilege is changing as privilege itself expands to a broader spectrum of use cases. Merritt argues that this expansion applies not only to C-suite executives who might have greater access to internal systems but also to new use cases, such as DevOps, with its twin needs for speed and broad access to enterprise information. These requirements often come at the expense of security and governance. Another key driver is the growing range of privacy regulations, such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Privileged identity management is increasingly seen as the best way to stay compliant with these new regulations.
2. Privilege Management Enhances Security:
The more that organizations understand the need for expanding privilege, the better their security. This understanding is helping enterprises drive greater value out of their existing solutions as they extend them to broader sets of users. This is the real value that all organizations should seek to unlock, even if they don’t have an existing PAM solution. Enterprises should look to their security vendor to help them uncover emerging use cases outside the traditional IT universe.
3. The PAM and IAM Markets are Complementary:
Although the privileged and identity security markets are still separate, they are beginning to converge. The identity market remains distinct because it involves the whole workforce. The two markets also have different buying cycles and workflows. However, while they remain distinct, they are becoming more complementary. Merritt points out that there is definitely a value in having a supplier, like Symantec at Broadcom, which offers both IAM and PAM solutions.
4. Expanding the Control of Privilege First Creates Practical Experience in Implementing a Least Privilege Strategy for the Entire User Community:
Because privileged access management is more limited in scope and easier to control than a full IAM implementation, enterprises can gain valuable experience by implementing zero trust and least privilege policies for privileged users before doing it for the general user community. This strategy will help organizations create a template for applying these principles to their next projects. Implementing a PAM solution first also makes it easier for customers to get quick wins faster because far fewer business processes and stakeholders are involved. The PAM project can provide the inspiration and confidence needed to take on the larger task of implementing these principles for the entire user community, one group at a time.
New privileged access management systems, such as Symantec Privileged Access Management, that are based on the principles of least privilege and Zero-Trust and that redefine privilege in line with how it is changing, allow customers to:
- Maximize your investment: Symantec PAM combines the benefits of privileged access to new business use cases across the entire enterprise with the lowest cost of ownership.
- Protect hybrid enterprise: By expanding privilege, Symantec PAM drives greater value out of your existing solutions as it extends them to broader sets of users, controls privileged access across all IT resources, from cloud to mainframe, and complements Symantec Endpoint and Network Security solutions.
- Address Regulatory Compliance: Symantec PAM provides many of the controls governing privileged access that are mandated by emerging data privacy laws and regulatory and industry compliance mandates.
- Build your confidence and expertise: Symantec PAM serves as a template for applying principles of least privilege and Zero-Trust and makes it easier for customers to get quick wins faster.
In my next blog in this series, I will cover “Building a Zero-Trust Organization.” Please join me as I look forward to sharing more of our conversations and learnings around Privileged Access Management.