Privileged Access Management (PAM) – Why It Is Important


What is privileged access management (PAM)?

Users with privileged access accounts can cause major damage to your organization. Privileged accounts have elevated access rights. These accounts could be used by humans or machines. Think of accounts like domain or local administrative accounts. Other types of privileged accounts may include accounts that have broad access to underlying company information that lives in applications and databases.


To manage this risk, organizations need to have a privileged access management, or PAM, solution in place. PAM puts special controls in place to secure privileged access accounts and track their usage. Think of PAM as holding the keys to the IT kingdom. PAM is used to protect against the threats posed by credential theft and privilege misuse. PAM is different from identity and access management (IAM), but they are closely related.


Good PAM solutions support just-in-time privileged access programs and zero trust security architectures. A central goal is the enforcement of least privilege, defined as the restriction of access rights and permissions for users, accounts, applications, systems, devices (such as IoT) and computing processes to the absolute minimum necessary to perform routine, authorized activities.

What are the main features of a PAM system?

PAM systems include, but are not limited to, the following five key features:

  1. Password Vaults – Password vaults are secure encrypted repositories that store passwords used to access sensitive accounts. With password vaults, nobody knows the passwords for the privileged accounts. Passwords are created automatically by the password vault. When a user needs to log into a privileged account, they log into the password vault and the password vault then logs into the target system. The security of the privileged account password is maintained, even when multiple users access the same privileged account.
  2. Command Proxying – PAM provides proxying of commands, which eliminates the need for direct server access. Instead of a user logging into a remote system directly, the privileged account manager receives the command that the user wishes to execute, verifies the user is authorized, then issues the command to the target system on the user’s behalf.
  3. Monitoring – PAM provides enhanced monitoring capabilities that can log every action taken by a user in a privileged session. The logs are stored for later review. This allows auditors or investigators to retrace the steps taken with administrative privileges.
  4. Credential Management – PAM typically performs account management functions. This can include rotating passwords automatically, which will create new and strong passwords.
  5. Emergency Access Workflow – This is necessary when a user needs to bypass the account manager and access a system directly with administrative rights. This is a “break glass” scenario. The account manager should allow this with permission from a manager. The account manager would then log the emergency access and ensure the emergency password is changed after the disclosure.
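
The five features above, modelled as one flow in an added Python example (not part of the original article and not any vendor's code). The class, user, host and command names are hypothetical, and the rule that the approver must be someone other than the requester is an assumption.

```python
import secrets
from datetime import datetime, timezone


class PamBroker:
    """In-memory model of a PAM account manager (hypothetical, for illustration)."""

    def __init__(self, policy, managers):
        self.policy = policy        # user -> set of (target, command) pairs
        self.managers = managers    # users allowed to approve break-glass
        self._vault = {}            # target -> current password; run() never returns it
        self.audit = []             # monitoring: one record per privileged action

    def _log(self, user, target, action, outcome):
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "target": target, "action": action, "outcome": outcome,
        })

    def rotate(self, target):
        # Credential management: the vault generates the password, no human picks it.
        self._vault[target] = secrets.token_urlsafe(24)
        self._log("vault", target, "rotate", "ok")

    def run(self, user, target, command, execute):
        # Command proxying: verify authorization, then act on the user's behalf.
        if (target, command) not in self.policy.get(user, set()):
            self._log(user, target, command, "denied")
            raise PermissionError(f"{user} may not run {command!r} on {target}")
        output = execute(target, self._vault[target], command)
        self._log(user, target, command, "executed")
        return output

    def break_glass(self, user, target, approver):
        # Emergency access: requires a manager's permission.
        # Assumption: the approver must not be the requester.
        if approver not in self.managers or approver == user:
            self._log(user, target, "break_glass", "denied")
            raise PermissionError("break-glass requires approval from a manager")
        self._log(user, target, f"break_glass approved_by={approver}", "disclosed")
        return self._vault[target]

    def end_break_glass(self, user, target):
        # The disclosed password is changed once the emergency is over.
        self.rotate(target)
        self._log(user, target, "break_glass_closed", "rotated")


def fake_target(target, password, command):
    # Constructed stand-in for a real server; a real proxy would open a session here.
    return f"{target}: ran {command}"


def demo():
    broker = PamBroker(
        policy={"alice": {("db01", "systemctl restart postgresql")}},
        managers={"carol"},
    )
    broker.rotate("db01")
    ok = broker.run("alice", "db01", "systemctl restart postgresql", fake_target)
    try:
        broker.run("alice", "db01", "useradd tempadmin", fake_target)
        denied = False
    except PermissionError:
        denied = True
    disclosed = broker.break_glass("alice", "db01", approver="carol")
    broker.end_break_glass("alice", "db01")
    still_valid = disclosed == broker._vault["db01"]
    return ok, denied, still_valid, [r["outcome"] for r in broker.audit]


if __name__ == "__main__":
    print(demo())
```

The audit list records the denied command as well as the executed one, which is what lets a reviewer retrace both what was done and what was attempted.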

Summary

Users with privileged access accounts pose a major risk to your organization. To manage this risk, you need to have a privileged access management (PAM) solution in place. PAM needs to be a critical component of your organization’s cybersecurity strategy.

Identity Access Governance Benefits Your Business in 4 Ways


Identity and Access Management, or IAM, is a framework of policies and technologies within an organization that ensures the right people have access to the right resources at the right time for the right reasons. IAM plays an important role in any organization’s security program. Today more than ever, organizations need to protect who has access to their applications and data. This can be achieved through identity access governance.

When we refer to identities, we are referring to digital identities. These include employees, contractors, partners, and customers. They could also include applications, devices, software bots and temporary identities that perform work in the cloud.

Without proper identity access governance, it is challenging for organizations to assign and keep track of the applications and resources that identities have access to. Some organizations have hundreds, even thousands of applications.

Here are four important ways that identity access governance benefits your business:

1 – Strengthen security and lower risk – Compromised identities caused by weak, stolen or default user credentials are a threat to organizations. With centralized visibility into access data, you can detect and address inappropriate access, policy violations or weak controls that put your organization at risk.

2 – Improve compliance and audit performance – Identity access governance allows organizations to verify that the right controls are in place to meet the security and privacy requirements of regulations like SOX, HIPAA and GDPR. You can establish more repeatable practices for a more consistent, auditable, reliable, and easier to manage access certification effort.

3 – Deliver fast efficient access to the business – By giving your users timely access to the resources they need to do their job, identity governance enables them to become more productive. It also empowers business users to request access and manage passwords, which reduces the workload on Helpdesk and IT operations teams. With automated policy enforcement, identity access governance allows you to meet service level requirements without compromising security or compliance.

4 – Reduce operational cost – Identity access governance automates labor intensive processes such as certifications and password resets. This can reduce the time IT staff spends on administrative tasks.

There are many identity access governance administration systems on the market to choose from. Gartner recently provided a list of top IAM systems for 2021.

If your organization needs help to select and put in place an identity governance system, MacIsaac Consulting can help. We have helped both large and small organizations successfully deliver IAM programs. We help companies stay compliant and avoid access deficiencies related to risk and compliance audits.

Reach out to us today for our free consultation and assessment.

About the Author: Mike MacIsaac is a principal IAM consultant for MacIsaac Consulting.

Trust Is the Key To Management in 2021

As an IT program manager, I have long felt that there is no better form of communication than two people face to face at a white board. I am an advocate of teams sitting close together to collaborate. The Agile way. While Agile teams usually sit together, there is another element of Agile more important than where people sit. Trust. Trust is the key to successful teams.

When the pandemic hit and everyone had to work from home, I thought it would crush team efficiency. Like many things in life that I made presumptions about, I was wrong. The remote program teams I have worked with have been productive and efficient. We use tools like MS Teams to collaborate throughout the day. In many ways, the remote work has brought about more efficiency. It has eliminated the time required to prepare and travel to the office.

Remote work provides companies with cost savings due to requiring less office space. This and the fact that work productivity remains high will make working from home permanent for many. This is especially true for those who work in technology. For this reason, the task for managers in 2021 is to improve and promote trust.

Once Covid-19 took hold in 2020, many in management had difficulty adjusting to a new way of working from home. They did not empower and trust their staff, they micromanaged. This combined with kids being home from school drove stress and burnout through the roof for many. Work life balance got way out of whack.

The key to managing those working from home is trust. Towards the second half of 2021 things will start to return to some level of normalcy. In the meantime, let us trust employees to do their jobs, whether they are in the office or not.

About the Author: Mike MacIsaac is a principal IT consultant for MacIsaac Consulting, providing IT Agile and cyber security consulting.

Happy Holidays from MacIsaac Consulting!

Our purpose at MacIsaac Consulting is to create long term relationships built on trust. Although 2020 has been a challenging year, we are grateful for our clients, friends and family.

Looking ahead to 2021 we are optimistic! The right set of circumstances are in place for companies to gain tremendous value through digital projects. Optimizing and securing data should be top priority across industries.

We are ready to help companies along their digital journey and we also hope to provide consulting opportunities for those who were out of work due to the pandemic.

We wish you and your family a safe and healthy holiday season!

Kind regards,

Mike & Tere MacIsaac

MacIsaac Consulting provides IT delivery, cyber security and agile transformation consulting. Connect with us or subscribe to the MacIsaac Consulting blog.

5 Ways To Improve Agility and Adapt a Product-Driven Mindset

The concepts of improving agility and adapting a product driven mindset are not new. Yet many companies struggle to make any meaningful change. Why do they struggle? In short, they invest in Agile training and focus on processes but fail to address culture, roles, and talent skills. They slap new labels onto old roles without changing organizational structure.

Below are five adjustments companies can make to have success changing to a product-driven model with measurable results:

Form stable cross functional teams. A stable cross functional team is made up of people from different areas within the company (IT, business, operations…etc.). This is a shift away from functional silos where resources are farmed out to various projects. Allocating resources to projects follows the outdated Taylorism philosophy that people are replaceable. 

Within cross functional teams, experts work together to achieve a common goal. Over time the team develops synergy and becomes high performing. The team synergy exceeds the productivity of individual efforts.

Work is brought to teams instead of “bringing people to work”. Teams that stay intact allow for expertise and relationships to build over time, improving velocity and morale.

The picture below represents the product team model made popular by Spotify. The squads are teams, and the chapters represent skillsets.

Hold business and technology organizations accountable. Agile delivery is not only an IT practice. The business needs to be committed and held accountable for the success of product outcomes. In a recent study conducted by Deloitte of companies that implemented Agile methods, they found that 31% of the business still did not understand Agile. The business must have skin in the game, and they must go through Agile training.

Hire and train for emotional intelligence. Tech skills are essential, but interpersonal skills and business knowledge are more critical than ever. Since the product driven model is team based, team members need to be able to collaborate. This is all dependent on how well the team can harmonize, which requires emotional intelligence or EQ.

EQ represents self-awareness, self-regulation, motivation, empathy, and social skills.

When a team is made up of people with high IQ and EQ, the team has a strong group IQ. Group IQ is the sum of the talents and skills on the team. In Daniel Goleman’s book “Emotional Intelligence”, he writes: “The single most important element in group intelligence, it turns out, is not the average IQ in the academic sense, but rather in terms of emotional intelligence. The key to a high group IQ is social harmony.”

Managers need to empower and coach, not command and control. In a product model there is a shift away from command and control towards trusting teams to make decisions. This removes the organizational bottleneck of decision making and enables work to get done faster. Management holds teams accountable for results, but teams are empowered to make decisions.

Agile training can help managers understand their role in an agile product-driven organization. They will learn how to let go of control and start coaching. Sir John Whitmore, author of Coaching for Performance, defines coaching as “unlocking people’s potential to maximize their own performance” (Whitmore, J, 2017).

Develop technical acumen for business leaders. Business leaders today must have technical acumen; this is the new normal. Business and technology work together as one. Technology leaders also need to have strong business acumen. More and more we are seeing the need for technology leaders to step up and lead beyond their role in IT. Leaders with strong technical and business acumen are best positioned to lead their organization towards increased agility.

*********

There has never been a greater need for agility than our current era of digital transformation. By shifting to a product-oriented approach, companies can stay competitive and deliver value early and often to their customers.

About the Author: Mike MacIsaac is a principal IT consultant for MacIsaac Consulting, providing IT Agile and cyber security consulting.

MacIsaac Consulting is Proud To Be Minority Owned

Tere MacIsaac – Owner, CEO & President

MacIsaac Consulting is proud to be certified as a minority owned business by the North Central Minority Supplier Development Council (NCMSDC). We are also proud to be certified as a woman owned business by the Women’s Business Enterprise National Council (WBENC).

Our Capabilities

MacIsaac Consulting is an IT consulting firm that specializes in Agile consulting and Digital Security.

Agile Consulting – We teach companies how to deliver products to market faster by using Agile frameworks such as Scrum, SAFe and Kanban. Our certified Agile consultants can provide coaching at the enterprise or team level. We also provide Agile Scrum Masters, Program/Project managers, delivery leads and developers.

Digital Security – We provide digital security consulting, specializing in Identity and Access Management (IAM). Our consultants have delivered large scale IAM projects for large financial services organizations. We have specific expertise with SailPoint IIQ implementations. In the wake of Covid-19, we recognize the importance of digital security and we help companies safely secure their user access and data.

Company History

Since 2016 we have supported many companies with their Agile IT and digital security needs. Our consultants show companies how to break down barriers that impede agility. We teach our clients how to deliver value early and often through small cross-functional teams. Our core values are trust, commitment and results.

Our Leadership Team

Tere MacIsaac – Owner, CEO & President
BS, Mathematics
University of Philippines
Mike MacIsaac – Vice President
MBA, PMP, A-CSM, Bethel University
Business Certificate of Excellence, Carlson School of Management,
Ryan Shea
Agile & DevOps Delivery Lead
BA, CPPM, PMI-ACP, University of Minnesota
Kerry Ann MacIsaac
Board Member & Adviser
BA, Business Administration, Villanova University

Reach out and connect with us. We are more interested in building relationships founded in trust than trying to sell services.

Contact Information

MacIsaac Consulting

5201 Eden Ave Suite 300, Edina, MN 55436

info@MacIsaacConsulting.com

Phone: 612-670-9204


How To Destroy an Agile Transformation In 3 Easy Steps


Agile transformation continues to be a goal for many organizations. The old sequential approach to product delivery (Waterfall) is no longer adequate. To respond to change and compete with the speed of globalization, companies must move to an Agile model. The goal to improve agility is not limited to the tech industry. Financial services, retail, healthcare, and many others are all on board with Agile.

Many companies find the shift to Agile difficult. As a consultant, I know the challenges firsthand. Some of the problems are more difficult than others. For example, a company culture at odds with Agile values is a major problem. No number of Agile consultants will be able to come in and change a company’s culture. Other, more avoidable problems are due to managerial decisions.

This article is about how management can destroy an Agile transformation in three easy steps. To be clear, this is what not to do.

1 – Put a non-Agile person in charge of the Agile transformation

I know this sounds ridiculous, but I have seen it happen many times. A CEO, who does not understand Agile, provides a bucket of money to a senior leader, usually in IT. The CEO says, go off and do that Agile thing you keep talking about. Unfortunately, the CEO does not realize that they put the wrong person in charge. It is difficult for people who spent their whole career working in a traditional Waterfall setting to change their mindset. They might claim on the outside that they are for Agile, but often their behavior conflicts.

There is no surer way to destroy an Agile transformation than to put a Waterfall person in charge. My recommendation to companies is to create a new position for the role of the Agile leader. Look within the company to find the right person, someone with an Agile mindset, to fill the role. If the right person does not exist within the company, then hire one from outside.

2 – Keep using a balanced matrix organizational structure

The balanced matrix organizational structure is suitable for Waterfall, not Agile. Agile is about using stable cross functional product delivery teams. Work gets flowed through the teams, as opposed to forming teams around work. Agile organizations use a Product delivery model, not a Project model. For more on how the balanced matrix organization conflicts with Agile, see my post “Why Middle Management Is The Ultimate Agility Killer”. For more on the importance of changing from a Project to Product model, see my post “Why Product Focus Is So Important”.

3 – Force teams to use specific tools and processes

In Agile, individuals and interactions are valued more than processes and tools. The traditional PMO mindset loves processes and tools. Some of the clients I have worked with would have meetings upon meetings discussing processes. You need processes but PMOs bogged down with processes and bureaucracy kill agility. The same is true with tools. Forcing all teams to use the same tool, like Jira or VersionOne, is not good. Often management will want teams to use the same tool for reporting purposes. This is wrong because Agile teams need to be empowered and have autonomy.

Summary

If you want to improve your chances of having a successful Agile transformation, do the following. 1) Put someone in charge of the transformation who has an Agile mindset. Do not use someone who has worked their whole career using Waterfall. 2) Do away with the balanced matrix organizational structure. Put in place stable product delivery teams with single line management structures. Start delivering using a product model instead of a project model. 3) Let teams be autonomous, do not impose rigid compliance to processes and tools.

About the Author: Mike MacIsaac is the principal consultant for MacIsaac Consulting. Mike provides leadership as an IT Project and Program Manager as well as an Agile Scrum Master. You can follow Mike on Twitter @MikeMacIsaac or subscribe to Mike’s blog.

3 Ways To Improve Cyber Security In Wake of Covid-19

From an increase in online shopping to entire workforces working from home, cyber security is more important than ever. The Covid-19 pandemic has forced corporate technology executives to focus on protection.

Shankar Arumugavelu, CIO of Verizon Communications Inc., states “The three things that keep me up at night are credential thefts using phishing attacks and malware, the threat of social-engineering attacks to manipulate customers and employees into divulging confidential or personal information, and third-party risk management to prevent malicious actors from infiltrating our network via our partners’ systems.”

Shankar’s concerns are well founded. In response to Covid-19 there have been major spikes in fraud and online scams. Consumers are being targeted using phishing. IT systems have been under increased hacking attacks. The FBI has reported a 300% increase in cybercrimes since the beginning of the Covid-19 Pandemic (The Hill).

To deal with these increased threats, here are three ways to improve cyber security:

  1. Review and communicate data security policies and practices. Employees are your company’s first line of defense. Review and update data security policies to ensure they are compatible with a remote work setup. Communicate data security policies to your employees and send frequent reminders to employees about data security best practices while working from home. Remind employees to be diligent in their review of emails before opening links or attachments, and to report phishing attempts as soon as possible once discovered.
  2. Tighten up IAM (Identity and Access Management). Limit access to protected and confidential information. Consider restricting employee access to confidential and protected information on a role-specific basis. This will ensure employees have access to only the information needed to complete their specific duties. It is important not only to protect the perimeter of systems, but also the underlying data. You must be asking the who, what, where, why and how for every attempt to gain access to your critical data. This requires relentless authentication. For more on the importance of identity and access management, see my post “IAM is more important than ever”.
  3. Use strengthened VPN access. To the extent possible, encourage employees to work using a virtual private network (VPN). This will provide an extra layer of protection to your company’s information. Put in place multifactor authentication for VPN access, IP address whitelisting, limits on remote desktop protocol (RDP) access and added scrutiny of remote network connections.

In the wake of Covid-19, improved cyber security needs to be top priority. CIOs and technology executives must lead the effort to protect their systems, users, and data. All it takes is one breach to compromise an entire system and cause a crisis.

About the Author: Mike MacIsaac is a principal IT consultant for MacIsaac Consulting. MacIsaac Consulting, based out of Minneapolis MN, provides IT Agile delivery consulting and staffing.


Tech Companies are Pioneering How to Work Remotely

In the wake of the coronavirus, Facebook and Twitter have announced plans to enable their entire work force to work remotely. These tech companies are pioneers for a new model of work in a post coronavirus world. Companies in all industries should take note. The pandemic is forcing an accelerated adoption of remote work. Paul Daugherty, chief technology for Accenture said that “This will be an electric shock to the system. Companies are on the hook to rethink the work experience, and the work tools, for their cocooning employees”.

Most companies treat their current remote work as a temporary solution to deal with the coronavirus pandemic. This mindset needs to change. Companies need an intentional work from home model, not temporary mitigation. IT executives must reassess priorities to ensure the right IT tools are in place for their organization.

Darren Murph, head of remote at GitLab Inc., says “IT leaders should be setting up tools and processes as if everyone at their company is remote, with clear explanations of how tools should be used”. The focus needs to be on the employee digital experience. Network monitoring is also crucial to ensure that IT systems and applications are performing well.

This new model of sustained remote work is not all about technology. We also need to focus on employee well-being. Since the start of the pandemic, more employees are suffering from meeting fatigue. Christie Struckman of research firm Gartner Inc, states “Many employees say they are having at least double the number of meetings compared with before the pandemic”. Leaders must trust and empower employees to get work done, without micromanaging or having constant meetings.

In the coming months, we should see companies begin allowing some percentage of their work force to return to the office. Hopefully, it will not be long before a vaccine is in place. Yet, it is important that company leaders not treat remote work as temporary. What is to say that a second wave of the virus will not occur? Or what if some other pandemic or external crisis hits us down the road? The future of work is here and leaders from all industries should take note from Twitter and Facebook. An intentional remote work model may be required for survival.

About the Author: Mike MacIsaac is a principal consultant for MacIsaac Consulting. MacIsaac Consulting, based out of Minneapolis MN, provides IT Agile delivery consulting and staffing.

5 Tips For Managing Projects During the Pandemic

The Coronavirus pandemic has changed the way we live. People are doing everything they can to adjust to the challenges of working from home. Being distracted by kids and dealing with video connection issues are part of everyday life. Across the country, people working from home are dealing with stress and anxiety overload.

For project managers, this way of working is particularly challenging. Project management is all about fostering collaboration and communication. Not having the ability to meet in person is a killer. To add to this dilemma, most project managers are expected to hit their original project goals.

To help navigate these challenges, here are 5 tips for project managers:

  1. Trust your team members – The natural tendency for project managers during this crisis is to grip down on team members. It may feel counter intuitive but give your team members space and trust that they will complete their tasks. If you foster a sense of trust within the team people will deliver results.
  2. Use team working agreements – If your project team doesn’t have a working agreement, now is the time to create one. As a team you should agree and commit to how you will work together during this difficult time. You may agree that everyone should be available and working online by 9AM. You may agree that between 2-4PM, there will be no meetings to allow heads down working time. These are examples. It’s important that everyone on the team commits to a working agreement. For more on team agreements, check out this video.
  3. Use a tool like Hipchat or Slack – Chat tools like Hipchat or Slack are great for times like this. A chat tool gives you a virtual way to collaborate with your team. These tools go beyond instant messaging. Having a dedicated chat room for your team is like being in an agile pod with your team. The chat room is open all day for anyone to pop a question out to the team.
  4. Call and text people, but only when necessary – For project managers, having the ability to call or text people is critical, but use caution. Unless it’s critical, try not to call or text your team members. Instead, schedule times for calls or use email. People are under a lot of stress and having a project manager hound them with text messages and calls is only making matters worse.
  5. Only deliver high value scope – Put a hyper focus on backlog prioritization. Work with your product owner to ensure you are only working on the highest priority items. Now is not the time to be working on low value bells and whistles. Only commit to the high value items during this difficult time.

Summary – We are going through an unprecedented time and everyone is under stress. Do what you can to empathize with your team and allow them to work at their own pace. Put a team working agreement in place and use chat tools to collaborate online. Do not micromanage. If you promote a healthy culture on your team and lead with empathy, you and your project will get through this.

About the Author: Mike MacIsaac is a principal consultant for MacIsaac Consulting. MacIsaac Consulting, based out of Minneapolis MN, provides IT Agile delivery consulting and staffing.