PAM: High Impact, High Failure Rate

by | Jul 1, 2019

(PAM) Priviledged Access Management: High Impact, High Failure Rate

Privileged Account Management (PAM) is a critical function in a modern cyber security program.  PAM programs have a high fail rate for a variety of reasons, including:

  • Lack of understanding of key risks around privileged accounts
  • Resistance from system administrators due to (perceived or actual) onerous workflows for common tasks
  • Workflow design compromises to accommodate user requests
  • Failure to bench test implementation against common attack techniques through penetration testing or Purple Teams

One key challenge in successfully selecting, implementing, and operating a PAM platform is the lack of explicit guidance from common security frameworks.  PAM “best practices” have for many years been a mishmash of guidance from PAM vendors – some good, some aimed at quick and easy implementations (aka not in the best interest of security).  Recently, an effort to address these shortcomings was undertaken in the document series NIST SP1800-18, Privileged Account Management for the Financial Services Sector.  Reading this you might think, well I’m not in the Financial Services sector, so this isn’t for me.  However, the details of this framework have no specific relevance to any industry; the only thing related to Financial Services is a mapping to FFIEC controls (there is also NIST CSF, SP800, and ISO 27001).  Be aware that in its current state as of this writing, the framework is in a draft state, though a very complete draft.

One of the key strengths in the SP1800-18 framework is the communication and visualization of different acceptable architectures.  These can assist significantly in helping cyber security professionals understand how effective PAM workflows should look.

Effective PAM workflow

The modeled workflows in SP1800-18 are not the only effective mechanisms available, because every implementation is unique.  Another excellent resource for PAM architecture and approach is the Microsoft PAWS methodology (  The PAWS (Privileged Account Workstation Solution) is a representation of “The Microsoft Way” of PAM, and excels in that it is highly pragmatic and largely vendor and tool agnostic.    It provides a phased approach that walks through a real-world way to go from nothing to the desired level of control in a reasonable period of time.  Interesting concepts here include:

  • Use of privileged accounts through an Administrative Jump Server, usually paired with a password management system and multi-factor authentication
  • Local Administrative Password single-time use with randomization
  • Recommending use of the “Clean Source Principle”, meaning that users are not able to even reach the Administrative Jump Server, unless they are coming from a specific, hardened and secured device.
  • Most interesting about the “Clean Source Principle” is that the recommendation is to give administrators a second workstation, often bound to a different domain, segmented from general network traffic, and with no access to common attack vectors, including the internet or email.
  • An alternative to providing a second physical workstation is to use a virtual machine setup, where high risk computing (internet, email, etc) is accessed using a virtual machine on the physical host, while the physical host serves as the administrative PAW.  This containerizes high risk actions within the realm of the VM.
  • Advanced domain architectural designs, known as Enhanced Security Administrative Environment (ESAE), sometimes referred to as a Red Forest design.  This design implements a single AD forest with downward trust and several layers (Tier 0/1/2) that represent Domain Administrative functions, Server Administrative functions, and Workstation Administrative functions, respectively.  These effectively create “blast zones” that makes it significantly harder to gain widespread access to a user environment.

At SRA, nearly all of our penetration tests and Purple Teams include some level of domain compromise, which demonstrates widespread access to internal systems and resources.  From an attacker standpoint, one of the single most critical things an organization can do to improve in this area is to implement the people, processes, and technology to properly protect privileged credentials.

There are many tools and vendors on the market, and it can be highly confusing; tools often do some, but not all of the functions outlined within, and some of the most effective mechanisms you can put in place require cultural and process change.  As part of our H24 Cyber Security Framework, we created a CMMI based maturity scoring mechanism to stitch together key criteria for enhancing the maturity of your PAM program, including many of the technical controls outlined in NIST SP800-53, NIST SP1800-18, and MS PAWS.   We have included this framework here below for your reference, as a way to assess your own maturity level and start to plan to enhance your overall maturity scale.   We’d love to hear your feedback

[table id=4 /]


About the H24

The SRA H24 Framework provides a similar level of maturity evaluation detail across 24 different cyber security topics, and is aligned with NIST, ISO, HITRUST, and FFIEC frameworks. Each tile contains a detailed maturity scoring system that helps assess current state and prioritize items for future implementation.  It provides a visual and quantitative means for communicating about your security program and is used by many of our clients for everything from board level reporting to the backbone of their tactical security program.

H24 Honeycomb Framework by Security Risk Advisors

H24 “Honeycomb” Framework by Security Risk Advisors



  • Mike is nationally recognized as a leader in the field of cybersecurity, has spoken at conferences including HITRUST, H-ISAC, RSS, and has contributed to national standards for health care and public health sector cybersecurity frameworks. Mike focuses on security architecture, cloud security, data protection, purple teams and electronic medical record protection programs. Mike joined Security Risk Advisors in 2018 was formerly the first CISO at University of Rochester Medical Center, has served as CTO in two roles, and as adjunct faculty at Rochester Institute of Technology.