Privileged Access Management - Back Then & Now

10 years ago, I still remember when I was trying to promote Privileged Access Management solution to my customers in early days, literally shared the concept of "invisible eye" (session recording) to them, the reactions were "Wow, that's amazing technology but - no way, you know what..."

• All our employees are good people, they are here for long, trust is never an issue here
• I can't find any reason why do we need to monitor them

Here's what we understood the WHY during those days:

• Was there even a security team since infra team run the IT show
• Weak awareness in cybersecurity
• Convenience is the top priority in the operation. Security? Way no.

As soon as we understood the market driver, we changed our strategy. This time, I knocked my customer's door, shared with them this solution, here's the conversation.

Me: hey Mr. Customer, I was observing the situation on the ground where your IT team was really busy taking out the envelop from the physical safe several times in a day and going right in front of users helping them to login to the server. The process is repeating, I feel empathy to them looking at how they operate this, many of them required to be standby or stay in the office late just to handle this operation - everyone looks so tired.

Customer: Yes, spot on! Due to compliance requirement, we have no choice. Administrator passwords are not supposed to be exposed to anyone.

Me: What if I tell you I have a solution to automatically grant the administrator rights to your users at any point of time when it is needed. How does that sounds to you?

Customer: Is there such solution? Tell me how.

Me: We would use privilege escalation mechanism to automatically elevate user's permission to the administrator rights. Users login to the server using their own ID (least permission), based on the authorization rules, our program can temporarily grant the administrator rights to the user over a specific duration. The privilege will be automatically revoked by our program once the permitted time is over. The entire process does not require administrator password which literally you don't have to trigger the envelop process anymore, no additional ID required to be created. (oh my god, I was selling the concept of just-in-time access during that time!)

Customer: That's a brilliant solution. You should have tell me this solution way long back.

Me: Well, that's not too late to implement this, let's do it. I believe this would solve your nightmare and make everyone in your team happy and productive. Oh yeah by the way, there is a bonus to you, just in case if you wanted to monitor & record the user activities, the "CCTV" is always there actively and patiently waiting your instruction to enable it. (Happily ended the conversation with my original objective to sell the "invisible eye" concept, ha!)

Today, customers come to me for Privileged Access Management (PAM) solution. The first & primary objective is to protect the organization's crown jewels and gain visibility of privileged user activities to mitigate the risks of unauthorized access and insider threat. That's like a default statement. Without the "invisible eye" capability, it is not even a PAM solution! The market demand for identity security has been growing rapidly. Horizontally, several topics are actively discussed today such as identity proofing, decentralized self-sovereign identity, identity intelligence, identity threat detection & response, etc. Vertically, market is looking to converge the identity components into a single stack of platform. Check out my article here to find out more what is Identity & Access Management (IAM) and why it is important to business.

"Focus on solving the problem, not selling the product feature."

That's how the evolution of business landscape changes the market demand. Still blaming the market not right for your solution? Ask the other way - does your solution fits the market demand today?