How Do I Transition to a PAM Solution for Server Access?

Asked By TechieTurtle89 On

Hey everyone! We're in the process of implementing a Privileged Access Management (PAM) solution across a mix of our Windows and Linux servers, and I could use some guidance. Currently, users from different teams log directly into servers with their regular Active Directory accounts and have admin privileges either through local admin rights, sudo, or AD memberships. The goal is to have users authenticate solely through a PAM portal using their existing accounts, with server access managed through privileged accounts controlled by the PAM system.

Before we allow user access to this new PAM solution, we need to:
1. Assess who currently has access to which servers and the reasons why.
2. Define and get approval for Role-Based Access Control (RBAC) roles.
3. Assign access based on these RBAC roles.

We definitely want to solidify RBAC first before giving everyone access to PAM.

So, I'm looking for advice on a few things:
1. How should we practically start the transition?
2. What's the best way to review existing access?
3. What RBAC roles would you recommend creating?
4. How can we effectively map current access to the new RBAC roles?

Any tips on sequencing to prevent any disruptions would be greatly appreciated!
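Added example, not part of the original question or any answer: one way to approach the access review and role mapping in steps 1 to 3 above is to export every privileged grant (local admin, sudo, AD group) into a single inventory and group users who hold identical grant sets. The CSV columns, sample rows and function names are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory (not real data): one row per privileged grant
# found during the review. The column names are assumptions for this example.
INVENTORY = """user,server,grant
alice,web01,sudo
alice,web02,sudo
bob,web01,sudo
bob,web02,sudo
carol,sql01,local_admin
dave,sql01,local_admin
dave,web01,sudo
erin,sql01,ad_group:Server-Admins
"""

def load_grants(text):
    """Return {user: frozenset of (server, grant)} from the CSV export."""
    grants = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        grants[row["user"].strip().lower()].add((row["server"], row["grant"]))
    return {user: frozenset(ents) for user, ents in grants.items()}

def candidate_roles(grants, min_members=2):
    """Group users with identical grant sets; small groups become exceptions."""
    by_set = defaultdict(list)
    for user, ents in grants.items():
        by_set[ents].append(user)
    roles, exceptions = [], []
    for ents, users in sorted(by_set.items(), key=lambda kv: sorted(kv[1])):
        entry = {"members": sorted(users), "entitlements": sorted(ents)}
        (roles if len(users) >= min_members else exceptions).append(entry)
    return roles, exceptions

def grant_paths(grants):
    """Return {server: sorted grant mechanisms} to show overlapping admin paths."""
    paths = defaultdict(set)
    for ents in grants.values():
        for server, grant in ents:
            paths[server].add(grant)
    return {server: sorted(p) for server, p in sorted(paths.items())}

if __name__ == "__main__":
    roles, exceptions = candidate_roles(load_grants(INVENTORY))
    for r in roles:
        print("candidate role:", r["members"], r["entitlements"])
    for e in exceptions:
        print("needs review:  ", e["members"], e["entitlements"])
    print("grant paths:   ", grant_paths(load_grants(INVENTORY)))
```

Exact-match grouping is deliberately strict: users whose access overlaps only partially land in the exceptions list, which is the set to take to server owners for justification before roles are approved.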

4 Answers

Answered By IAMPro1987 On

You might want to look into a cloud provider for this, like CyberArk, especially their privileged session manager (PSM). You're at a crucial point where deciding on your approach will greatly affect the timeline. Going with a cloud solution can help you skip a lot of potential hurdles and could have it implemented really quickly—definitely the way to go if you have a smaller team of less than 250 privileged users!

Answered By SecureSavvy On

If you're a smaller team, I recommend Devolutions PAM. It's affordable and works seamlessly with their Remote Desktop Manager app. Plus, their support is stellar and they're very receptive to feedback.

Answered By PAMExplorer98 On

Definitely consider hiring a consultant to streamline this process. They can guide you through all the complexities involved and ensure you’re on the right path.

Answered By AdminAdventurer77 On

I've had mixed feelings about CyberArk, but once deployed correctly, it really shines. Just a heads up though, the onboarding process for new devices isn't the fastest unless they're standard RDP or SSH connections to Linux boxes. Ideally, I think we should prioritize proper RBAC for non-admin roles and rely on PAM for admin tasks. This keeps the process clean and manageable.

UserGizmo5 -

I totally agree! I implemented CyberArk where I work, and after a rough start that saw only a handful of people onboarded over three years, I finally got to onboard all our Windows servers myself in just one year! Linux has been more challenging since I haven't automated that yet, but honestly, once the setup is good, people give much less negative feedback about usability.
