7 best practices when selecting a PAM solution

The right PAM solution will enable security and compliance teams to define and enforce robust privileged account policies. So how do you pick the right PAM solution?

access management / access control / user connections / identities
DEM10 / Getty Images
best practices selecting a pam solution IT Central Station

Click here to download the full report.

Privileged Access Management (PAM) creates an extra security layer that helps to reduce risk, eliminating unnecessary local admin privileges. It takes the credentials from admin accounts and puts them in a secure repository, minimizing the endpoints that can be accessed via local administrators and reducing potential access by unauthorized users.

IT Central Station's PeerPaper based on real user reviews of One Identity Safeguard, highlights the best practices when selecting a PAM solution. These benefits include its ease of deployment and use, its transparency, scalability, and an ability to work with existing IT and business operations.


Delivers core PAM functionalities

Common selection factors for PAM solutions based on the PeerPaper include these functionalities:

  • Password and session management
  • Monitoring
  • Privilege delegation
  • Session recording and analytics.

This may seem obvious, but overly-complicated systems make it compelling nonetheless. For example, an Information Security Manager at a large financial services firm said, "We went from a state where privileged accounts were being used and not being monitored or even audited to our situation now where we are starting to monitor these privileged accounts more closely." Adding, "That's where we show value in the product. Whenever a change is happening, we know because we find it in the logs."

Password resets are a basic PAM functionality, according to the real PAM users quoted in the PeerPaper. By making password changes easy, security improves. An Expert Systems Architect at a large manufacturing company shared, "It has greatly helped improve our security posture."

Ease of use, management, and deployment

Users explain that PAM solutions need to be easy to manage:

  • Taking too many man-hours (to support) will result in the IT team not being pleased.
  • They have to be simple, or even totally invisible, to end users.
  • Given the budget and personnel constraints, the less effort they require, the better off everyone is. An IDM Architect liked that his solution enabled his team to take an environment where they had several hosts managed by different people and consolidate them into a single, centrally managed solution.

For a financial services Information Security Manager, the solution's functionality, use cases, and usability were straightforward. Also, an Expert Systems Architect at a large manufacturing company added, "It's really easy to use. Security guys are able to identify, 'Why is this person logging into spots on the weekend when historically they've never accessed it on the weekend whatsoever?' We're able to keep watch as there is a lot better visibility of our environment."

PAM solutions need to be easy to set up. If a PAM is overly time-consuming or requires excessive external consulting to set up, it may fail to launch.


To the point of avoiding "shelfware" and circumvention of PAM by users, IT Central Station members quoted in the PeerPaper expressed the view that transparency should be a factor in selecting a PAM solution.

"The transparent proxy is the most valuable feature," said a Chief Information Security Officer at a small tech services company. He added, "When you are connecting to a server inside the platform, the user doesn't need to change their habit. They just have to make small configurations to their workstation, then it is transparent for them. Our users like the solution because it's transparent. It's interesting for the users because they don't have to think, 'I have to note all what I've done during the incident to remember it.'"

[ Insider Pro product reviews ]

Operations and automation ready

By its very nature, a PAM solution must interact with a wide range of IT systems, because if compromised, a lot of damage could be done to organizational operations. Users thus prefer solutions that can be automated. "It has reduced operational costs as well as providing services 24/7 with a platform that can be used anytime and anywhere for investigation in case we have a requirement," explained a Chief Information Security Officer at a small financial services firm.

A VP Risk Management at a large financial services firm noted the value of integration came from being in a position where they can identify and detect as well as prevent any type of privilege act that's being used as a threat at their bank.


Effortless scalability of PAM solutions is critical to ensure organizations can address and control cyber risk. A financial services Information Security Manager noted, "It doesn't matter what size of organization you have. If you have an organization of 1,000 or 100,000, the product is going to be scalable to your needs."

A Security Consultant at a large tech services company points out, "Because of the nature of the connections being monitored, you can load balance it quite well. It is easy to shift the load from one appliance to another."

Flexible, consistent approvals

A PAM solution should support flexibility in granting privileged access requests, according to the real users quoted in the PeerPaper. This is because approvals of access need to be universal in order for PAM to work as a security countermeasure. If users can get privileged access without a knowledgeable person in a position of authority saying yes, there will be serious risk exposure. Admins who approve such requests may be out of the office, so an effective PAM solution offers approvals from anywhere.

IT Central Station real users shared their insights regarding what to look for in a Privileged Access Management (PAM) solution. They stressed basic efficacy along with ease of deployment. Transparency, scalability, and ease of use also factored into the selection. A good PAM solution is able to keep up and not stand in the way of change, which is why scalability is important as corporate organizations grow and evolve over time.

As PAM is an increasingly important mandate for security managers, the right PAM solution will enable security and compliance teams to define and enforce robust privileged account policies. The right PAM solution should be easy to deploy as well as integrate with other security and operational systems.

Learn more by reading IT Central Station's PeerPaper:

PAM solutions have become essential for compliance and security. This paper outlines how to assess a potential PAM solution for ease of deployment and use, transparency, and scalability. IT Central Station