
Why Do PAM Deployments Take (almost) Forever To Complete


Privileged Access Management (PAM) solutions are the standard control for protecting administrative accounts against identity threats. In theory, the PAM concept makes sense: place admin credentials in a vault, rotate their passwords, and closely monitor their sessions. In practice, many PAM projects turn into a long and complex onboarding process that can take years to complete, which prevents them from delivering their promised security value. This article explores why service accounts are a key obstacle in PAM onboarding and how Silverfort enables identity teams to overcome these challenges and complete the PAM onboarding process in weeks.

First, we will examine the promise of PAM and why it is important for protecting administrative users. Next, we will discuss the harsh reality of PAM projects and how service accounts are the biggest hurdle in a successful PAM deployment. We will then look at the visibility gap that makes it so hard to discover service accounts and map their activities. Finally, we will explore how Silverfort addresses this issue with automated service account discovery and activity mapping, allowing identity teams to protect service accounts and streamline the PAM onboarding process.

The Promise of PAM: Protection for all Administrative Users

The concept of PAM is straightforward. Since adversaries seek to compromise admin credentials and use them for malicious access, the natural thing to do is to put hurdles in their way. PAM provides an additional security layer that includes both close monitoring of admin connections via session recording and a proactive prevention layer in the form of vaulting admin credentials and subjecting them to periodic password rotation. This greatly reduces the risk of a successful attack: even if an adversary does manage to compromise admin credentials, rotation limits how long they remain valid, so stolen credentials that are not used before the next rotation are worthless by the time the attacker tries them.

The Reality of PAM: Long and Complex Onboarding Process that can Take Years to Complete

In reality, identity and security teams find that deploying a PAM solution is one of the most resource-exhausting processes they undertake. Very few PAM projects go the full length of protecting all the administrative accounts within the environment. What usually happens instead is that challenges with no easy solution surface sooner or later. At best, these challenges slow down the onboarding process, stretching it over months or even years. At worst, they bring the entire project to a halt. Either way the implications are grave: on top of the heavy investment of time and effort, the core purpose of PAM is not achieved, and admin accounts do not get the protection they require.

The Biggest Hurdle: Service Accounts

Service accounts are user accounts created for machine-to-machine communication. They exist to automate repetitive monitoring, hygiene, and maintenance tasks that would otherwise be performed manually, and they are routinely created as part of deploying a software product in the enterprise environment. Because they are typically granted high privileges so they can establish the machine-to-machine connections they were created for, they require the same protection as any human admin account.

Unfortunately, onboarding service accounts to a PAM solution is notoriously difficult, making them the biggest hurdle in the way of a successful PAM deployment. There is no easy way to get visibility into the service account inventory, and even if the discovery challenge is resolved, a more severe challenge remains unaddressed: mapping the purpose of each account and the dependencies that follow from it.

The PAM Implication: Rotating Service Account’s Password Without Visibility into its Activity can Break the Processes it Manages

The typical way service accounts connect to different machines to perform their task is through a script that contains the names of the machines to connect to, the commands to execute on them, and the service account's username and password used to authenticate to those machines. The clash with PAM onboarding happens because, when the PAM solution rotates the service account's password (changing it in the directory and storing the new value in the vault), there is no way to automatically update the password hardcoded in the script. So the first time the script executes after the rotation, the service account will attempt to authenticate with the old password, which is no longer valid. The authentication fails, the task the service account was supposed to perform never happens, and any other process or application that relies on that task breaks as well.
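To make the failure mode concrete, here is an added example that is not code from the article or from any PAM product. It simulates a vault, three target hosts and two versions of a maintenance job: one with the password hardcoded (the pattern described above) and one that fetches the current password from the vault at run time. The vault, host names, account name and the downstream dependency map are all constructed for the illustration.

```python
"""Why rotating a vaulted service-account password breaks jobs that embed it.

Added example, not the article's code. The vault, the target hosts and the
jobs are simulated in-process so the failure can be reproduced offline; no
real PAM product or directory is contacted.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Vault:
    """Minimal stand-in for a PAM vault: holds one password per account and
    rotates it, as a real vault does on a schedule or after each check-out."""
    passwords: dict = field(default_factory=dict)

    def onboard(self, account: str, password: str) -> None:
        self.passwords[account] = password

    def rotate(self, account: str) -> str:
        new = secrets.token_urlsafe(24)
        self.passwords[account] = new
        return new

    def retrieve(self, account: str) -> str:
        return self.passwords[account]


@dataclass
class Host:
    """Simulated target machine. Its directory password is whatever the vault
    last set, because the vault changes the account password when it rotates."""
    name: str
    vault: Vault

    def authenticate(self, account: str, password: str) -> bool:
        return secrets.compare_digest(self.vault.retrieve(account), password)


# The pattern the article describes: machine list, command and credential
# all hardcoded in the script (constructed sample values).
LEGACY_JOB = {
    "account": "svc_backup",
    "password": "Winter2019!",  # fixed at deployment time, never updated
    "hosts": ["FS01", "FS02", "SQL01"],
    "command": "run-backup",
}

# Processes that only run after the backup succeeds (constructed dependency
# map; discovering this is the "activity mapping" PAM onboarding needs).
DOWNSTREAM = {"run-backup": ["offsite-replication", "restore-verify"]}


def run_legacy_job(job: dict, hosts: dict) -> dict:
    """Authenticate to each host with the password embedded in the job."""
    return {h: hosts[h].authenticate(job["account"], job["password"]) for h in job["hosts"]}


def run_vault_aware_job(job: dict, hosts: dict, vault: Vault) -> dict:
    """Hardened form: read the current password from the vault at run time,
    so a rotation inside the vault can never leave the job with a stale secret."""
    password = vault.retrieve(job["account"])
    return {h: hosts[h].authenticate(job["account"], password) for h in job["hosts"]}


def broken_dependents(job: dict, results: dict) -> list:
    """Downstream tasks that will not run because the job failed on some host."""
    if all(results.values()):
        return []
    return list(DOWNSTREAM.get(job["command"], []))


def demo() -> dict:
    vault = Vault()
    vault.onboard("svc_backup", LEGACY_JOB["password"])
    hosts = {n: Host(n, vault) for n in LEGACY_JOB["hosts"]}

    before = run_legacy_job(LEGACY_JOB, hosts)           # works: password still current
    vault.rotate("svc_backup")                           # PAM onboarding rotates it
    after_legacy = run_legacy_job(LEGACY_JOB, hosts)     # every host now rejects the old password
    after_aware = run_vault_aware_job(LEGACY_JOB, hosts, vault)  # still works
    return {"before": before, "after_legacy": after_legacy, "after_vault_aware": after_aware}


if __name__ == "__main__":
    r = demo()
    print(r)
    print("blocked:", broken_dependents(LEGACY_JOB, r["after_legacy"]))
```

The vault-aware version is what a PAM vendor's application-credential integration gives you; the point of the example is that every job still holding the embedded password has to be found and converted before the account can be vaulted, and that a single failed authentication cascades into whatever depends on the job.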

The Catch: Caught in Between Operational and Security Concerns

Considering this risk, most identity teams avoid vaulting service accounts altogether. And that is exactly the impasse: vaulting service accounts creates an operational risk, while not vaulting them creates an equally serious security risk. Until now, there has been no easy answer to this dilemma, which is why service accounts are such an inhibitor for PAM onboarding.

Overcoming the Challenge with Automated Service Accounts’ Discovery and Activity Mapping

Silverfort's Unified Identity Protection Platform integrates natively with Active Directory to monitor, analyze, and enforce access policy on all user accounts and resources in the AD environment. Leveraging this visibility into every authentication, Silverfort can detect the accounts that exhibit the repetitive and deterministic behavior that characterizes service accounts. It produces a detailed inventory of all service accounts within the environment, including each account's privilege level, sources, destinations, and activity volume. This allows identity teams to identify the dependencies and applications of each service account, locate the scripts that run it, and make an informed decision about how to protect it.
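The discovery heuristic described above can be reproduced in a simple form from authentication logs alone. The following is an added example, not Silverfort's code or any product's detection logic: it parses constructed logon records (fields modeled on Windows 4624 events), collapses each job invocation into a run, measures how regular the cadence is, and combines that with the absence of interactive logons and a constructed group-membership lookup to produce the kind of inventory the text describes. Field layout, thresholds, host and account names are all assumptions.

```python
"""Flag service accounts by repetitive, deterministic machine-to-machine logons.

Added example, not the article's or Silverfort's code. Log format, thresholds
and group names are assumptions; the log lines are generated in-process.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log, one record per line:
#   "timestamp,account,source_host,target_host,logon_type"
# Logon types follow Windows 4624 numbering: 2/10/11 interactive, 3 network.
def build_sample_log():
    base = datetime(2024, 3, 4, tzinfo=timezone.utc)
    lines = []
    for day in range(7):                                  # nightly backup to two file servers
        t = base + timedelta(days=day, hours=2)
        for i, host in enumerate(("FS01", "FS02")):
            lines.append(f"{(t + timedelta(seconds=5 * i)).isoformat()},svc_backup,BACKUP01,{host},3")
    for n in range(7 * 96):                               # monitoring poll every 15 minutes
        t = base + timedelta(minutes=15 * n)
        lines.append(f"{t.isoformat()},svc_monitor,MON01,{('FS01', 'SQL01', 'DC01')[n % 3]},3")
    human = [(0, 8, 12, "WS042", "DC01", 2), (0, 9, 47, "WS042", "FS01", 3), (0, 13, 5, "WS042", "FS02", 3),
             (1, 8, 31, "WS042", "DC01", 2), (1, 16, 2, "VPN01", "FS01", 3), (3, 7, 55, "WS042", "DC01", 2)]
    for d, h, m, src, dst, lt in human:                   # irregular user activity
        lines.append(f"{(base + timedelta(days=d, hours=h, minutes=m)).isoformat()},jdoe,{src},{dst},{lt}")
    admin = [(0, 10, 3, "JUMP01", "SQL01", 10), (2, 14, 20, "JUMP01", "DC01", 10),
             (4, 9, 41, "JUMP01", "FS02", 10), (5, 22, 10, "JUMP01", "DC01", 10)]
    for d, h, m, src, dst, lt in admin:                   # RDP from a jump host
        lines.append(f"{(base + timedelta(days=d, hours=h, minutes=m)).isoformat()},adm_jsmith,{src},{dst},{lt}")
    return lines

# Constructed group membership, standing in for an AD lookup.
GROUPS = {"svc_backup": {"Backup Operators"}, "svc_monitor": {"Domain Admins"},
          "jdoe": {"Domain Users"}, "adm_jsmith": {"Domain Admins"}}
HIGH = {"Domain Admins", "Enterprise Admins", "Administrators"}
ELEVATED = {"Backup Operators", "Server Operators", "Account Operators"}
INTERACTIVE = {2, 10, 11}


def privilege_level(account):
    groups = GROUPS.get(account, set())
    if groups & HIGH:
        return "high"
    if groups & ELEVATED:
        return "elevated"
    return "standard"


def parse(lines):
    events = defaultdict(list)
    for line in lines:
        ts, acct, src, dst, lt = line.split(",")
        events[acct].append((datetime.fromisoformat(ts), src, dst, int(lt)))
    return events


def run_starts(times, gap=timedelta(minutes=5)):
    """Collapse a burst of logons from one job invocation (several targets within
    `gap` of each other) into a single run, so cadence is measured per run."""
    starts, last = [], None
    for t in sorted(times):
        if last is None or t - last > gap:
            starts.append(t)
        last = t
    return starts


def profile(account, evs, max_cv=0.25, min_runs=3):
    """Classify one account: service-like if it never logs on interactively, has
    enough runs to judge, and its inter-run interval is nearly constant."""
    starts = run_starts([e[0] for e in evs])
    intervals = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    cv = statistics.pstdev(intervals) / statistics.mean(intervals) if len(intervals) >= 2 else None
    interactive = any(e[3] in INTERACTIVE for e in evs)
    is_service = (not interactive) and len(starts) >= min_runs and cv is not None and cv <= max_cv
    return {
        "account": account,
        "privilege": privilege_level(account),
        "sources": sorted({e[1] for e in evs}),          # where to look for the scripts
        "destinations": sorted({e[2] for e in evs}),     # what breaks if the password changes
        "events": len(evs),
        "runs": len(starts),
        "interval_cv": None if cv is None else round(cv, 3),
        "interactive_logons": interactive,
        "classification": "service" if is_service else "human",
    }


def discover(lines):
    return {acct: profile(acct, evs) for acct, evs in parse(lines).items()}


if __name__ == "__main__":
    for row in discover(build_sample_log()).values():
        print(row)
```

The interactive-logon check matters as much as the cadence check: in the sample, adm_jsmith's RDP sessions happen to fall at fairly even intervals and would otherwise pass the regularity threshold, while the two service accounts have a coefficient of variation of zero. The sources list is where the hardcoded scripts will be found, and the destinations list is the blast radius of a rotation, which is exactly the dependency picture needed before deciding whether to vault an account.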

In this way, Silverfort shortens the PAM onboarding process to weeks, making it an achievable task even in an environment with hundreds of service accounts. Silverfort enables identity teams to protect all their privileged accounts, service accounts included, with adaptive access policies that enforce MFA on both on-prem and cloud resources, and to streamline the PAM onboarding process.

This article explored why service accounts are a key obstacle in PAM onboarding and how Silverfort enables identity teams to overcome these challenges and complete the PAM onboarding process in weeks. With Silverfort, identity teams can protect service accounts and reduce the risk of their privileged accounts being compromised.
