Privileged Access Management

to allow production, not to prevent it - that's the real challenge

My Capabilities

My experience in short:

  • I've been developing through IT production applications to the current level of being a quite decent IT (security) architect.
  • I developed a model to implement a production and operations oriented PAM solution.
  • My team brought a software solution following this principle into production and drove its maturity grade.
  • My team integrated a heterogeneous vendor environment into a central PAM solution.
  • I managed regulatory PAM findings on their downgrade path.

Detailed problem statement:

  • Principle to mitigate the risk and operations perspective
  • Role modeling including segregation of duties checks
  • Tool selection to implement preventative and detective controls
  • Data quality analysis and improvement of ITSM tools
  • Review procedures under efficiency aspects
  • Adaptation of deployment and operations procedures
  • Support of risk management while in implementation phase
  • Consistent demonstration of risk reduction to stakeholders

My Proposition

I will support you with knowledge and experience in designing or selecting a PAM solution, integrating it and transferring it into production.

Although you and I are considered to be focused on IT security and regulatory topics, I stubbornly stick to the position that we have to ensure that

the production rules without breaking the "production rules".

In this area I'm also prepared to support you in the interpretation, amendment, or development of principles and policies to fulfill regulatory requirements and IT audit findings and, most sensibly, to manage the operational risk related to privileged access.

Specifically for the financial sector, my experience with BaFin, ECB, and MAS is proven, and there is some further experience with FED, CSSF, and BCRA.

The aim is not to prevent malicious or non-compliant activities, but to enable ...

...

  • the "right people" to implement
  • the "demand" under
  • consideration of "restrictions"
  • as long as they are "entitled" and
  • will use the methods they are "certified on" and that
  • fit to the "job's objective".