Privileged Access Management
to allow production, not to prevent it - that's the real challenge
My Capabilities
My experience in short:
I have developed through IT production applications to my current level as a quite decent senior security architect.
I developed a model to implement a production and operations oriented PAM solution.
My team developed and deployed a software solution following this principle into production and drove its maturity grade.
My team integrated a heterogeneous vendor environment into a central PAM solution.
I managed regulatory PAM findings on their downgrade path.
Detailed problem statement:
Principle to mitigate the risk and operations perspective
Role modeling including segregation of duties checks
Tool selection to implement preventative and detective controls
Data quality analysis and improvement of ITSM tools
Review procedures under efficiency aspects
Adaptation of deployment and operations procedures
Support of risk management during the implementation phase
Consistent demonstration of risk reduction to stakeholders
My Proposition
I will support you with knowledge and experience in designing or selecting a PAM solution, integrating it and transferring it into production.
Although you and I are considered to be focused on IT security and regulatory topics, I stubbornly stick to the position that we have to ensure that production rules while avoiding breaking the "production rules".
Attached to this area, I'm also prepared to support you in the interpretation, amendment, or development of principles and policies to fulfill regulatory requirements, IT audit findings, and, most sensibly, to manage the operational risk related to privileged access.
Specifically for the financial sector, my experience with BaFin, ECB, and MAS is proven, while there is some more experience with FED, CSSF, and BCRA.
The aim is not to prevent malicious or non-compliant activities, but to enable ...
... the "right people" to implement
the "demand" under
consideration of "restrictions"
as long as they are "entitled" and
will use the methods they are "certified on" and that
fit the "job's objective".