Privilege Access Management and its effect on enterprise GIS

06-04-2019 10:24 AM
AlisonGaiser1
Occasional Contributor

We are about to embark on a project to implement Privileged Access Management (PAM) in order to improve the control, reporting and audit capabilities related to administrator/privileged accounts. This will include service-level accounts that are used to run background tasks on our servers. Has anyone had any experience with the use of a PAM in relation to their enterprise GIS system? What impact has the PAM had on Python scripts or other scripts that you might run using a service-level account? Would appreciate any feedback you might have.

Thanks,

     Alison 

5 Replies
RandallWilliams
Esri Regular Contributor

In 10.8, we're moving to an option to support gMSA out of the box. While PAM and gMSA serve very different functions, gMSA is a good solution for service accounts - especially when paired with a PAM solution for auditing. ArcGIS Enterprise currently supports gMSA, but only after the installation process is complete. Beyond that, I don't have specific customer experience to share regarding PAM and ArcGIS impacts.

https://support.esri.com/en/technical-article/000021125

Eric_JS
New Contributor II

Alison: Our IT dept is implementing PAM through SecureONE. Any problems with your implementation? Any advice?

Thanks,

Eric

KevinHofmann
New Contributor III

Our IT is considering a PAM solution as well. Does anyone have advice, and/or is anyone using it successfully?

Thank you,

Kevin

BryanGillis1
New Contributor II

I've recently been made aware that our new cyber security chief is going to be pushing PAM (via BeyondTrust) on all developer machines. I am a one-stop GIS shop for an organization of about 15k. I utilize AGOL and enterprise depending on target audience/data sensitivity. I have only been able to keep pace with demands via near-constant automation of processes. I am concerned about the new cyber security methods impacting that automation. I was wondering if anyone in the community has had success navigating a PAM implementation while still pushing and pulling through a plethora of external and internal sources in an automated manner. Or am I just the next in line to hear the chorus of crickets? 😅

Thanks,

Gillis

RandallWilliams
Esri Regular Contributor

In a future release, we'll be offering a headless token approach that should ease some of this challenge. That will allow for mandatory MFA for user accounts along with the ability to use "service accounts". ArcGIS Enterprise now supports gMSA out of the box.