PAM pans out: Why Gateway Financial Holdings dumped VPNs for privileged access management
After years of struggling to woo another, employees at Gateway Financial Holdings of Florida loved PAM at first sight. Or, as Jim O’Brien, group vice president for information technology, puts it, “People were over the moon.”
Not that PAM is human or even a humanoid chatbot: PAM—short for privileged access management—represents a new breed of technology. Its aim is to make remote access to corporate networks safer as it improves worker experiences. And while PAM journeys take many forms, the experience of Daytona Beach-headquartered Gateway serves as a guide for small and mid-sized institutions.
The timing for such technologies couldn’t be more crucial. A recent Gartner study reports that prevention of breaches and insider attacks are the major drivers for PAM, followed by regulatory compliance and operational efficiency. Further, some organizations also use PAM tools to manage shared access to non-administrative shared accounts, such as official social media accounts.
Gateway’s PAM engagement began with the winding down of its legacy virtual private network (VPN). The closer it inched to the end of its useful life, the more the VPN became a Very Profound Nuisance. And, as is often the case elsewhere, Gateway’s solution required entering multiple sets of credentials to gain access to corporate systems.
“Between our three charters and nine branches, we have about 75 employees, managers and executives who log in remotely,” explains O’Brien. “I’d get at least one or two calls every day from people who became locked out at some point in the lengthy login process.”
He adds: “Beyond frustrating workers, constantly addressing reset requests creates real headaches when you (have) an IT department of two.”
As if that weren’t enough, the dominance of VPNs as a go-to for securing remote connections was crumbling. In the wake of high-profile vulnerability disclosures by major players such as Cisco and Juniper Networks, Gartner notes that enterprises of all sizes across the industry spectrum now turn to PAM as an alternative.
A winner by storm: PAM beats Matthew
Like many of his banking peers, O’Brien began to investigate PAM solutions for a number of critical reasons. PAM not only satisfied regulatory requirements for encrypting and securing data but also promised to streamline user access and reduce operational burdens.
Of the three vendors considered, O’Brien agreed to test a unit by Bomgar: “We’d experienced five years of success with the vendor’s remote support tool to service our remote capture merchants, but were unfamiliar with their new PAM solution,” he says.
When the PAM arrived, O’Brien plugged it into Gateway’s network and configured it in less than two hours, including the addition of five test users. “Training consisted of a 10-minute conference call,” says O’Brien. “Everyone was excited by how easy it was to use.”
Convinced he’d located the needed solution, O’Brien approached Gateway’s CFO in mid-summer. There, he hit a wall.
“The solution was more expensive than I’d anticipated, so I wasn’t adequately prepared to support the request,” he recalls. “This caused a slight delay until I could assemble the needed documentation.”
While figures on Gateway’s investment aren’t available, PAMs can generate cost savings that see the outlay recouped in five years or less. In a 2014 article citing the example of a large bank with 12,000 employees, The Info-Tech Research Group noted that an initial investment of $55,750 resulted in savings of $69,565—a return of roughly 25 percent, driven by efficiencies in help desk time and security incident reporting.
Once O’Brien secured the needed approvals and purchased the site licenses, he quickly added and trained the balance of Gateway’s remote users by early September. There, he hit a wall of water—and won.
Two weeks later, Hurricane Matthew slammed into Daytona Beach head on. “For three days our headquarters employees stayed home,” O’Brien says. “But all three of our charters remained open for business because we could remote in using the PAM.”
No flash in the PAM, but still a work in progress
Like many new technologies, some PAMs lack maturity. For Gateway, an unanticipated downside to its PAM lies in the lack of a remote printing capability. “Although we expected our employees could print documents locally, from wherever they logged in, that proved incorrect,” O’Brien says.
Until the PAM vendor provides a fix down the road, Gateway has implemented a workaround by adopting a third-party screen capture tool, which enables local printing of any on-screen content.
As for the results banks can expect, PAM benefits both users and IT, improving efficiencies all around. Despite the remote printing challenge, Gateway’s users say they are pleased it no longer takes 10 minutes to complete the various login layers just to spend two minutes reviewing a report.
What’s more, lock-out phone calls to Gateway’s ultra-lean IT department have become nearly non-existent, which enables resources to be dedicated elsewhere. “I’ve gained back at least two hours a week that I can dedicate to more business-critical tasks,” O’Brien says.
Meanwhile, it’s a sure bet Gateway will carry the torch for PAM as it becomes part of a larger institution, CenterState Banks of Davenport, Florida. With the merger scheduled to close in the second quarter of this year, expect PAM to continue proving its worth as Practical And Meaningful.
A contributing writer to BAI Banking Strategies, Anne Rawland Gabriel has spent more than 20 years writing about business and business technologies as a journalist and marketing communications consultant. She is based in the Minneapolis/St. Paul, Minn. metropolitan area.