Solutions for Privileged Account Management

The need to protect digital information will exist for as long as digital information exists.

Every day we’re seeing exponential growth in the creation and distribution of data. The more dependent we become on electronic data in our business and personal lives, the more digital data we create. And the more digital data we create, the higher the risk of compromise to that data as a result of malicious, negligent or even unintentional activity.

While companies go to great lengths to secure their digital assets, the complexities multiply when you realize that there are likely to be three times as many privileged accounts on a network as there are end user accounts. This is due to many factors, not the least of which is the ever-expanding infrastructure and the privileged accounts associated with devices, servers, databases, and more. In addition, many devices, operating systems and applications include hard-wired default passwords.

Managing all of these accounts can become unwieldy, and changing them frequently is expensive and time consuming. Yet the longer a password remains unchanged, the more it exposes the business to compromise through hacking and to violations of compliance regulations.

Are you managing your most critical passwords?

Are you aware that you likely have more privileged accounts on your network than you have end user accounts? Just add up all your device, server, database, local administrator and service accounts and you’ll be surprised.

You’re here because you know that your elevated privilege accounts are currently unmanaged, or at best are being changed infrequently. Do you consider the embedded accounts known by your developers as privileged accounts? You should. Are your auditors raising the issue of changing all of your critical passwords yet, or are you trying to stay ahead of them?

While this sounds like a simple problem to solve, you understand the complexities of your environment, the teams that will need to be involved and the processes that will need to change to accommodate regular privileged account password changes.

Gaining control of your critical passwords and placing them under management will provide you with several obvious benefits:

  • Immediate revocation: As administrators and developers change positions or leave the organization it is important to rapidly revoke their access privileges.
  • Breach avoidance: The longer that a password remains unchanged the greater the risk of the password being compromised if under attack.
  • Elimination of default passwords: Many devices, operating systems and applications include default passwords that, if left unchanged, represent a significant vulnerability and compliance concern.
  • Reduced knowledge: The fewer people that know a password the greater the control over the possibility of negligent or malicious damage. Eliminating password knowledge entirely, until needed, greatly enhances this position.
  • Unattended accessibility: Scripts and programs that include passwords are an obvious risk. Eliminating embedded passwords in favour of run-time access to credentials provides a significant increase to a company’s security profile.

You will find that other benefits can be recognized through the automation of privileged account management:

  • Business continuity: If you attempt to change all of these passwords manually you will inevitably suffer from human errors in the form of mistyping, missed accounts and timing mistakes, all resulting in service outages. Automation avoids this issue.
  • Reduced costs: The quantity of accounts, frequency of change and distribution of systems in your environment have a significant impact on the potential cost that you may incur to maintain these passwords. Automation reduces these costs.
  • Improved compliance: Regulation is becoming far more prescriptive on the issue of passwords, and regularly proving the appropriate controls over the protection, release and management of these privileged accounts will be very difficult when using manual controls. Automation helps with your compliance efforts.
  • Simplification: Other approaches like PKI and Kerberos require a significant shift in your authentication paradigm and a re-architecture of your infrastructure and systems. These solutions also do not provide 100% coverage, thus forcing you to maintain a percentage of your systems under password control. Password automation allows you to stay in the password paradigm while meeting your audit and compliance demands.

Passwords have served us well for many years and will continue to do so. Automating the process of creating strong passwords, securely storing those passwords, releasing them under granular policies on-demand to administrators and at run-time to programs, and changing those passwords regularly relieves us of a potentially expensive and error-prone process and addresses a problem that is gaining significant auditor attention: Privileged Account Management.

Privileged Account Management Infrastructure

The increasing pressure of the audit environment has created two types of buyers for PAM solutions:

  • Strategic Buyer: These individuals and teams think beyond their current password challenge to their long-term needs, integration requirements, scalability and growth plans, performance demands, cost reduction opportunities, service level improvements, new application opportunities as well as improved audit and compliance reporting. These are the buyers who choose Cloakware.
  • Tactical Buyer: These individuals feel the audit pressure and are so under-resourced or overwhelmed that they make a rapid purchasing decision in order to receive an audit checkmark and perhaps buy themselves more time to look further into the issue. These are the buyers who struggle to deploy a mismatched solution and then come back to choose Cloakware.

Let’s face it, Privileged Account Management (PAM) is core to your operations and must be treated as a critical component of your infrastructure. Selecting a PAM solution and vendor should follow a selection process similar to that for any other critical component of your infrastructure, like your database, CRM or Identity Management system.

A Privileged Account Management infrastructure is composed of many interconnected working parts that deliver the functionality needed to securely store, release and manage these critical accounts. What appeals to the strategic buyer is selecting a vendor whose packaged solution supports your platform choices; works with your existing devices, operating systems, databases and applications; works with your directory infrastructure, Identity Management tools and more; and gives you the ability to broadly deploy the system components in order to meet your performance, scalability, availability, redundancy and geographic demands.