Day after day we see evidence of an increased number of breaches (e.g., the DNC email hack), and as a Privileged Account Management (PAM) provider we are seeing a similar increase in requests for proposals for our Core PAM solution. Don’t get me wrong, I’m not complaining. But what I find most interesting is the number of people who write in and say, “I’m not even sure what my privileged accounts are; how can I manage them?”
What are “Privileged Accounts?” A privileged account is any account that holds “keys to the kingdom” access to your network. These can be admin, root, SYS, or other credentials that grant an administrative all-access pass to your applications. With a growing number of accounts, environments, devices, and applications, managing these accounts by hand no longer keeps up, and that gap is what has led to so many breaches.
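The first question above, “what are my privileged accounts?”, is answerable per host before any tooling is bought. The following is an added example (not code from the original post or from any PAM product) that inventories root-equivalent access on a Linux host from three sources: UID 0 entries in /etc/passwd, primary or supplementary membership in an admin group (the `ADMIN_GROUPS` set is an assumption), and sudoers rules, which it expands from `%group` form to individual users. The three file contents are constructed sample data.

```python
"""Privileged-account discovery over Unix account files (added example)."""
import re

# --- constructed sample input; a real run would read these from the host ---
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup superuser:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
svc_backup:x:1500:1500:backup service:/var/lib/backup:/usr/sbin/nologin
"""
GROUP = """\
root:x:0:
wheel:x:10:alice
sudo:x:27:bob
backup:x:1500:
"""
SUDOERS = """\
# constructed sudoers: who may run what as root
root        ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL) ALL
svc_backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""
ADMIN_GROUPS = {"root", "wheel", "sudo", "admin"}  # assumed admin groups


def parse_passwd(text):
    """name -> {uid, gid, shell}."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
            users[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return users


def parse_group(text):
    """name -> (gid, set of supplementary members)."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":")
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_sudoers(text):
    """principal (user or %group) -> commands it may run.
    Handles the common 'USER HOST=(RUNAS) [TAG:] cmd, cmd' form only."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        principal, spec = line.split(None, 1)
        cmds = spec.split("=", 1)[1]
        cmds = re.sub(r"^\s*\([^)]*\)\s*", "", cmds)   # drop the (RUNAS) list
        cmds = re.sub(r"^(?:[A-Z]+:\s*)+", "", cmds)   # drop tags such as NOPASSWD:
        rules[principal] = [c.strip() for c in cmds.split(",")]
    return rules


def find_privileged(users, groups, sudo_rules):
    """account -> list of reasons it counts as privileged."""
    findings = {}

    def flag(user, reason):
        findings.setdefault(user, []).append(reason)

    gid_to_group = {gid: name for name, (gid, _) in groups.items()}

    def members_of(group):
        gid, supplementary = groups.get(group, (None, set()))
        primary = {u for u, info in users.items() if info["gid"] == gid}
        return primary | supplementary

    for name, info in users.items():
        if info["uid"] == 0:
            flag(name, "uid 0")
        if gid_to_group.get(info["gid"]) in ADMIN_GROUPS:
            flag(name, f"primary group {gid_to_group[info['gid']]}")
    for group in ADMIN_GROUPS & set(groups):
        for member in groups[group][1]:
            flag(member, f"member of {group}")
    for principal, cmds in sudo_rules.items():
        scope = "ALL" if "ALL" in cmds else ", ".join(cmds)
        users_in_scope = members_of(principal[1:]) if principal.startswith("%") else {principal}
        for user in users_in_scope:
            flag(user, f"sudo via {principal}: {scope}")
    return findings


def discover():
    return find_privileged(parse_passwd(PASSWD), parse_group(GROUP), parse_sudoers(SUDOERS))


if __name__ == "__main__":
    for account, reasons in sorted(discover().items()):
        print(f"{account:12s} {'; '.join(reasons)}")
```

Note that the inventory turns up accounts an admin may not think of as privileged: a second UID 0 login (`toor`) and a service account with a narrow but root-level sudo rule. Those are exactly the entries that need to be brought under management.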
Why is this so challenging? Enterprise networks are constantly evolving. Employee access roles change often, making it difficult for your IT staff to keep every privileged account under control. Privileged credentials, operating systems, databases, and network devices are all subject to heavy regulation, which adds confusion and obstacles when managing these accounts. To comply with mandatory regulations such as SOX, PCI-DSS, HIPAA, FISMA, BASEL III, and others, your IT staff must have the proper tools to secure and monitor these accounts. Privileged identities must be detected and tracked at all times. Service and application account passwords must be securely stored and recorded. These passwords must be changed on a set schedule without disrupting the productivity of the company. User access to privileged logins must be audited to meet corporate requirements. All of these steps are very difficult to accomplish effectively without an automated solution.
Why do I need a management solution? In a word, scalability. PAM software can scale economically across many departments and systems, providing large cost savings should your company ever need to change. Your PAM solution’s performance should also hold up no matter how much your organization grows.

Ideally, you want a multi-threaded application, so that your company can change passwords on many machines simultaneously in a reasonable amount of time, and so that it can process simultaneous requests without decreasing productivity. To make sure these needs are met, pick an architecture that provides fail-over, scales up, and still improves performance. That means an n-tiered architecture, which gives you the option to deploy the password database, management console, web server, and reporting database on separate machines.

Your PAM solution should also be able to deploy individual zone processors on remote machines, so that password changes at distant locations and on isolated (DMZ) networks are handled reliably. Its console design and password change architecture, including the back-end database and a highly tuned, multi-threaded password change algorithm, should keep console interaction and reporting responsive even while large password changes are being processed across many devices and accounts. A privileged access management solution does more than maintain compliance: it prevents data loss by protecting your most valuable assets.
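The two preceding sections describe the core loop of such a tool: rotate credentials on a schedule, do it concurrently, hand each network zone to its own worker, and audit every attempt. The following is an added example that models that loop; it is not code from the original post or from any vendor’s product. The `Rotator`, `FakeTarget` and the credential records are all constructed for the demonstration, targets are simulated in memory, and the 30-day maximum age is an assumed policy value. Note that the audit record carries the outcome but never the new secret, and that a failed target (here an unreachable DMZ firewall) is logged and counted rather than aborting the run.

```python
"""Scheduled, concurrent privileged-password rotation with an audit trail (added example)."""
import secrets
import string
import threading
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Credential:
    account: str
    host: str
    zone: str            # which zone processor handles this target
    last_rotated: datetime
    secret: str = ""     # current secret; empty until first rotation here

ROTATION_MAX_AGE = timedelta(days=30)  # assumed policy value


def generate_password(length=24):
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_due(cred, now):
    return now - cred.last_rotated >= ROTATION_MAX_AGE


class FakeTarget:
    """Simulated managed system: accepts a password change unless it is down."""
    def __init__(self, host, down=False):
        self.host, self.down = host, down
        self.passwords = {}
        self.lock = threading.Lock()

    def set_password(self, account, new_secret):
        if self.down:
            raise ConnectionError(f"{self.host} unreachable")
        with self.lock:
            self.passwords[account] = new_secret


class Rotator:
    def __init__(self, targets, workers_per_zone=4):
        self.targets = targets
        self.workers_per_zone = workers_per_zone
        self.audit = []
        self.audit_lock = threading.Lock()

    def _rotate_one(self, cred, now):
        new_secret = generate_password()
        try:
            self.targets[cred.host].set_password(cred.account, new_secret)
            cred.secret, cred.last_rotated = new_secret, now
            outcome = "success"
        except Exception as exc:        # a target failure must not stop the batch
            outcome = f"failed: {exc}"
        with self.audit_lock:           # audit entry records outcome, never the secret
            self.audit.append({"time": now.isoformat(), "zone": cred.zone,
                               "account": f"{cred.account}@{cred.host}", "outcome": outcome})
        return outcome == "success"

    def _rotate_zone(self, zone, creds, now):
        """One worker pool per zone: the 'zone processor' idea."""
        with ThreadPoolExecutor(max_workers=self.workers_per_zone,
                                thread_name_prefix=f"zone-{zone}") as pool:
            outcomes = list(pool.map(lambda c: self._rotate_one(c, now), creds))
        return outcomes.count(True), outcomes.count(False)

    def run(self, creds, now):
        """Rotate only credentials past policy age; zones run in parallel."""
        due = [c for c in creds if is_due(c, now)]
        by_zone = {}
        for c in due:
            by_zone.setdefault(c.zone, []).append(c)
        summary = {"rotated": 0, "failed": 0, "skipped": len(creds) - len(due)}
        with ThreadPoolExecutor(max_workers=max(1, len(by_zone))) as zones:
            futures = [zones.submit(self._rotate_zone, z, cs, now) for z, cs in by_zone.items()]
            for fut in futures:
                ok, bad = fut.result()
                summary["rotated"] += ok
                summary["failed"] += bad
        return summary


def demo():
    """Constructed inventory: three corporate hosts plus one unreachable DMZ device."""
    now = datetime(2024, 1, 31, tzinfo=timezone.utc)
    targets = {"db01": FakeTarget("db01"), "app01": FakeTarget("app01"),
               "app02": FakeTarget("app02"), "fw-dmz-01": FakeTarget("fw-dmz-01", down=True)}
    creds = [Credential("root", "db01", "corp", now - timedelta(days=45)),
             Credential("root", "app02", "corp", now - timedelta(days=31)),
             Credential("svc_app", "app01", "corp", now - timedelta(days=5)),
             Credential("admin", "fw-dmz-01", "dmz", now - timedelta(days=60))]
    rotator = Rotator(targets)
    return rotator.run(creds, now), rotator, creds, targets


if __name__ == "__main__":
    summary, rotator, _, _ = demo()
    print(summary)
    for entry in rotator.audit:
        print(entry)
```

Running it rotates the two overdue corporate accounts, skips the service account that is only five days old, and records the DMZ failure for follow-up; a real deployment would persist the audit log and the new secrets in the vault rather than keep them in process memory.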