
Privilege Account / Password Management

Definition

Privilege Account / Password Management is a policy-based technology that secures, manages and monitors all privileged accounts and activities associated with datacenter management, whether on-premise or in the cloud:

  • Control access to privileged accounts
  • Monitor and record privileged sessions
  • Manage application and service credentials
  • Grant granular control to the commands super-users can run
  • Comply with audit and regulatory requirements
  • Streamline policy management of privileged accounts
  • Seamlessly integrate with enterprise systems

User Benefits

  • A privileged account manager controls computer network access by managing local and domain accounts.
  • A privileged account manager is based on a client-server architecture, which allows working with the product from any computer on the network.
  • Because the product is web-based, SSL, host headers and other Internet Information Services options can be configured separately.
  • A privileged account manager can audit accounts: distributing passwords among users, adding and deleting accounts.
  • A privileged account manager can also provide advanced reports with information on currently used accounts, unused accounts and rarely used accounts.
  • It can automatically apply a new password to all services and tasks launched under managed accounts on all affected computers.
  • Configurable password generation rules keep generated passwords in accordance with the password policy.
  • Immediate revocation: As administrators and developers change positions or leave the organization, it is important to rapidly revoke their access privileges.
  • Breach avoidance: The longer a password remains unchanged, the greater the risk of the password being compromised if under attack.
  • Elimination of default passwords: Many devices, operating systems and applications include default passwords that, if left unchanged, represent a significant vulnerability and compliance concern.
  • Reduced knowledge: The fewer people that know a password, the greater the control over the possibility of negligent or malicious damage. Eliminating password knowledge entirely, until needed, greatly enhances this position.
  • Unattended accessibility: Scripts and programs that include passwords are an obvious risk. Eliminating embedded passwords in favor of run-time access to credentials provides a significant increase to a company’s security profile.

Business Impact

  • Business continuity: Where all the passwords must be changed manually, the process will suffer from human errors in the form of mistyping, missed accounts and timing mistakes, all resulting in service outages. Automation avoids this issue.
  • Reduced costs: The quantity of accounts, the frequency of change and the distribution of systems in an environment have a significant impact on the potential cost. Automation reduces these costs.
  • Improved compliance: Regulation is becoming far more prescriptive on the issue of passwords, and the ability to regularly prove the appropriate controls over the protection, release and management of these privileged accounts will be very difficult when using manual controls. Automation helps with compliance efforts.
  • Simplification: Other approaches like PKI and Kerberos require a significant shift in authentication type and re-configuration of infrastructure and systems. These solutions also do not provide 100% coverage, thus forcing organizations to maintain a percentage of systems under password control. Password automation allows a system to retain the same password type while meeting audit and compliance demands.

Products supporting this technology

Cyber-Ark

Recent research has shown that over half of successful computer attacks take advantage of badly configured systems, such as default configurations on user accounts that have privileged rights, simple configuration errors or unscrupulous system administrators.

It is also well known that up to 75% of system breaches and unauthorized accesses are caused by internal users, mostly users who have privileged access and are familiar with the system. Poor access controls increase the risk of accidental damage and deliberate abuse. The main reasons for breaches were ineffective policies and the failure to enforce policies and procedures.

Usually a privileged user in an organization is anonymous. This privileged user can have management functions or undertake critical business tasks regarding electronic information. The paradox is that no organization would allow an anonymous user to take actions on their servers and yet the same organization will allow an anonymous privileged user to manage the file server or have access to all information on the server.

Some accounts are created by the systems themselves, such as the Windows Administrator, Cisco enable or UNIX root, alongside other application pre-defined accounts, which are usually created by organizations.

Shared accounts are generally created by organizations to allow a group of users to carry out privileged tasks. IT security officers are realizing that embedded accounts, meaning batch jobs, database applications, scripts and service accounts, represent one of the greatest risks for organizations.

Identity Management is a key requirement for any organization today, but Identity Management goes beyond the individual and must include the Privileged User. That is why a Super User is also a high risk that must be taken into account when we talk about Risk Management. The Super User is the individual who has been given personal privileged user rights.

Privileged Account Management allows organizations to manage, monitor and audit their most privileged identities, avert insider threats, and prevent the loss of sensitive information.

To fulfill this objective, the problem with IT personnel must be solved: they have too many privileges and insufficient separation of duties. These identities are often neglected, their session activities are difficult to monitor, and passwords are never changed.

Privileged accounts and passwords are extremely powerful, allowing a privileged user to log on anonymously and have complete control of the target system with full access to all of the information on that system. This can cause tremendous financial losses and reputational damage for businesses. The threat that is most difficult for enterprises to manage is the insider threat. That is why companies go to great lengths to secure their digital assets. They are also increasingly aware that the complexities multiply when the privileged accounts are likely to be up to three times the end user accounts.

Disregarding security issues such as privileged access and control of shared administrative accounts can leave organizations open to compliance violations, privacy breaches and fraud.

For organizations to have a closed security and compliance loop, part of the overall strategy must include a process for monitoring and managing high privileged accounts.

An efficient Privileged Account Management solution should perform the following:

  • Identify and Discover privileged policies and accounts
  • Centralize and Secure privileged identities and accounts
  • Apply Policy to these privileged identities based on the requester / role
  • Personalize access to these privileged identities
  • Automatically Reset access to these privileged identities
  • Log and Record all activities associated with these privileged identities

Privileged Account Management unique values:

  • Minimize loss of business and costly outages by enforcing an enterprise policy that protects the most critical systems.
  • Ensure accountability of every access to the most sensitive data with advanced out-of-the-box monitoring and reporting tools.
  • Improve workforce productivity with a simple access control interface for managing privileged identities and automatic discovery capabilities for new or removed machines.