Whether you’re in a small business, a not-for-profit organization or large commercial enterprise, it’s virtually a guarantee that you are connecting to technologies that require a logon ID and a password. If there’s more than one person in your organization, it’s also likely there’s at least one password that’s shared among your team.
Passwords themselves are a challenge. Many websites, applications and online corporate services require complex passwords. You probably have seen when registering for a new website or application requirements such as “minimum 14 characters, at least one uppercase character, and at least one digit or special character.” It also seems to be the case that the requirements of each site or application are different enough from one another that it’s impossible to use the same password across them all – not that that would be a good idea even if it were possible since using the same password for different services creates its own set of vulnerabilities.
As a result, the number of accounts and passwords to manage can become so overwhelming that you may (and I hope that you do not) succumb to the classic “password on a sticky note” solution.
Of course, it’s not just sticky notes; people often store passwords in notebooks, text files or spreadsheets. It gets more “interesting” when some of these passwords are shared among your colleagues.
Then there’s the matter of “privileged accounts” – that is, accounts that are used to authenticate and access critical components in your organization. These privileged accounts typically involve administrative (or “superuser”) access to sensitive data in your IT infrastructure, including:
- Network devices (Wi-Fi routers, switches, firewalls, load balancers)
- Servers (UNIX/Linux, Microsoft Windows)
- Databases, financial, HR applications
It’s also not just people who have passwords. When one software application or service must connect to or integrate with another, a password is often required to ensure that access is granted only to authorized applications. Some client applications contain hard-coded passwords. Developers may try to “hide” them by obscuring them in the code, or by limiting read access to a parameter file that holds the credentials. Nonetheless, the password is still there, and anyone who obtains the code or the file has it.
Complicating matters further, you may have regulatory compliance requirements (SOX, PCI, HIPAA) regarding access to privileged accounts and password management. For example, passwords for administrative accounts may need to be changed every ninety days or changed after every time the password is used. Your organization may require separation of duties (SoD) limiting who can use a privileged account to access a production system and prescribing what oversight must be in place to ensure that changes to your infrastructure are approved and can be audited.
The good news is that these security concerns and regulatory requirements have spurred an entirely new discipline designed to address the issue: Privileged Identity Management (PIM). PIM addresses these requirements by providing a robust password management service to protect your data and resources.
PIM technologies typically include features such as:
- Encrypted repository, to store passwords for privileged accounts.
- Shared account management (SAM).
- Password policies – for example, scheduling password changes every 90 days.
- APIs to eliminate the use of embedded passwords in code and scripts.
- Session recording, to capture remote desktop sessions, executed programs or processes, and keystrokes.
- Reports and analytics for auditing and identifying malicious behavior.
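The hard-coded and “hidden” passwords described above, and the API-based retrieval that PIM tools offer in their place, as an added example (Python, not code from this post or from Simeio’s product): a small scanner that flags embedded credentials in source or parameter-file lines, beside a runtime lookup that takes the credential from an injected secret-store client instead. The sample lines, the regular expressions and the `runtime_credential` helper are constructed for illustration; the secret-store callable stands in for whatever vault or PIM API a real deployment exposes.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample: lines from a hypothetical client application and its
# parameter file, showing the patterns the post warns about. All values are made up.
SAMPLE_SOURCE = """\
db_host = "db01.internal"
DB_PASSWORD = "Summ3r2024!"                      # plain hard-coded password
api_key = base64.b64decode("c3VwZXJzZWNyZXQ=")  # "hidden" with base64
conn = "Server=sql01;User Id=app;Password=P@ssw0rd;"
token = os.environ["APP_TOKEN"]                  # not embedded: resolved at runtime
"""


@dataclass
class Finding:
    line_no: int
    kind: str
    snippet: str


# Credential-looking assignment with a literal string value.
PLAIN_ASSIGN = re.compile(r'(?i)(password|passwd|pwd|api_key|secret)\s*=\s*["\']([^"\']+)["\']')
# Password embedded inside a connection string.
CONN_STRING = re.compile(r'(?i)password=([^;"\']+)')
# Literal that is merely encoded: the decoded value is one call away, so it is
# still an embedded credential.
ENCODED = re.compile(r'b64decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')


def scan_for_embedded_credentials(text: str) -> List[Finding]:
    """Return one Finding per line that embeds a credential, in file order.
    Reading from the environment or a secret store (line 5 above) is not flagged."""
    findings: List[Finding] = []
    for no, line in enumerate(text.splitlines(), start=1):
        if PLAIN_ASSIGN.search(line):
            findings.append(Finding(no, "plain", line.strip()))
        elif CONN_STRING.search(line):
            findings.append(Finding(no, "connection-string", line.strip()))
        elif ENCODED.search(line):
            findings.append(Finding(no, "encoded", line.strip()))
    return findings


def runtime_credential(name: str, fetch: Callable[[str], Optional[str]]) -> str:
    """Resolve a credential at run time from an injected provider (hypothetical:
    in production a PIM/vault API client, here any callable) rather than from
    source. Raising on a missing value is deliberate: a silent fallback to a
    default password is just another embedded credential."""
    value = fetch(name)
    if not value:
        raise RuntimeError(f"credential {name!r} not available from the secret store")
    return value


if __name__ == "__main__":
    for f in scan_for_embedded_credentials(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.kind:<18} {f.snippet}")
    # Stand-in for a vault lookup; a real client would call the PIM API here.
    vault = {"db/app": "rotated-by-pim"}
    print("db/app ->", runtime_credential("db/app", vault.get))
```

Run as written, the scanner reports lines 2, 3 and 4 and leaves line 5 alone; wiring the same `runtime_credential` call to a real vault client is the change that lets the password be rotated on a policy schedule without touching the application.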
Depending on your requirements, PIM solutions can be deployed on premises, in the cloud or in hybrid infrastructures. At Simeio, we offer Privileged Identity as a Service, which makes it fast and easy to take control of your passwords without having to install or manage any special software. You can read more about it here.
Privileged Identity – Practice Leader