The identity management software market is growing fast. More and more organizations need secure, authenticated access into their critical systems to counter the rising number of cyber attacks behind headline-grabbing data breaches.
But identity management is also a segmented market, with different types of products that do vastly different things. Identity and Access Management (IAM) is not the same as Privileged Identity Management (PIM).
In this post, we look at both IAM and PIM. We examine what each one does and how they differ. And, we make a case for why most organizations need both IAM and PIM to ensure that all of the identities in their environments are properly managed and secured.
Each time you log in to your computer, you're required to enter your password to validate your identity.
You probably also follow some rules to make sure that your password cannot be easily compromised. For example, your password might need to have a minimum length, contain numbers and special characters, and be different from passwords you’ve used in the past.
Your organization likely uses an Identity and Access Management (IAM) system to enforce these rules for password security, and to determine what information and services you can access.
And, because you log in with your personal credentials, the logs created as you access information and services tie those actions to you, so you can be held accountable for them.
Personal logins aren’t the only type of credentials on your network.
The IT employees who maintain the computers, devices, and software in your workplace use special passwords with elevated permission to install new hardware and software, configure services, and maintain the infrastructure.
Called privileged identities, these powerful logins grant the access needed to view and change data, alter system configuration settings, and run programs on just about every hardware and software asset on your network, including:
- Computer operating systems
- Network and backup appliances
- Directory services
- Line-of-business applications
- And more…
But, unlike your personal login credentials, privileged identities are not typically linked to any one individual. And, it's not only people who use privileged identities. Business applications and computer services must also use privileged identities to authenticate to databases, middleware, and other application tiers when requesting access to sensitive information and computing resources.
Privileged identities are not systematically managed in many organizations. This means that in all likelihood:
- No one knows where all the privileged account logins exist on your network.
- There is no record of which privileged login credentials are known to different individuals, including your IT staff, application developers, outside vendors and contractors.
- There is no proof of who used privileged logins to gain access to each IT resource, when, and for what purpose.
- And, there is no way to verify that each privileged account password is cryptographically strong, sufficiently unique, and changed often enough to be secure.
Also, as organizations grow, managing their privileged identities becomes harder. Over time, new hardware and software deployments, personnel changes, and other planned and unplanned events make these powerful credentials ever more difficult to control.
The Fallacy of Managing Privileged Identities Manually
Many IT groups try to address the problem through an improvised approach.
They try to keep track of privileged passwords on their own using:
- Manual processes to try and change the passwords by hand
- Scripts that individuals must write, test and maintain
The trouble with an improvised approach is that there are so many privileged passwords on most networks that many of them are easily overlooked and never secured. And, the passwords that are tracked are often changed so seldom that people who leave the company take working password secrets with them.
Also, for convenience, many IT personnel re-use the same password on multiple privileged accounts. If an attacker compromises just one system on the network, they can take advantage of shared privileged passwords to move laterally to systems all over the network.
That's why the news is full of stories about organizations that failed to take control of their privileged identities and suffered costly data breaches at the hands of cyber criminals or malicious insiders. The Edward Snowden affair is a perfect example. The massive Equifax data breach is, too.
The Privileged Identity Management Solution
Fortunately, our Privileged Identity Management solution can automatically find and secure your privileged identities for you.
You can enforce accountability so you’ll know precisely who had privileged access to each IT resource, when, and for what purpose. And, you can allow rapid, secure access whenever IT staff need privileged logins to perform routine maintenance or emergency repairs.
Your privileged passwords will automatically and continuously change, with a unique password for each system. That means there are no static or shared passwords to exploit. If an attacker manages to harvest one of your privileged passwords, it's only good for a short period before it changes, and it can't be re-used on other systems.
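To make the mechanics concrete, here is a small added example (not the product's code, and not from the original post) of what a privileged identity management vault has to do behind the scenes: inventory discovered accounts, flag the password sharing described above by comparing password hashes across systems, replace every discovered password with a unique cryptographically strong one, hand passwords out only through an audited check-out that records who, when and for what purpose, and rotate the password again at check-in and on age. The `set_password` callback, the host names and the discovered passwords are constructed for illustration; in a real deployment that callback would change the password on the target system over SSH, WinRM, LDAP or the appliance's own API.

```python
"""Toy privileged-credential vault: discovery, sharing detection, audited
check-out/check-in and rotation. Added example, not any vendor's product code."""
import hashlib
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 32) -> str:
    """Password from the OS CSPRNG (secrets, never random); requires all four classes."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


@dataclass
class Account:
    system: str
    username: str
    password: str
    rotated_at: datetime
    checked_out_by: Optional[str] = None


class PrivilegedVault:
    def __init__(self, set_password: Callable[[str, str, str], None],
                 max_age: timedelta = timedelta(hours=24)):
        self._set_password = set_password  # hypothetical hook that pushes the secret to the target
        self.max_age = max_age             # rotate even idle passwords after this long
        self.accounts: Dict[Tuple[str, str], Account] = {}
        self.audit: List[dict] = []        # who/when/what for every privileged access

    def _log(self, **fields) -> None:
        self.audit.append(fields)

    def discover(self, system: str, username: str, found_password: str, now: datetime) -> None:
        """Inventory an account as found; it keeps its (possibly shared) password until onboard()."""
        self.accounts[(system, username)] = Account(system, username, found_password, now)
        self._log(ts=now, event="discovered", system=system, user=username)

    def shared_passwords(self) -> Dict[str, List[Tuple[str, str]]]:
        """Group accounts by SHA-256 of the password; any group larger than one is reuse."""
        groups: Dict[str, List[Tuple[str, str]]] = {}
        for key, acct in self.accounts.items():
            h = hashlib.sha256(acct.password.encode()).hexdigest()
            groups.setdefault(h, []).append(key)
        return {h: keys for h, keys in groups.items() if len(keys) > 1}

    def _rotate(self, acct: Account, now: datetime, reason: str) -> None:
        new = generate_password()
        self._set_password(acct.system, acct.username, new)
        acct.password, acct.rotated_at = new, now
        self._log(ts=now, event="rotated", system=acct.system, user=acct.username, reason=reason)

    def onboard(self, now: datetime) -> None:
        """Replace every discovered password with a unique generated one."""
        for acct in self.accounts.values():
            self._rotate(acct, now, "onboard")

    def checkout(self, system: str, username: str, requester: str, purpose: str, now: datetime) -> str:
        acct = self.accounts[(system, username)]
        if acct.checked_out_by is not None:
            raise PermissionError(f"{system}/{username} already checked out by {acct.checked_out_by}")
        acct.checked_out_by = requester
        self._log(ts=now, event="checkout", system=system, user=username, by=requester, purpose=purpose)
        return acct.password

    def checkin(self, system: str, username: str, requester: str, now: datetime) -> None:
        acct = self.accounts[(system, username)]
        if acct.checked_out_by != requester:
            raise PermissionError("check-in must come from the current holder")
        acct.checked_out_by = None
        self._log(ts=now, event="checkin", system=system, user=username, by=requester)
        self._rotate(acct, now, "checkin")  # the disclosed password dies with the session

    def rotate_expired(self, now: datetime) -> int:
        """Rotate every idle password older than max_age; returns how many were rotated."""
        n = 0
        for acct in self.accounts.values():
            if acct.checked_out_by is None and now - acct.rotated_at >= self.max_age:
                self._rotate(acct, now, "expired")
                n += 1
        return n

    def who_had_access(self, system: str, username: str) -> List[dict]:
        return [e for e in self.audit
                if e["event"] == "checkout" and e["system"] == system and e["user"] == username]


def demo() -> dict:
    pushed: List[Tuple[str, str]] = []  # stand-in for the real password change on each target
    vault = PrivilegedVault(lambda system, user, pw: pushed.append((system, user)))
    t0 = datetime(2024, 1, 1, 9, 0)
    # Constructed inventory: two hosts share the same local root password.
    vault.discover("db01", "root", "Summer2019!", t0)
    vault.discover("web01", "root", "Summer2019!", t0)
    vault.discover("backup01", "admin", "b4ckup-Admin#1", t0)
    shared_before = vault.shared_passwords()
    vault.onboard(t0)
    shared_after = vault.shared_passwords()
    pw = vault.checkout("db01", "root", "alice", "CHG-1042 database patching", t0 + timedelta(minutes=5))
    vault.checkin("db01", "root", "alice", t0 + timedelta(minutes=35))
    return {
        "shared_before": sum(len(v) for v in shared_before.values()),
        "shared_after": len(shared_after),
        "checkout_pw_still_valid": pw == vault.accounts[("db01", "root")].password,
        "access_history": vault.who_had_access("db01", "root"),
        "rotated_by_age": vault.rotate_expired(t0 + timedelta(hours=25)),
        "pushes": len(pushed),
    }
```

Running `demo()` shows the two shared root passwords detected before onboarding and none after, the password alice checked out no longer valid once she checks it in, a single audit entry naming her and her purpose, and all three passwords rotated again a day later. The vault stores passwords in the clear only because it is a teaching example; a production vault encrypts them at rest and keeps the audit trail append-only.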
Even better, our Privileged Identity Management solution integrates with today’s leading IAM solutions, like SailPoint. That way, both your regular accounts and your privileged accounts are all seamlessly managed through one unified solution.
If you like this topic, please subscribe to our Cyber Defense Newsletter for a monthly roundup of our blog posts.