Top-Down Password ProtectionNew tools can corral administrator-level access, but plan ahead to avoid costly downtime.
They're Here To Help
Enter a new breed of privileged account management systems. These systems promise to control access to high-level systems and automate password safeguards. While these systems are effective so far, adoption is slow, in part because of price. Access control system pricing typically starts at around $15,000 to $25,000.
At first glance, management of privileged accounts and passwords seems like a problem that an identity management system could solve. Sometimes it can, but identity management is aimed at a different problem: managing the life cycle of accounts tied to actual humans. User accounts need to be created and destroyed as users are hired and terminated, with their access to resources granted or denied based on job roles.
Identity management tools are typically tied to ERP or human resources systems, so changes in employment status trigger matching changes to computer access. They typically implement single sign-on via connectors to applications and directories but can't interface with the more limited systems that form the infrastructure of a network. These tools are built to handle large numbers of users with similar access needs and thus aren't suited to the more specialized needs of accounts that aren't tied to individual employees.
Where identity management systems provide a one-size-fits-all approach to user passwords, privileged account managers provide a custom-fit match to the needs of nonidentity accounts. The standard privileged account management feature set includes generation of a unique, complex, random password for each account and the ability to automatically log in to the client system and change the password.
Nearly all privileged account management systems employ an agentless design, where they use the server's native protocols, such as SMB, Telnet, or SSH, to interactively log in and make password changes, with no preinstallation or configuration of the managed systems required.
When authorized users need access to a privileged account, they can log in to a Web portal and request the password for a particular system. After verifying the user's right to view that password, the system provides it and logs the fact that the user has accessed the password. After the user has finished with the password, the system generates a new password, logs in to the client system, and resets the password (see diagram, "A Stronger Front Line", below). In this way, the user no longer has access without again requesting it through the privileged account manager.
The most secure setup comes from using identity-managed single sign-on to authenticate the individual's access to the privileged account management system, combining the identity-based access control of identity management with the tight control and auditing of privileged account management.
Besides controlling access to servers and accounts, privileged password managers provide enhanced accountability. Since high-privilege accounts aren't tied to individual users--often just to "root" or "Administrator"--there normally isn't a way to tell who actually accessed a system and made a particular change. By logging every time an administrator requests a password, privileged account managers provide an independent log of all access to servers using the administrative accounts.
A Stronger Front Line
The privileged account manager discovers all systems (desktops, servers, routers, etc.) on the network and sets unique passwords for them. System admins use the privileged account manager to access administrator accounts. The privileged account manager logs the details of each session and creates a new unique password when the admin has finished.
To further enhance accountability, the systems can be configured so that no other user can access a specific password while it's checked out to another admin. The password is only made available for use after the first user has checked it back in or a specific time has elapsed, and the password automatically changed.
This can be especially useful to meet audit requirements, and most applications can produce extensive reports suitable for presentation to auditors. The logs also can be useful for demonstrating that corporate password policies are being followed in areas of complexity and change intervals.
2 of 3