How to Close the Security Gap Between Identity and Access Management (IAM) and Shared Accounts
By Maurice Côté, Vice President of Business Solutions, Devolutions
For more than half a century, passengers of London’s underground (a.k.a. The Tube) have been warned to “mind the gap” when crossing the small, but potentially dangerous openings between train doors and station platforms.
Well, organizations these days need to mind the gap as well: the virtual gap that exists between their Identity and Access Management (IAM) system and their various shared accounts. Otherwise, much like unwitting tube passengers, they could find themselves rather badly injured — not physically, but financially.
Of course, the issue here is not that IAM systems are somehow ineffective or unnecessary. On the contrary, given how vast the attack surface has become in recent years with the explosive popularity of cloud services and remote workers, IAM systems are highly valuable. Rather, the problem is that a chasm exists between IAM systems and devices that cannot authenticate against a federated identity provider at all, such as networking equipment and specialized appliances that only know their own local accounts. What’s more, out of practical necessity, most of these devices are managed using shared accounts: a single local administrator credential used by everyone who maintains the device. Those credentials are coveted by hackers who are highly motivated to steal “the keys to the kingdom” (i.e. privileged accounts that provide access to sensitive, confidential, and proprietary data), and because they are shared, no IAM policy applies to them and no individual can be held accountable for their use.
Clearly, all organizations — and we are not just talking about large enterprises, but SMBs as well — need to close the gap between their IAM system and shared accounts. That is where a Privileged Access Management (PAM) system enters the picture and makes a game-changing difference.
A PAM system extends the robust protection offered by an IAM system into the non-federated identity space, and enables eight key functions and features:
- A secure vault that safely stores credentials and other sensitive data that is shared between multiple end users (e.g., software license keys).
- Account checkout, which allows SysAdmins to approve or reject each access request on a case-by-case basis; when a request is approved, the SysAdmin can set a time limit after which the checkout expires.
- Customized notifications that alert SysAdmins when certain events or actions take place regarding specific end users, roles, vaults, etc.
- Automated mandatory password rotation upon check-in.
- Automated mandatory password rotation at a scheduled time/date.
- Account discovery, which automatically scans and identifies privileged accounts from an Active Directory provider so they can be updated, monitored, or deleted.
- Behind-the-scenes account brokering, which automates workflows (e.g., open a VPN client, launch a remote access protocol, and access a privileged account) without ever having to provide end users with passwords in the first place.
- Session activity recording, which provides an audit trail of exactly what was done under a shared account. This is highly valuable for organizations that have contractors and third-party vendors, for forensic review after an incident, and for organizations that want to monitor employee performance and productivity.
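The checkout, check-in, rotation, and brokering features above form one account lifecycle: a request is approved for a limited time, the secret is used, and on check-in (or expiry, or schedule) the password is rotated so that whatever the user saw is worthless afterwards. The following is an added example, not Devolutions' code or any product's API: a minimal in-memory model of that lifecycle. The account name, user names, timestamps, and the `launch` callback are all constructed for illustration; a real vault would encrypt its contents at rest and rotate the password on the device itself, which this model only simulates.

```python
"""Minimal model of a PAM checkout / check-in / rotation workflow (added example)."""
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def generate_password(length: int = 32) -> str:
    """Rotation uses the CSPRNG-backed `secrets` module, never `random`."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class SharedAccount:
    name: str
    password: str
    next_rotation: datetime                    # scheduled rotation deadline
    rotation_interval: timedelta = timedelta(days=30)
    checked_out_by: Optional[str] = None
    checkout_expires: Optional[datetime] = None


class Vault:
    """In-memory stand-in for the PAM vault (hypothetical; not a product API)."""

    def __init__(self, notify: Callable[[str], None] = print) -> None:
        self.accounts: dict[str, SharedAccount] = {}
        self.audit: list[str] = []
        self._notify = notify                  # hook for customized notifications

    def _log(self, event: str) -> None:
        self.audit.append(event)
        self._notify(event)

    def add(self, account: SharedAccount) -> None:
        self.accounts[account.name] = account

    def _rotate(self, acct: SharedAccount, reason: str, now: datetime) -> None:
        acct.password = generate_password()    # old secret is now useless
        acct.next_rotation = now + acct.rotation_interval
        acct.checked_out_by = None
        acct.checkout_expires = None
        self._log(f"rotated {acct.name}: {reason}")

    def checkout(self, name: str, user: str, approver: str, approved: bool,
                 ttl: timedelta, now: datetime) -> Optional[str]:
        """Approval-gated, time-limited checkout. Returns the secret or None."""
        acct = self.accounts[name]
        if not approved:
            self._log(f"{approver} rejected checkout of {name} by {user}")
            return None
        if acct.checked_out_by is not None and acct.checkout_expires > now:
            self._log(f"denied {user}: {name} held by {acct.checked_out_by}")
            return None
        acct.checked_out_by, acct.checkout_expires = user, now + ttl
        self._log(f"{approver} approved {name} for {user} until {acct.checkout_expires.isoformat()}")
        return acct.password

    def checkin(self, name: str, user: str, now: datetime) -> bool:
        """Mandatory rotation on check-in; only the holder may check in."""
        acct = self.accounts[name]
        if acct.checked_out_by != user:
            self._log(f"ignored check-in of {name} by {user}: not the holder")
            return False
        self._rotate(acct, f"check-in by {user}", now)
        return True

    def sweep(self, now: datetime) -> list[str]:
        """Enforce checkout time limits and the rotation schedule; returns rotated names."""
        touched = []
        for acct in self.accounts.values():
            if acct.checked_out_by is not None and acct.checkout_expires <= now:
                self._rotate(acct, f"checkout by {acct.checked_out_by} expired", now)
                touched.append(acct.name)
            elif acct.checked_out_by is None and acct.next_rotation <= now:
                self._rotate(acct, "scheduled rotation", now)   # deferred while held
                touched.append(acct.name)
        return touched

    def broker(self, name: str, user: str, launch: Callable[[str, str], None],
               now: datetime) -> bool:
        """Brokered session: the secret goes to the launcher, never to the user."""
        acct = self.accounts[name]
        if acct.checked_out_by is not None and acct.checkout_expires > now:
            return False
        launch(acct.name, acct.password)       # e.g. open VPN, then RDP with injected creds
        self._log(f"brokered session on {name} for {user}")
        self._rotate(acct, f"brokered session by {user} ended", now)
        return True


def demo() -> dict:
    """Constructed scenario on a fixed clock so the outcome is deterministic."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    vault = Vault(notify=lambda e: None)
    vault.add(SharedAccount("core-switch-admin", "Init1al-Pa55word!", t0 + timedelta(days=30)))
    h = timedelta(hours=1)
    out = {"rejected": vault.checkout("core-switch-admin", "alice", "admin", False, h, t0)}
    out["alice_secret"] = vault.checkout("core-switch-admin", "alice", "admin", True, h, t0)
    out["bob_denied"] = vault.checkout("core-switch-admin", "bob", "admin", True, h, t0 + timedelta(minutes=10))
    out["alice_checkin"] = vault.checkin("core-switch-admin", "alice", t0 + timedelta(minutes=30))
    out["after_checkin"] = vault.accounts["core-switch-admin"].password
    vault.checkout("core-switch-admin", "bob", "admin", True, h, t0 + h)   # bob never checks in
    out["expired"] = vault.sweep(t0 + 3 * h)
    out["after_expiry"] = vault.accounts["core-switch-admin"].password
    out["scheduled"] = vault.sweep(t0 + timedelta(days=31))
    launched: list[str] = []
    out["brokered"] = vault.broker("core-switch-admin", "carol", lambda n, p: launched.append(n), t0 + timedelta(days=31, hours=1))
    out["launched"], out["audit"] = launched, vault.audit
    return out


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

Two design points carry over to a real deployment: rotation is triggered by every exit path (check-in, expiry, schedule, end of brokered session), so a leaked screenshot or shoulder-surfed password has a bounded lifetime, and scheduled rotation is deferred while an account is held so that an approved session is not broken mid-task.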
Organizations should make it a top priority to implement a PAM system, and in doing so close the security gap between their IAM system and shared accounts wherever access cannot be federated. Frankly, this is more than a best practice. Given that the average cost of a data breach has surged to a staggering USD 4.24 million per incident, it is a requirement.
About the Author
Maurice Côté is vice president of business solutions at Devolutions, a provider of best-in-class privileged access management, password management, and remote connection management solutions to all organizations—including SMBs.
For more information about Devolutions, check out their Twitter @DevolutionsInc or their website https://devolutions.net/