As Work Becomes More Distributed and Remote, Password Management Has Never Been More Important
By: Ali Gomulu
With new software-based approaches and cybersecurity automation, organizations can protect themselves from one of the primary causes of breaches – adversaries taking control of privileged accounts by being able to “crack the code” on privileged users’ passwords.
By securely storing credentials in a password vault and initiating secure connections into critical systems, services and infrastructure, employees and contractors can obtain access without the usual login-and-password routine, while the Privileged Access Management (PAM) platform automatically controls and records the start and end of every session.
Rather than trusting privileged users to set up “unbreakable” passwords, those users’ credentials are stored in a vault where access is governed by Role-Based Access Controls and passwords are kept in encrypted form. Advanced password vaults also update passwords across the IT infrastructure, protecting networks, servers, applications and data, and keeping end-point devices from being compromised even if credentials are lost, shared or stolen.
What should organizations look for when reviewing their options for which password vault to use? Here are ten questions decision-makers should pose:
- Will the password vault manager broker connections with all relevant systems (including remote desktops, virtual desktops, web and browser-based applications, across all mobile devices, including smartphones and laptops)?
- How complex is the installation and configuration for end-users?
- Is auto-discovery included to minimize configuration for end-users and IT staff?
- How complex is the experience for IT staff at their workstations, and how much manual maintenance and monitoring will be required?
- What kind of filtering is included to help prevent accidental or malicious disruption?
- Does the solution include automated updates of credentials at the beginning and end of every session?
- Does the solution interoperate with third-party vendor products (web servers, app servers, routers, and other networking equipment)?
- Does the solution work seamlessly with ITSM solutions for change management and governance control?
- Is 100% keylogging and recording included to support compliance and audit requirements?
- Is real-time reporting, including alerts and notifications in the event of unusual behavior, included?
Ironsphere’s Dynamic Password Controller is a password vault that stores and rotates SSH keys and passwords of privileged accounts (admin, system, root, etc.) centrally and securely.
Users log in with their personal accounts, check out the credential of a privileged account, and then use it to connect to target end-points.
The Dynamic Password Controller generates searchable log records and audit trails to meet security and compliance requirements and takes control of device and database passwords, providing security while sustaining efficiency.
Our advanced solution supports local user accounts on:
- Operating Systems: Windows/Linux/Unix
- Databases: Oracle, PostgreSQL, MsSQL, etc.
- Devices and appliances with a CLI interface
- Applications with a password change API
Passwords generated by Ironsphere are of maximum strength, and because the password is changed after every use, effectively acting as a one-time password, long-lived, non-expired passwords are eliminated.
Passwords are not shared among employees because nobody knows/sees the password, and while passwords are stored securely in a vault, our Dynamic Password Controller can randomize shared passwords, making all passwords expire within 300 seconds.
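The check-out, rotate-after-use and 300-second expiry workflow described above, modelled as an added example that is not Ironsphere's code: the `Vault` class, its `push` hook (standing in for whatever mechanism sets the new password on the target system) and the account names are assumptions.

```python
import secrets
import string
import time

PASSWORD_TTL = 300          # seconds: a checked-out password is rotated no later than this
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"

def generate_password(length=32):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))  # CSPRNG, never random.*

class Vault:
    """Toy check-out/check-in vault; `push(account, password)` is a hypothetical hook."""
    def __init__(self, push):
        self.push = push
        self.passwords = {}   # privileged account -> current password
        self.checkouts = {}   # privileged account -> (user, expiry timestamp)
        self.audit = []       # (timestamp, user, account, action, reason)

    def add_account(self, account):
        self._rotate(account, "vault", "enroll", now=time.time())

    def _rotate(self, account, user, action, now):
        new = generate_password()
        self.push(account, new)          # update the credential on the target first
        self.passwords[account] = new    # only then replace the stored copy
        self.checkouts.pop(account, None)
        self.audit.append((now, user, account, action, ""))

    def checkout(self, user, account, reason, now=None):
        now = time.time() if now is None else now
        self.expire_overdue(now)         # overdue holders lose the password before anyone else sees it
        if account in self.checkouts:
            raise PermissionError(f"{account} is checked out by {self.checkouts[account][0]}")
        self.checkouts[account] = (user, now + PASSWORD_TTL)
        self.audit.append((now, user, account, "checkout", reason))   # who, where, when, why
        return self.passwords[account]

    def checkin(self, user, account, now=None):
        now = time.time() if now is None else now
        holder = self.checkouts.get(account, (None,))[0]
        if holder != user:
            raise PermissionError(f"{account} is not checked out by {user}")
        self._rotate(account, user, "checkin", now)   # one-time use: rotate on return

    def expire_overdue(self, now=None):
        now = time.time() if now is None else now
        for account, (user, expiry) in list(self.checkouts.items()):
            if now >= expiry:
                self._rotate(account, user, "expired", now)
```

The audit list is the "who accessed what, when and why" history the text refers to; in a real deployment it would be written to an append-only store rather than kept in memory.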
The auto-lock user account feature kicks in automatically when an employee is terminated (integration with enterprise Active Directory or LDAP is required).
With the right password vault technology, organizations prevent unauthorized access to critical systems and ward off attacks using stolen privileged credentials. For compliance and auditing, a unified password usage history documenting which individual users accessed where, when, and why is easily generated and analyzed.
And with our unique feature, embedded passwords can be generated and placed in application source code, configuration files, or databases – completely invisible to users.
Over the past two decades, with the rise of the Internet and the growth of cloud services, enterprises and organizations, including government agencies, have transformed the way they do business and serve their constituents.
Depending on the nature of their work, IT superusers have or need root access to be efficient and productive. Creating a team of superusers makes sense, especially for large organizations with thousands of servers under management. With a well-managed sysadmin team, their work can be streamlined and mistakes reduced when the team shares the same root accounts on all servers.
Weak passwords have long been the Achilles’ heel of IT teams, and despite all the best intentions, corporate policies, education and workarounds, passwords aren’t going away any time soon. There is some buzz around password-less access, but there are good arguments that passwords should continue to play a fundamental role in authenticating access.