Five Secrets of Enterprise Password Management

September 5, 2018


Despite the billions of dollars spent every year on IT security products, countless organizations still fail at basic cyber security tasks. One of the most commonly overlooked cyber security fundamentals is enterprise password management. Too many companies don’t properly manage their credentials, exposing themselves to untold risk.

The only way to attack these problems, which often stay hidden within the IT shop, is to expose them for what they are. So here are five secrets about enterprise password management.

Point-in-Time Security

Let’s start by looking at how some organizations achieve that all-important rubber stamp of regulatory compliance.

The problem with many audits is that they only test security at a single point in time. Think about it. On February 1 you pass your PCI-DSS audit. Then, on February 15 you bring in new systems that are not included in your password management processes. Are you still compliant? Until another security auditor comes in, indeed you are. The state of your overall security, however, is a different matter.

The IT environment is a dynamic ecosystem. There are always new systems coming in and new employees gaining access. Cybersecurity tends to fall apart if the tools and processes around privileged password management don’t account for change.

Shutting Off Access

When employees leave your company, you need to change your administrative passwords to keep them out of your systems. Here’s just one example of what can happen when a malicious ex-employee maintains her login credentials.

Former IT employees are potentially serious security threats. They know your password secrets. And odds are these ex-employees retain access long after their employment ends. Many organizations maintain static administrative passwords for months, if not longer, giving former employees plenty of time to access their old systems and business applications.

Blind Faith in Provisioning

This secret is in line with the previous one. Many companies rely on Identity and Access Management (IAM) products to provision and de-provision users. But they don’t necessarily think about the difference between user accounts and privileged accounts.

Conventional IAM products are great for managing individual user identities. But they don’t handle the privileged identities used to access systems, run programs and change configuration settings.

To keep your critical systems in check, you need a Privileged Identity Management (PIM) solution to secure your privileged account passwords, in addition to an IAM solution for your user account passwords.

Privileged Account Stasis

We’ve touched on privileged accounts, so let’s explore that topic further.

Privileged accounts are more prevalent than you might think. As an example, take your database infrastructure. You likely have dozens, if not hundreds, of applications making connections to your databases. These applications use their own credentials to access the databases. If your organization doesn’t have a product to automatically manage and secure those credentials, you face a security and compliance nightmare.

Not only can any old person who happens to come across those credentials access your most precious data stores, there is no way to tell the difference between an application accessing the database and an unauthorized user accessing the database with the same credentials.

And if these credentials rarely change, there’s no way to close this password Pandora’s Box. The passwords are out there and your people won’t unlearn them – unless you have a PIM product to continuously change privileged credentials.
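The three problems above (systems added after the audit and never enrolled, passwords left unchanged after the people who knew them depart, and application credentials that never rotate) all show up in the same place: the gap between what is on the network and what the password manager actually controls. The following script is an added illustration, not code from the post or a BeyondTrust product. It runs a small continuous-style audit over a constructed inventory: hostnames, account names, rotation dates, the `MANAGED` set and the `DEPARTED` table are all made up for the example, and the 90-day threshold is an assumed policy value.

```python
from datetime import date, timedelta

# Constructed sample data for this example: what is actually on the network,
# who is known to hold each credential, and when it was last rotated.
INVENTORY = [
    {"host": "db-prod-01", "account": "sa",
     "last_rotated": date(2018, 1, 3), "known_to": ["alice", "carol"]},
    {"host": "db-prod-01", "account": "app_billing",
     "last_rotated": date(2017, 6, 30), "known_to": ["bob"]},
    {"host": "web-prod-02", "account": "root",
     "last_rotated": date(2018, 8, 20), "known_to": ["alice"]},
    {"host": "db-new-07", "account": "sa",
     "last_rotated": None, "known_to": []},          # brought in after the audit
]

# (host, account) pairs the password manager controls; everything else is drift.
MANAGED = {("db-prod-01", "sa"), ("web-prod-02", "root")}

# Former staff and their departure dates (constructed).
DEPARTED = {"alice": date(2018, 3, 15)}

MAX_AGE = timedelta(days=90)   # assumed rotation policy


def audit(inventory, managed, departed, today, max_age=MAX_AGE):
    """Return one finding per privileged account that violates policy.

    Each finding lists every reason it was flagged, so a single account can
    be both unmanaged and stale, or stale and still known to an ex-employee.
    """
    findings = []
    for entry in inventory:
        key = (entry["host"], entry["account"])
        last = entry["last_rotated"]
        reasons = []

        # Point-in-time drift: a system that exists but is not enrolled.
        if key not in managed:
            reasons.append("not under password management")

        # Stasis: credentials that never rotate, or rotate too rarely.
        if last is None:
            reasons.append("never rotated")
        elif today - last > max_age:
            age = (today - last).days
            reasons.append(f"credential age {age} days exceeds {max_age.days}")

        # Offboarding: a former holder left after the last rotation.
        for user in entry.get("known_to", []):
            left = departed.get(user)
            if left and (last is None or last < left):
                reasons.append(f"not rotated since {user} left on {left.isoformat()}")

        if reasons:
            findings.append({"host": entry["host"], "account": entry["account"],
                             "reasons": reasons})
    return findings


def run_audit(today=date(2018, 9, 5)):
    """Run the audit against the constructed data as of the post's date."""
    return audit(INVENTORY, MANAGED, DEPARTED, today)


if __name__ == "__main__":
    for finding in run_audit():
        print(f"{finding['host']}/{finding['account']}: " + "; ".join(finding["reasons"]))
```

Because the script reads the live inventory rather than an audit snapshot, scheduling it daily turns the February 1 pass into a standing check: the unenrolled `db-new-07` box appears the day it is added, and `db-prod-01/sa` is flagged the day after Alice leaves, not at the next audit.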

Cumulative Access Rights

Without privileged password management controls, most long-term employees collect credentials like a janitor collects keys.

This is how it works. Bob starts out working in accounts receivable (AR). He’s provisioned with access to AR systems. Then he moves over to accounts payable (AP). His AR credentials are never revoked, but now he’s also given access to AP systems. A couple of years down the line, Bob is temporarily assigned to a cross-functional accounting task force. In this role he needs credentials to some other specialized systems. After the task force completes its mission, Bob maintains his access rights to those special systems. Now the organization has a user with a toxic combination of access rights into its critical financial systems.

Here’s what you should do. Implement a strict policy curbing unlimited privileged access. Even when there is a valid purpose for elevated access, there should still be an approval process to check out privileged credentials, along with time-limited access to those credentials. That way your users still get the access they need to do their jobs, but only the right level of audited access, and only for a restricted period.
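To make the policy concrete, the model below replays Bob’s career under the controls the post recommends: access follows the current role rather than accumulating, a check-out needs a second person to approve it, every lease expires on its own, and every event is logged. This is an added example written for this page, not code from the post or from any BeyondTrust product; the role names, system names, people and the four-hour lease length are all constructed for the illustration.

```python
from datetime import datetime, timedelta

# Constructed entitlements: which systems each role may check out credentials for.
ROLE_SYSTEMS = {
    "accounts_receivable": {"ar-ledger"},
    "accounts_payable": {"ap-ledger"},
    "task_force": {"consolidation-db"},
}


class AccessDenied(Exception):
    pass


class PrivilegedAccessBroker:
    """Minimal model of approved, time-limited privileged credential check-out."""

    def __init__(self):
        self.roles = {}    # user -> {role: expiry datetime, or None if permanent}
        self.leases = {}   # (user, system) -> lease expiry
        self.log = []      # (when, user, event) audit trail

    def assign_role(self, user, role, now, until=None):
        """Grant a role. A new permanent role replaces the old one, so moving
        from AR to AP revokes AR access instead of stacking it."""
        current = self.roles.setdefault(user, {})
        if until is None:
            for old in [r for r, exp in current.items() if exp is None]:
                del current[old]
                self._revoke_leases(user, old, now, "role change")
        current[role] = until
        self.log.append((now, user, f"assigned {role}" + (f" until {until}" if until else "")))

    def _revoke_leases(self, user, role, now, reason):
        for system in ROLE_SYSTEMS[role]:
            if (user, system) in self.leases:
                del self.leases[(user, system)]
                self.log.append((now, user, f"lease on {system} revoked ({reason})"))

    def entitled(self, user, system, now):
        """True if some current (unexpired) role of the user covers the system."""
        for role, until in self.roles.get(user, {}).items():
            if system in ROLE_SYSTEMS[role] and (until is None or now < until):
                return True
        return False

    def checkout(self, user, system, approver, now, ttl=timedelta(hours=4)):
        """Issue a lease: requires a current entitlement and a separate approver."""
        if approver == user:
            raise AccessDenied("approver must be a different person")
        if not self.entitled(user, system, now):
            raise AccessDenied(f"{user} holds no current role entitling access to {system}")
        expiry = now + ttl
        self.leases[(user, system)] = expiry
        self.log.append((now, user, f"checked out {system}, approved by {approver}, expires {expiry}"))
        return expiry

    def can_use(self, user, system, now):
        """A lease is usable only while unexpired and while the role still applies."""
        expiry = self.leases.get((user, system))
        return expiry is not None and now < expiry and self.entitled(user, system, now)


def bob_scenario():
    """Replay the post's Bob story under these controls; returns the outcomes."""
    broker = PrivilegedAccessBroker()
    t0 = datetime(2018, 1, 8, 9, 0)
    broker.assign_role("bob", "accounts_receivable", t0)
    broker.checkout("bob", "ar-ledger", "alice", t0)
    ar_while_in_ar = broker.can_use("bob", "ar-ledger", t0 + timedelta(hours=1))

    t1 = t0 + timedelta(days=180)
    broker.assign_role("bob", "accounts_payable", t1)    # move to AP: AR goes away
    try:
        broker.checkout("bob", "ar-ledger", "alice", t1)
        ar_after_move = True
    except AccessDenied:
        ar_after_move = False

    t2 = t1 + timedelta(days=365)
    broker.assign_role("bob", "task_force", t2, until=t2 + timedelta(days=30))
    broker.checkout("bob", "consolidation-db", "alice", t2 + timedelta(days=1))
    return {
        "ar_while_in_ar": ar_while_in_ar,
        "ar_after_move": ar_after_move,
        "taskforce_during": broker.can_use("bob", "consolidation-db", t2 + timedelta(days=1, hours=2)),
        "taskforce_after_lease_ttl": broker.can_use("bob", "consolidation-db", t2 + timedelta(days=1, hours=5)),
        "taskforce_after_assignment": broker.entitled("bob", "consolidation-db", t2 + timedelta(days=31)),
        "log_entries": len(broker.log),
    }


if __name__ == "__main__":
    for key, value in bob_scenario().items():
        print(f"{key}: {value}")
```

The two expiries are deliberately separate: the lease ends after four hours even though the task-force role still applies, and once the 30-day assignment lapses no new lease can be issued at all. The audit trail records the revocation at the moment of the department move, which is exactly the event that never happens in the unmanaged version of the story.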

What password secrets are lurking in your enterprise? Find out with the free Bomgar Discovery Tool. You’ll get a report about the privileged credentials being used to access endpoints and systems on your network, including the ages of the credentials.

Chris Stoneff

VP Security Solutions, Development

Copyright © 1999 — 2020 BeyondTrust Corporation. All rights reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.