Five Secrets of Enterprise Password Management

September 5, 2018


Despite the billions of dollars spent every year on IT security products, countless organizations still fail at basic cyber security tasks. One of the most commonly overlooked cyber security fundamentals is enterprise password management. Too many companies don’t properly manage their credentials, exposing themselves to untold risk.

The only way to attack these problems, which often stay hidden within the IT shop, is to expose them for what they are. So here are five secrets about enterprise password management.

Point-in-Time Security

Let’s start by looking at how some organizations achieve that all-important rubber stamp of regulatory compliance.

The problem with many audits is that they only test security at a single point in time. Think about it. On February 1 you pass your PCI-DSS audit. Then, on February 15 you bring in new systems that are not included in your password management processes. Are you still compliant? Until another security auditor comes in, indeed you are. The state of your overall security, however, is a different matter.

The IT environment is a dynamic ecosystem. There are always new systems coming in and new employees gaining access. Cybersecurity tends to fall apart if the tools and processes around privileged password management don’t account for change.

Shutting Off Access

When employees leave your company, you need to change your administrative passwords to keep them out of your systems. Here’s just one example of what can happen when a malicious ex-employee maintains her login credentials.

Former IT employees are potentially serious security threats. They know your password secrets. And odds are these ex-employees retain access long after their employment ends. Many organizations maintain static administrative passwords for months, if not longer, giving former employees plenty of time to access their old systems and business applications.

Blind Faith in Provisioning

This secret is in line with the previous one. Many companies rely on Identity and Access Management (IAM) products to provision and de-provision users. But they don’t necessarily think about the difference between user accounts and privileged accounts.

Conventional IAM products are great for managing individual user identities. But they don’t handle the privileged identities used to access systems, run programs and change configuration settings.

To keep your critical systems in check, you need a Privileged Identity Management (PIM) solution to secure your privileged account passwords, in addition to an IAM solution for your user account passwords.

Privileged Account Stasis

We’ve touched on privileged accounts, so let’s explore that topic further.

Privileged accounts are more prevalent than you might think. As an example, take your database infrastructure. You likely have dozens, if not hundreds, of applications making connections to your databases. These applications use their own credentials to access the databases. If your organization doesn’t have a product to automatically manage and secure those credentials, you face a security and compliance nightmare.

Not only can any old person who happens to come across those credentials access your most precious data stores, there is no way to tell the difference between an application accessing the database and an unauthorized user accessing the database with the same credentials.

And if these credentials rarely change, there’s no way to close this password Pandora’s Box. The passwords are out there and your people won’t unlearn them – unless you have a PIM product to continuously change privileged credentials.
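The three gaps described so far (systems brought in after the audit, credentials a departed employee still knows, and application secrets that never rotate) are all detectable from data most IT shops already hold. The script below is an added example, not code from the original post or from BeyondTrust: it reconciles a constructed asset inventory, vault scope, credential list and HR departure list. The system names, user names, dates and the 90-day age threshold are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample data, not from the original post. In practice the inventory
# comes from the CMDB, scope and ages from the vault, departures from HR.


@dataclass
class Credential:
    name: str            # "system/account"
    system: str
    last_rotated: date
    kind: str            # "human" (interactive admin) or "application" (service)
    known_to: set = field(default_factory=set)   # everyone ever given the secret


INVENTORY = {"db-prod", "erp-01", "erp-02", "fileserver", "new-analytics"}
MANAGED_SYSTEMS = {"db-prod", "erp-01", "erp-02", "fileserver"}   # under the vault

CREDENTIALS = [
    Credential("db-prod/app_billing", "db-prod", date(2017, 11, 1), "application", {"alice", "bob"}),
    Credential("erp-01/Administrator", "erp-01", date(2018, 8, 20), "human", {"alice", "carol"}),
    Credential("erp-02/Administrator", "erp-02", date(2018, 3, 1), "human", {"bob"}),
    Credential("fileserver/root", "fileserver", date(2018, 9, 1), "human", {"carol"}),
]

DEPARTURES = {"bob": date(2018, 6, 15)}   # user -> last working day


def unmanaged_systems(inventory, managed):
    """Point-in-time gap: systems that exist but that the vault has never seen."""
    return sorted(inventory - managed)


def stale_after_departure(creds, departures):
    """Secrets a departed user knew that were not rotated after their last day."""
    findings = []
    for c in creds:
        for user in sorted(c.known_to):
            left = departures.get(user)
            if left is not None and c.last_rotated <= left:
                findings.append((c.name, user))
    return findings


def overaged(creds, today, max_age_days=90):
    """Secrets older than the rotation policy allows (threshold is an assumption)."""
    return sorted(c.name for c in creds if (today - c.last_rotated).days > max_age_days)


def app_secrets_known_to_people(creds):
    """Application secrets that humans also hold: a person using one is
    indistinguishable in the logs from the application itself."""
    return sorted((c.name, tuple(sorted(c.known_to)))
                  for c in creds if c.kind == "application" and c.known_to)


def hygiene_report(today=date(2018, 9, 5)):
    """Run every check; `today` defaults to the post's publication date."""
    return {
        "unmanaged_systems": unmanaged_systems(INVENTORY, MANAGED_SYSTEMS),
        "stale_after_departure": stale_after_departure(CREDENTIALS, DEPARTURES),
        "overaged": overaged(CREDENTIALS, today),
        "app_secrets_known_to_people": app_secrets_known_to_people(CREDENTIALS),
    }


if __name__ == "__main__":
    for check, hits in hygiene_report().items():
        print(f"{check}: {hits or 'clean'}")
```

Run on a schedule rather than once before the auditor arrives, a report like this turns the point-in-time audit into a continuous control: the new analytics box shows up as unmanaged the day it is added, and Bob's departure flags every secret he was ever given until each one is rotated.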

Cumulative Access Rights

Without privileged password management controls, most long-term employees collect credentials like a janitor collects keys.

This is how it works. Bob starts out working in accounts receivable (AR). He’s provisioned with access to AR systems. Then he moves over to accounts payable (AP). His AR credentials are never revoked, but now he’s also given access to AP systems. A couple of years down the line, Bob is temporarily assigned to a cross-functional accounting task force. In this role he needs credentials to some other specialized systems. After the task force completes its mission, Bob keeps his access rights to those special systems. Now the organization has a user with a toxic combination of access rights into its critical financial systems.

Here’s what you should do. Implement a strict policy curbing unlimited privileged access. Even when there is a valid purpose for elevated access, there should still be an approval process to check out privileged credentials, along with time-limited access to those credentials. That way your users still get the access they need to do their jobs, but only the right level of audited access, and only for a restricted period.
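The following Python model is an added example, not code from the original post or from BeyondTrust, of the two controls just described: an entitlement review that flags what a user holds beyond their current role (the Bob scenario), and a credential check-out that requires approval by a second person, caps the window at a policy maximum, refuses use outside the window, and rotates the secret on check-in so the revealed value stops working. Role names, entitlement names, credential names and the four-hour maximum are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data, not from the original post: the entitlements each
# role justifies. Anything a user holds beyond the current role's set is drift.
ROLE_ENTITLEMENTS = {
    "accounts_receivable": {"ar-ledger", "ar-reports"},
    "accounts_payable": {"ap-ledger", "ap-payments"},
    "accounting_taskforce": {"gl-consolidation"},
}


def excess_entitlements(current_role, granted):
    """Entitlements the user holds that the current role does not justify."""
    return sorted(set(granted) - ROLE_ENTITLEMENTS.get(current_role, set()))


@dataclass
class Checkout:
    user: str
    credential: str
    reason: str
    requested_at: datetime
    approved_by: Optional[str] = None
    expires_at: Optional[datetime] = None
    returned_at: Optional[datetime] = None


class PrivilegedVault:
    """request -> approval by someone else -> time-boxed reveal -> rotate on check-in."""
    def __init__(self, secrets_store, max_duration=timedelta(hours=4)):
        self._secrets = dict(secrets_store)   # credential name -> current secret
        self.max_duration = max_duration      # policy ceiling for any window
        self.checkouts = []                   # ticket id == index in this list
        self.audit = []                       # (time, event, actor, credential)
    def current_secret(self, credential):
        return self._secrets[credential]
    def request(self, user, credential, reason, now):
        self.checkouts.append(Checkout(user, credential, reason, now))
        self.audit.append((now, "request", user, credential))
        return len(self.checkouts) - 1
    def approve(self, ticket, approver, now, duration=None):
        co = self.checkouts[ticket]
        if approver == co.user:
            raise PermissionError("requester may not approve their own checkout")
        # Never grant longer than the policy maximum, whatever was asked for.
        duration = min(duration or self.max_duration, self.max_duration)
        co.approved_by, co.expires_at = approver, now + duration
        self.audit.append((now, "approve", approver, co.credential))
    def reveal(self, ticket, now):
        co = self.checkouts[ticket]
        if co.approved_by is None:
            raise PermissionError("checkout not approved")
        if co.returned_at is not None or now >= co.expires_at:
            raise PermissionError("checkout window closed")
        self.audit.append((now, "reveal", co.user, co.credential))
        return self._secrets[co.credential]
    def check_in(self, ticket, now):
        co = self.checkouts[ticket]
        co.returned_at = now
        # Rotate on return so the value the user saw stops working.
        self._secrets[co.credential] = secrets.token_urlsafe(24)
        self.audit.append((now, "rotate", "vault", co.credential))
    def expire(self, now):
        """Sweep: check in (and rotate) every checkout whose window has lapsed."""
        lapsed = [i for i, co in enumerate(self.checkouts)
                  if co.approved_by and co.returned_at is None and now >= co.expires_at]
        for i in lapsed:
            self.check_in(i, now)
        return lapsed


def denied(action):
    """True if the vault refuses the action with PermissionError."""
    try:
        action()
        return False
    except PermissionError:
        return True


def run_scenario():
    """Replay the post's Bob example against the model; returns what was observed."""
    t0 = datetime(2018, 9, 5, 9, 0)
    vault = PrivilegedVault({"gl-consolidation/svc_admin": "initial-secret"})
    out = {}
    # Bob now works in AP but still holds his AR and task-force entitlements.
    out["excess"] = excess_entitlements(
        "accounts_payable",
        {"ar-ledger", "ar-reports", "ap-ledger", "ap-payments", "gl-consolidation"})
    ticket = vault.request("bob", "gl-consolidation/svc_admin", "quarter-end close", t0)
    out["reveal_before_approval"] = denied(lambda: vault.reveal(ticket, t0))
    out["self_approval"] = denied(lambda: vault.approve(ticket, "bob", t0))
    vault.approve(ticket, "carol", t0, duration=timedelta(hours=8))   # capped to 4h
    out["window_hours"] = (vault.checkouts[ticket].expires_at - t0).total_seconds() / 3600
    out["secret_in_window"] = vault.reveal(ticket, t0 + timedelta(hours=1))
    out["reveal_after_expiry"] = denied(lambda: vault.reveal(ticket, t0 + timedelta(hours=5)))
    out["expired_tickets"] = vault.expire(t0 + timedelta(hours=5))
    out["rotated"] = vault.current_secret("gl-consolidation/svc_admin") != "initial-secret"
    out["audit_events"] = [e[1] for e in vault.audit]
    return out
```

The entitlement check is what should run whenever Bob changes role; the vault is what replaces the standing task-force credentials he would otherwise keep. Note that the audit trail records only what the vault actually did: the refused self-approval and the refused early and late reveals raise before anything is logged, so a reviewer sees one request, one approval, one reveal and one rotation.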

What password secrets are lurking in your enterprise? Find out with the free Bomgar Discovery Tool. You’ll get a report about the privileged credentials being used to access endpoints and systems on your network, including the ages of the credentials.


Chris Stoneff, VP Security Solutions, Development
