The identity and access management (IAM) software field is proliferating. Today’s organizations need secure access to their critical systems to combat the growing number of cyberattacks causing headline-grabbing data breaches.
But IAM is also a segmented market, with distinct products that do different things. For example, Privileged Access Management (PAM) and conventional identity management serve different purposes.
Conventional identity management deals primarily with user accounts associated with personal logins. Most organizations utilize these products to provision and de-provision users. But these same organizations don’t always think about privileged logins. That’s where PAM comes in. It covers the privileged identities that grant elevated access throughout an enterprise.
Privileged identities aren’t managed by standard identity management systems. Unlike user identities, privileged identities aren’t typically provisioned. Instead, they appear on the network whenever physical and virtual IT assets get deployed or changed.
Managing and Securing All Identities
At a fundamental level, a regular user and a privileged user are different. If user identities are the keys that employees carry to access the front door of the office, privileged identities are the keys used by security guards to get into every door in the office building.
A regular user – like, say, Bob in accounting – has a digital identity in an IT environment. Everything in the IT infrastructure connected to Bob is traced to that identity. Perhaps Bob is part of a certain Active Directory group because he needs access to a particular file system. Or maybe Bob needs to get into SharePoint, or any of the multitude of IT assets in an environment that employees may need to use.
Privileged identities, on the other hand, are not mapped to a single person. They can be used by many people. But sometimes they’re not even used by people, like the identities created to run service accounts. PAM must account for the fact that the people using a privileged identity may be different at any given time. Therefore, it’s essential to have a way to track who has privileged access, and control what they are doing with that access.
While user identities and privileged identities serve different functions, they share the need for control and oversight. Consider this - what are the consequences of not managing your identities? For user identities, the implications are well known. They include a lack of insight into who has access to what, and users who have too much access to too many systems.
The consequences for ignoring PAM may not be as well known, but they’re arguably more severe. Cyberattacks that beat perimeter security can exploit unmanaged privileged identities and gain elevated access on the network. And insiders with privileged access can cause serious problems — whether by accident or design.
Such severe consequences call for a solution that can manage and secure all types of identities to gain a complete view of identity context for access-related decisions.
The Identity Governance Layer
Identity governance allows modern enterprises to see a complete view of identity-related risk. The identity governance layer offers a tightly integrated approach to the lifecycle of all identities, including employees, partners, vendors and even bots, driven by business-minded choices made from the top down.
A policy that enforces how and when an authorized administrator has access to a privileged identity is the realm of PAM. But how does that administrator become “authorized?” This is a business decision, and it’s exactly the type of choice that an identity governance system can manage and track. As employees change job roles, and eventually leave the organization, governance allows the business to keep security intact at every lifecycle decision point.
Historically, PAM and identity governance solutions existed as silos – separate solutions that did not work together to mitigate cyber threats. As a result, identity governance lacked visibility into powerful privileged accounts. At the same time, PAM lacked the comprehensive oversight and visibility provided by identity governance.
Breaking down these silos within enterprise identity management required the next step: an automated solution that could seamlessly provision and control access for end users, IT administrators, and other types of users based on business governance policies and attestation.
The BeyondTrust-SailPoint Integration
A new technology integration between BeyondTrust Password Safe and SailPoint IdentityIQ gives organizations the visibility and centralized control they need to govern access for both privileged and non-privileged accounts.
The integration leverages the System for Cross-domain Identity Management (SCIM) API built into the SailPoint IdentityIQ PAM Module, which permits privileged account vaults and associated entitlements to be visible and managed throughout the identity governance process. This allows the automated provisioning of privileged accounts to new end users that require them based on their job function, group memberships, or business role. And it lets managers recertify or remove unnecessary privileged accounts on a periodic and/or event-driven basis.
It starts with two key pieces of information – who is the user, and which groups does the user belong to? When users are part of a particular group, they are granted permissions to access data for that specific group. This gives IT a view into role assignments and user access, as well as ongoing role changes. Access is automatically added and removed when employees change roles, ensuring that each user only has appropriate access at all times.
Here’s a real-world scenario: Jan is a new employee. That means Jan gets onboarded by IT. There’s an automated process that puts Jan into IdentityIQ as an identity. From there, depending on which department Jan works in, who her manager is, and other decision points, Jan is given accounts in various systems. Suppose Jan needs an account to authenticate to BeyondTrust Password Safe. IdentityIQ gets information about Jan from the various data points and then provisions Jan an account in Password Safe. It will also tell Password Safe the groups that Jan belongs to. That will give Jan the permissions she needs to work with Password Safe.
Another scenario: A security auditor wants to see all the accounts that exist, and all the users enabled to access those accounts. IdentityIQ can report on the access permissions for various systems, whatever they may be – ServiceNow, SharePoint, Password Safe. In the case of Password Safe, when asked, it would tell SailPoint what all the accounts are and what privileges come with each of them. Consider it a detailed view into important identity information: you told me about the users in the groups, let me tell you what that group membership lets them access.
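The two scenarios above, modelled as an added example that is not code from SailPoint or BeyondTrust: a SCIM 2.0 User resource carrying group membership is what the governance side sends to the vault, group membership is then resolved into the privileged accounts a user can reach, a role change is computed as a diff of that access, and an account-centric report answers the auditor's question. The group names, vaulted account names and the group-to-account mapping are constructed for illustration; only the SCIM core schema URNs are real.

```python
from copy import deepcopy

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"   # real SCIM 2.0 core schema URN

# Constructed mapping: which vaulted privileged accounts each vault group may check out.
# Hypothetical names, not any product's real group or account inventory.
GROUP_ENTITLEMENTS = {
    "ps-finance-dba": ["sa@fin-sql01", "oracle@fin-erp"],
    "ps-windows-admins": ["Administrator@fin-sql01"],
}

def scim_user(user_name, display_name, groups):
    """Build the SCIM User resource governance would provision into the vault (onboarding)."""
    return {
        "schemas": [SCIM_USER],
        "userName": user_name,
        "displayName": display_name,
        "active": True,
        "groups": [{"value": g, "display": g} for g in groups],
    }

def effective_accounts(user, entitlements=GROUP_ENTITLEMENTS):
    """Resolve group membership into {privileged account: set(groups granting it)}.
    A deactivated (offboarded) user reaches nothing, whatever groups remain on the record."""
    out = {}
    if not user.get("active", False):
        return out
    for g in user.get("groups", []):
        for acct in entitlements.get(g["value"], []):
            out.setdefault(acct, set()).add(g["value"])
    return out

def apply_role_change(user, add=(), remove=()):
    """Role change: governance rewrites group membership. Returns (new_user, gained, lost)
    so the access added and the access removed are both explicit and reviewable."""
    before = set(effective_accounts(user))
    new = deepcopy(user)
    keep = [g for g in new["groups"] if g["value"] not in remove]
    present = {g["value"] for g in keep}
    keep += [{"value": g, "display": g} for g in add if g not in present]
    new["groups"] = keep
    after = set(effective_accounts(new))
    return new, sorted(after - before), sorted(before - after)

def access_report(users, entitlements=GROUP_ENTITLEMENTS):
    """Auditor view: every vaulted account and the users who can currently reach it."""
    report = {acct: [] for accts in entitlements.values() for acct in accts}
    for u in users:
        for acct in effective_accounts(u, entitlements):
            report[acct].append(u["userName"])
    return report
```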
Essentially, the SailPoint – BeyondTrust integration provides IT with visibility into all identities and access under one identity governance platform. That makes it easier to detect users with excessive identity-related risk. Meanwhile, management gains the oversight they need to ensure IT is making rational choices that align proper access with business needs.
It’s a double advantage. The privileged access security risk is mitigated, while IT operational efficiency is increased.