Managing User Access for Both Privileged and Non-Privileged Accounts with BeyondTrust and SailPoint

April 15, 2019


The identity and access management (IAM) software field is proliferating. Today’s organizations need secure access to their critical systems to combat the growing number of cyberattacks causing headline-grabbing data breaches.

But IAM is also a segmented market, with distinct products that do different things. For example, Privileged Access Management (PAM) and conventional identity management serve different purposes.

Conventional identity management deals primarily with user accounts associated with personal logins. Most organizations utilize these products to provision and de-provision users. But these same organizations don’t always think about privileged logins. That’s where PAM comes in. It covers the privileged identities that grant elevated access throughout an enterprise.

Privileged identities aren’t managed by standard identity management systems. Unlike user identities, privileged identities aren’t typically provisioned. Instead, they appear on the network whenever physical and virtual IT assets get deployed or changed.

Managing and Securing All Identities

At a fundamental level, a regular user and a privileged user are different. If user identities are the keys that employees carry to access the front door of the office, privileged identities are the keys used by security guards to get into every door in the office building.

A regular user, say Bob in accounting, has a digital identity in an IT environment. Everything in the IT infrastructure connected to Bob is traced to that identity. Perhaps Bob is part of a certain Active Directory group because he needs access to a particular file system. Or maybe Bob needs to get into SharePoint, or any of the multitude of IT assets in an environment that employees may need to use.

Privileged identities, on the other hand, are not mapped to a single person. They can be used by many people. But sometimes they’re not even used by people, like the identities created to run service accounts. PAM must account for the fact that the people using a privileged identity may be different at any given time. Therefore, it’s essential to have a way to track who has privileged access, and control what they are doing with that access.

While user identities and privileged identities serve different functions, they share the need for control and oversight. Consider this: what are the consequences of not managing your identities? For user identities, the implications are well known. They include a lack of insight into who has access to what, and users who have too much access to too many systems.

The consequences for ignoring PAM may not be as well known, but they’re arguably more severe. Cyberattacks that beat perimeter security can exploit unmanaged privileged identities and gain elevated access on the network. And insiders with privileged access can cause serious problems — whether by accident or design.

Such severe consequences call for a solution that can manage and secure all types of identities to gain a complete view of identity context for access-related decisions.

The Identity Governance Layer

Identity governance allows modern enterprises to see a complete view of identity-related risk. The identity governance layer offers a tightly integrated approach to the lifecycle of all identities, including employees, partners, vendors and even bots, driven by business-minded choices made from the top down.

A policy that enforces how and when an authorized administrator has access to a privileged identity is the realm of PAM. But how does that administrator become “authorized”? This is a business decision, and it’s exactly the type of choice that an identity governance system can manage and track. As employees change job roles, and eventually leave the organization, governance allows the business to keep security intact at every lifecycle decision point.

Historically, PAM and identity governance solutions existed as silos – separate solutions that did not work together to mitigate cyber threats. As a result, identity governance lacked visibility into powerful privileged accounts. At the same time, PAM lacked the comprehensive oversight and visibility provided by identity governance.

Reducing this siloed approach into enterprise identity management required the next step: an automated solution that could seamlessly provision and control access for end users, IT administrators, and other types of users based on business governance policies and attestation.

The BeyondTrust-SailPoint Integration

A new technology integration between BeyondTrust Password Safe and SailPoint IdentityIQ gives organizations the visibility and centralized control they need to govern access for both privileged and non-privileged accounts.

The integration leverages the System for Cross-domain Identity Management (SCIM) API built into the SailPoint IdentityIQ PAM Module, which permits privileged account vaults and associated entitlements to be visible and managed throughout the identity governance process. This allows the automated provisioning of privileged accounts to new end users that require them based on their job function, group memberships, or business role. And it lets managers recertify or remove unnecessary privileged accounts on a periodic and/or event-driven basis.

It starts with two key pieces of information: who is the user, and which groups does the user belong to? When users are part of a particular group, they are granted permissions to access data for that specific group. This gives IT a view into role assignments and user access, as well as ongoing role changes. Access is added and removed automatically when employees change roles, ensuring that each user only has appropriate access at all times.

Here’s a real-world scenario: Jan is a new employee. That means Jan gets onboarded by IT. There’s an automated process that puts Jan into IdentityIQ as an identity. From there, depending on which department Jan works in, who her manager is, and other decision points, Jan is given accounts in various systems. Suppose Jan needs an account to authenticate to BeyondTrust Password Safe. IdentityIQ gets information about Jan from the various data points and then provisions Jan an account in Password Safe. It will also tell Password Safe the groups that Jan belongs to. That will give Jan the permissions she needs to work with Password Safe.

Another scenario: a security auditor wants to see all the accounts that exist, and all the users enabled to access those accounts. IdentityIQ can report on the access permissions for various systems, whatever they may be: ServiceNow, SharePoint, Password Safe. In the case of Password Safe, when asked, it tells SailPoint what accounts exist and what privileges come with those accounts. Consider it a detailed view into important identity information: you told me about the users in the groups; let me tell you what that group membership lets them access.
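The two scenarios above (onboarding Jan with group-based access, and the auditor's "who can reach which account" report) both rest on SCIM 2.0 user and group provisioning. The following is an added illustration, not code from BeyondTrust or SailPoint: it models a SCIM-style store in memory using the resource shapes and PatchOp message from RFC 7643/7644, runs a joiner, mover and leaver through it, and derives the entitlement view an auditor would ask for. The `ScimStore` class, the mapping from groups to vault-managed accounts, and all user, group and account names are constructed assumptions.

```python
"""Constructed SCIM 2.0 provisioning model (not the Password Safe or
IdentityIQ implementation). Resource and PatchOp shapes follow RFC 7643/7644;
the in-memory store and the group-to-vault-account mapping are assumptions."""
import uuid
from copy import deepcopy

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class ScimStore:
    """Minimal stand-in for the SCIM service a governance platform provisions into."""

    def __init__(self):
        self.users = {}
        self.groups = {}
        # Assumption: each group grants access to a set of vault-managed accounts.
        self.group_accounts = {}

    def create_group(self, display_name, accounts):
        gid = str(uuid.uuid4())
        self.groups[gid] = {"schemas": [SCIM_GROUP], "id": gid,
                            "displayName": display_name, "members": []}
        self.group_accounts[gid] = set(accounts)
        return gid

    def create_user(self, payload):
        # POST /Users: validate the way a SCIM server would before storing.
        if SCIM_USER not in payload.get("schemas", []):
            raise ValueError("400 invalidSyntax: missing User schema")
        if any(u["userName"] == payload["userName"] for u in self.users.values()):
            raise ValueError("409 uniqueness: userName already exists")
        uid = str(uuid.uuid4())
        user = {"schemas": [SCIM_USER], "id": uid,
                "userName": payload["userName"],
                "active": payload.get("active", True)}
        self.users[uid] = user
        return deepcopy(user)

    def patch_group(self, gid, patch):
        # PATCH /Groups/{id}: only add/remove on the "members" path is modelled.
        if SCIM_PATCH not in patch.get("schemas", []):
            raise ValueError("400 invalidSyntax: missing PatchOp schema")
        group = self.groups[gid]
        for op in patch["Operations"]:
            if op.get("path") != "members":
                raise ValueError("400 invalidPath: only members is supported")
            ids = [m["value"] for m in op["value"]]
            if op["op"] == "add":
                for uid in ids:
                    if uid not in self.users:
                        raise ValueError("400 invalidValue: unknown member " + uid)
                    if not any(m["value"] == uid for m in group["members"]):
                        group["members"].append({"value": uid})
            elif op["op"] == "remove":
                group["members"] = [m for m in group["members"] if m["value"] not in ids]
            else:
                raise ValueError("400 invalidValue: unsupported op " + op["op"])
        return deepcopy(group)

    def deactivate_user(self, uid):
        # Leaver: governance tools usually set active=false rather than DELETE,
        # so the identity and its history remain available for audit.
        self.users[uid]["active"] = False

    def entitlement_report(self):
        # Auditor view: active user -> sorted vault accounts reachable via groups.
        report = {}
        for gid, group in self.groups.items():
            for member in group["members"]:
                user = self.users[member["value"]]
                if not user["active"]:
                    continue
                report.setdefault(user["userName"], set()).update(self.group_accounts[gid])
        return {name: sorted(accts) for name, accts in report.items()}


def members_patch(op, uid):
    """Build a SCIM PatchOp adding or removing one member."""
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": op, "path": "members", "value": [{"value": uid}]}]}


def run_lifecycle():
    """Joiner, mover, leaver; returns the entitlement report after each step."""
    store = ScimStore()
    finance = store.create_group("Finance-Admins", ["svc_erp_admin", "db_finance_ro"])
    hr = store.create_group("HR-Admins", ["svc_hr_admin"])
    jan = store.create_user({"schemas": [SCIM_USER], "userName": "jan"})
    bob = store.create_user({"schemas": [SCIM_USER], "userName": "bob"})
    store.patch_group(finance, members_patch("add", jan["id"]))
    store.patch_group(finance, members_patch("add", bob["id"]))
    joiner = store.entitlement_report()
    # Mover: Jan transfers from finance to HR; old access is removed, new added.
    store.patch_group(finance, members_patch("remove", jan["id"]))
    store.patch_group(hr, members_patch("add", jan["id"]))
    mover = store.entitlement_report()
    # Leaver: Bob leaves; his memberships stay for audit but grant nothing.
    store.deactivate_user(bob["id"])
    leaver = store.entitlement_report()
    return joiner, mover, leaver


if __name__ == "__main__":
    for label, report in zip(("joiner", "mover", "leaver"), run_lifecycle()):
        print(label, report)
```

The report is derived from group membership rather than stored per user, which is the point of the governance model: a role change is a single PATCH on a group, and the set of privileged accounts a person can reach follows from it without anyone editing per-user grants.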

Essentially, the SailPoint – BeyondTrust integration provides IT with visibility into all identities and access under one identity governance platform. That makes it easier to detect users with excessive identity-related risk. Meanwhile, management gains the oversight they need to ensure IT is making rational choices that align proper access with business needs.

It’s a double advantage. The privileged access security risk is mitigated, while IT operational efficiency is increased.

Kevin Franks, Marketing Communications Manager
