Managing User Access for Both Privileged and Non-Privileged Accounts with BeyondTrust and SailPoint

April 15, 2019


The identity and access management (IAM) software field is proliferating. Today’s organizations need secure access to their critical systems to combat the growing number of cyberattacks causing headline-grabbing data breaches.

But IAM is also a segmented market, with distinct products that do different things. For example, Privileged Access Management (PAM) and conventional identity management serve different purposes.

Conventional identity management deals primarily with user accounts associated with personal logins. Most organizations utilize these products to provision and de-provision users. But these same organizations don’t always think about privileged logins. That’s where PAM comes in. It covers the privileged identities that grant elevated access throughout an enterprise.

Privileged identities aren’t managed by standard identity management systems. Unlike user identities, privileged identities aren’t typically provisioned. Instead, they appear on the network whenever physical and virtual IT assets get deployed or changed.

Managing and Securing All Identities

At a fundamental level, a regular user and a privileged user are different. If user identities are the keys that employees carry to access the front door of the office, privileged identities are the keys used by security guards to get into every door in the office building.

A regular user – like, say, Bob in accounting – has a digital identity in an IT environment. Everything in the IT infrastructure connected to Bob is traced to that identity. Perhaps Bob is part of a certain Active Directory group because he needs access to a particular file system. Or maybe Bob needs to get into SharePoint, or any of the multitude of IT assets in an environment that employees may need to use.

Privileged identities, on the other hand, are not mapped to a single person. They can be used by many people. But sometimes they’re not even used by people, like the identities created to run service accounts. PAM must account for the fact that the people using a privileged identity may be different at any given time. Therefore, it’s essential to have a way to track who has privileged access, and control what they are doing with that access.

While user identities and privileged identities serve different functions, they share the need for control and oversight. Consider this: what are the consequences of not managing your identities? For user identities, the implications are well known. They include a lack of insight into who has access to what, and users who have too much access to too many systems.

The consequences for ignoring PAM may not be as well known, but they’re arguably more severe. Cyberattacks that beat perimeter security can exploit unmanaged privileged identities and gain elevated access on the network. And insiders with privileged access can cause serious problems — whether by accident or design.

Such severe consequences call for a solution that can manage and secure all types of identities to gain a complete view of identity context for access-related decisions.

The Identity Governance Layer

Identity governance allows modern enterprises to see a complete view of identity-related risk. The identity governance layer offers a tightly integrated approach to the lifecycle of all identities, including employees, partners, vendors and even bots, driven by business-minded choices made from the top down.

A policy that enforces how and when an authorized administrator has access to a privileged identity is the realm of PAM. But how does that administrator become “authorized”? This is a business decision, and it’s exactly the type of choice that an identity governance system can manage and track. As employees change job roles, and eventually leave the organization, governance allows the business to keep security intact at every lifecycle decision point.

Historically, PAM and identity governance solutions existed as silos – separate solutions that did not work together to mitigate cyber threats. As a result, identity governance lacked visibility into powerful privileged accounts. At the same time, PAM lacked the comprehensive oversight and visibility provided by identity governance.

Reducing this siloed approach into enterprise identity management required the next step: an automated solution that could seamlessly provision and control access for end users, IT administrators, and other types of users based on business governance policies and attestation.

The BeyondTrust-SailPoint Integration

A new technology integration between BeyondTrust PasswordSafe and SailPoint IdentityIQ gives organizations the visibility and centralized control they need to govern access for both privileged and non-privileged accounts.

The integration leverages the System for Cross-domain Identity Management (SCIM) API built into the SailPoint IdentityIQ PAM Module, which permits privileged account vaults and associated entitlements to be visible and managed throughout the identity governance process. This allows the automated provisioning of privileged accounts to new end users that require them based on their job function, group memberships, or business role. And it lets managers recertify or remove unnecessary privileged accounts on a periodic and/or event-driven basis.

It starts with two key pieces of information – who is the user, and which groups does the user belong to? When users are part of a particular group, they are granted permissions to access data for that specific group. This gives IT a view into role assignments and user access, as well as ongoing role changes. Adding and removing access is automatically provided when employees change roles, ensuring that each user only has appropriate access at all times.

Here’s a real-world scenario: Jan is a new employee. That means Jan gets onboarded by IT. There’s an automated process that puts Jan into IdentityIQ as an identity. From there, depending on which department Jan works in, who her manager is, and other decision points, Jan is given accounts in various systems. Suppose Jan needs an account to authenticate to BeyondTrust Password Safe. IdentityIQ gets information about Jan from the various data points and then provisions Jan an account in Password Safe. It will also tell Password Safe the groups that Jan belongs to. That will give Jan the permissions she needs to work with Password Safe.

Another scenario: A security auditor wants to see all the accounts that exist, and all the users enabled to access those accounts. IdentityIQ can report on the access permissions for various systems, whatever they may be – ServiceNow, SharePoint, Password Safe. In the case of Password Safe, when asked, it would tell SailPoint what all the accounts are and what privileges come with those accounts. Consider it a detailed view into important identity information: you told me about the users in the groups, now let me tell you what that group membership lets them access.
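To make the two scenarios above concrete (role-driven provisioning of a vault account over SCIM, and the auditor's "who can reach which privileged account" view), here is an added, self-contained Python model. It is illustrative code written for this post, not BeyondTrust's or SailPoint's code, and it does not use their real APIs: the only real identifier is the public SCIM 2.0 core User schema URN. The role-to-group and group-to-account mappings, the user names, and the in-memory `Vault` class standing in for the target system's SCIM endpoint are all constructed assumptions.

```python
"""Constructed model of SCIM-style provisioning between an identity
governance system and a privileged-account vault.

Illustrative only: not BeyondTrust or SailPoint code. The mappings and
the Vault class are hypothetical stand-ins for the real integration.
"""

# Public SCIM 2.0 core User schema URN (RFC 7643).
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"

# Hypothetical business-role -> vault-group mapping owned by governance.
ROLE_TO_GROUPS = {
    "accounting": {"Finance-Vault-Users"},
    "dba": {"DB-Admins", "Finance-Vault-Users"},
    "auditor": {"Vault-Readers"},
}

# Hypothetical vault-side mapping of groups to the privileged accounts
# (shared/service accounts) that membership exposes.
GROUP_TO_ACCOUNTS = {
    "Finance-Vault-Users": {"svc-erp-batch"},
    "DB-Admins": {"sa@prod-sql01", "svc-erp-batch"},
    "Vault-Readers": set(),
}


def scim_user_payload(user_name, display_name, roles, active=True):
    """Build the SCIM User resource governance would send to the vault.

    Group membership is derived from business roles, so the identity
    source decides access; the vault only receives the result.
    """
    groups = sorted(set().union(*(ROLE_TO_GROUPS.get(r, set()) for r in roles)))
    return {
        "schemas": [SCIM_USER],
        "userName": user_name,
        "displayName": display_name,
        "active": active,
        "groups": [{"value": g} for g in groups],
    }


class Vault:
    """In-memory stand-in for the target system's SCIM /Users endpoint."""

    def __init__(self):
        self.users = {}

    def diff(self, payload):
        """Return (added, removed) groups a PUT of this payload would cause.

        This is the change governance shows a manager before applying it,
        e.g. on a role move: old-role groups drop, new-role groups appear.
        """
        current = self.users.get(payload["userName"], {"groups": set()})["groups"]
        desired = {g["value"] for g in payload["groups"]}
        return desired - current, current - desired

    def put_user(self, payload):
        """SCIM PUT semantics: target membership becomes exactly the desired set."""
        if SCIM_USER not in payload["schemas"]:
            raise ValueError("unexpected SCIM schema")
        self.users[payload["userName"]] = {
            "active": payload["active"],
            "groups": {g["value"] for g in payload["groups"]},
        }


def access_report(vault):
    """Auditor view: each privileged account and the active users who can reach it."""
    report = {}
    for user, rec in vault.users.items():
        if not rec["active"]:
            continue  # leavers keep a record but no effective access
        for group in rec["groups"]:
            for acct in GROUP_TO_ACCOUNTS.get(group, set()):
                report.setdefault(acct, set()).add(user)
    return {acct: sorted(users) for acct, users in sorted(report.items())}


if __name__ == "__main__":
    vault = Vault()
    vault.put_user(scim_user_payload("jan", "Jan Example", ["accounting"]))  # joiner
    moved = scim_user_payload("jan", "Jan Example", ["dba"])                 # mover
    print("role move adds/removes:", vault.diff(moved))
    vault.put_user(moved)
    print("auditor report:", access_report(vault))
    vault.put_user(scim_user_payload("jan", "Jan Example", ["dba"], active=False))  # leaver
    print("after deactivation:", access_report(vault))
```

The joiner/mover/leaver sequence in the `__main__` block is the point: the diff shows exactly which vault groups a role change grants or revokes, and deactivating the identity removes every account from the auditor report without anyone touching the vault by hand.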

Essentially, the SailPoint – BeyondTrust integration provides IT with visibility into all identities and access under one identity governance platform. That makes it easier to detect users with excessive identity-related risk. Meanwhile, management gains the oversight they need to ensure IT is making rational choices that align proper access with business needs.

It’s a double advantage. The privileged access security risk is mitigated, while IT operational efficiency is increased.

Kevin Franks

Marketing Communications Manager
