What is Application Password Management? | BeyondTrust

What is Application Password Management (APM)?

Application Password Management (also called application-to-application password management) refers to the practice of identifying, controlling, and securely storing application credentials.

Application-to-application password management solutions are designed to automate the identification, security, and distribution of application passwords and credentials in an auditable fashion. In turn, this approach reduces the risk of a breach where an exposed application password is used, either to gain access to sensitive information or to move further into the network. Application password management tools relieve the manual burden of managing application passwords, approving credential requests, and other tasks subject to human error or negligence.

Privileged credentials are typically required for authentication in application-to-application (A2A) and application-to-database (A2D) communications and access requests. These requests typically occur autonomously, with no human in the loop: the application requests (calls for) credentials to log in, and the controlling application, database, or server authenticates the request and grants the credential if the defined requirements are satisfied.

What are the Risks of Unmanaged Application Passwords?

Lack of Visibility into Existing Credentials

Application credentials are a type of non-human (machine) credential. Because they are often not directly associated with a user, they can be difficult to track.

Hard-Coding

Hard-coding, or plain text storage, refers to the practice of storing credentials and passwords in source code as plain text. These embedded secrets are easily accessible once discovered by a malicious party, and often exist beyond the scope of the IT and security team’s visibility.

Default Credentials

Many applications and systems are deployed with default credentials embedded in their accounts. Within DevOps toolchains, secrets, scripts, test servers, and production builds may also have credentials embedded. These types of non-human privileged credentials and secrets are also frequently stored in plain text, often within a script, source code, or a file.

Third Party Accounts

Vendors, contractors, and other third-party accounts may retain privileged access to application accounts beyond the scope of their engagement. These credentials have a higher chance of being hard-coded or stored in plain text and may exist outside the scope of an organization's password management tools.

What are the Benefits of Application Password Management?

The benefits of an application password management solution typically include:

  1. Centralized and secure application credential storage: Password hardcoding is eliminated. All application credentials are identified and securely vaulted, so credential security best practices can be consistently enforced.

  2. Encryption and authorization protocols: All password requests made by applications are reliably authenticated.

  3. Granular authentication controls: Unique policies can be applied per application or per credential request.

  4. Audit trails: A clean audit trail of session activity is available for compliance and forensics.

Best Practices for Application-to-Application Password Management

Identify Application Credentials

Pinpoint where application accounts, keys, and credentials are being used across your environment to understand where the weakest points in your credential perimeter are. This will help you zero in on the correct course of action.

Tools like the Privileged Account Discovery Application can quickly scan for existing privileged accounts and bring them to your attention.

Utilize an Application Password Manager

Application password manager solutions are designed to automate the entire application password management lifecycle. This includes finding hardcoded or embedded application credentials, eliminating them, and replacing them with an alternative such as API calls to the password manager.

Implement API Calls

Implementing API calls is another useful tactic for controlling the scripts, files, code, and keys that use non-human and machine application credentials: the application retrieves its credential from the password manager at runtime instead of reading an embedded value. This further eliminates the risk of exposing hardcoded or embedded credentials, especially in application-to-application communications.

Dynamic Secrets Generation

Instead of embedding static credentials into accounts, utilize tools and password management solutions that generate dynamic and policy-based credentials automatically on account creation and access.

Risk-Based Password Changes

Passwords can be rotated (changed) based on policies related to the sensitivity of the application and its access. Changes can also be triggered by increased risk factors, such as a potential breach or a vulnerability. The solution can make sure these changes are synchronized wherever the credential is used, to ensure business continuity.

Audit Session Activity

The more integrated and centralized your password management, the more easily you will be able to generate reports on accounts, keys, and systems exposed to risk that are being used in A2A or A2D communications.

Figure 1: An example of an API call replacing hardcoded credentials.
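As an added illustration of the pattern in Figure 1 (example code written for this glossary entry, not BeyondTrust's product or API), the block below shows a minimal in-memory vault: an application authenticates with an app token, the vault enforces a per-application policy, records every request in an audit trail, and hands back the current credential, so rotation never requires touching the application's source. The class and function names, the `orders-app` token and the `db/orders-service` account are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time


class Vault:
    """Minimal in-memory A2A credential vault for this example (not a real product)."""

    def __init__(self):
        self._secrets = {}  # account -> current password
        self._apps = {}     # app_id -> (sha256 of app token, set of allowed accounts)
        self.audit = []     # append-only audit trail of every credential request

    def register_app(self, app_id, allowed):
        """Granular policy: the app may read only the accounts listed in `allowed`."""
        token = secrets.token_urlsafe(32)  # handed to the app out of band, never in source
        self._apps[app_id] = (hashlib.sha256(token.encode()).hexdigest(), set(allowed))
        return token

    def rotate(self, account):
        """Onboard or rotate an account; the next API call returns the new value."""
        self._secrets[account] = secrets.token_urlsafe(24)
        return self._secrets[account]

    def get_credential(self, app_id, token, account):
        """The authenticated API call that replaces a hardcoded password."""
        entry = self._apps.get(app_id)
        authentic = entry is not None and hmac.compare_digest(
            entry[0], hashlib.sha256(token.encode()).hexdigest())
        granted = authentic and account in entry[1] and account in self._secrets
        # Every request, granted or denied, is recorded for compliance and forensics.
        self.audit.append({"ts": time.time(), "app": app_id,
                           "account": account, "granted": granted})
        if not granted:
            raise PermissionError(f"{app_id} may not read {account}")
        return self._secrets[account]


# Before (the pattern the article warns against), kept here as a comment only:
#   DB_PASSWORD = "hardcoded-example-password"   # plaintext in source, outside IT's visibility

# After: the application authenticates to the vault and fetches the credential at runtime.
def connect_to_database(vault, app_id, token):
    password = vault.get_credential(app_id, token, "db/orders-service")
    return len(password) > 0  # stand-in for opening the real connection with `password`
```

A real deployment would also encrypt the vault's storage and transport and bind the app token to the calling host or workload identity; those parts are omitted to keep the example short.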

Privileged Password Management & Privileged Access Management

Application password management (APM) or application-to-application password manager tools are one component of Privileged Password Management (PPM). While some limited application password management capabilities may be available in standalone tools, more complete capabilities are typically offered as part of enterprise privileged password management products.

Privileged password management is the secure storing, sharing, creating, and handling of privileged passwords. Ideally, a privileged credential management strategy automates privileged account and credential discovery, onboarding, access control, centralized protection and storage, rotation, alerting, reporting, and oversight of all the enterprise’s privileged credentials—human, machine/application, employee, and vendor—across the organization.

Privileged password management itself is one of the core pillars of Privileged Access Management (PAM). Privileged access management consists of the cybersecurity strategies and technologies for exerting control over privileged access and permissions for users, accounts, processes, and systems across an IT environment.