About password management
Understanding PPM, PUPM and SAPM...
Password management falls into the broad category of Identity & Access Management (IAM). The need to manage the passwords of privileged user accounts comes from the unique challenges these accounts present compared with isolated privilege accounts, as shown in the following table.
Different types of accounts requiring password management

| Isolated Privilege | Elevated Privilege | Elevated Privilege |
|---|---|---|
| End user accounts (attended) | Administrator accounts (attended) | Application-to-application accounts (unattended) |
PPM, PUPM and SAPM — Managing administrator and application password accounts
The market terms Privileged Password Management (PPM), Privileged User Password Management (PUPM) and Shared/Service Account Password Management (SAPM) all refer to managing the elevated privilege accounts shown in the middle and right columns of the table.
To date, most IAM projects in business and government IT departments have focused on managing the isolated privilege accounts of human end-users. There are many available solutions to this problem, such as single sign-on (SSO). Cloakware does not focus on this particular segment of the IAM market but rather complements it by enabling organizations to begin managing their elevated privilege accounts.
Elevated privilege account management (CIO Online, February 4, 2009)
Most organizations are only now discovering and trying to resolve the unique challenges of managing elevated privilege account passwords. Increasingly strict audit and compliance requirements drive the need. Meeting the requirements is tough and requires new solutions. Cloakware delivers these solutions to some of the largest IT operations in the world.
To learn more about how Cloakware can help you meet specific GRC regulations, visit our Resource Center for white papers, podcasts and more.
One challenge relates to managing attended administrator accounts. These are the accounts that human administrators use to install, configure and maintain servers, databases, storage networks, enterprise applications, mainframes, network gear and so on across datacenter operations. The challenge is that human administrators often share their account IDs and passwords to simplify password management. The resulting security and accountability gaps fail audit.
Unattended accounts pose a larger password management problem
Most IT organizations first tackle managing attended administrator accounts. However, a second, and much larger, challenge relates to managing unattended privileged accounts. These are the accounts that applications and scripts use to access other applications in the datacenter. The challenge is that application-to-application (A2A) passwords are known by developers and are often hard-coded in the clear into scripts and applications, where any employee or contract developer can view them. Since changing these passwords requires rewriting and redeploying code, they are rarely, if ever, changed. Again, the resulting security and accountability gaps fail audit and create audit exceptions.
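The A2A problem described above, as an added example that is not part of the original page or of Cloakware's product: a service-account password hard-coded in a script beside one fetched at run time from a managed store, so that rotation works without touching or redeploying the calling code. `TargetSystem`, `CredentialStore`, the account names and the sample password are all constructed for the illustration.

```python
import secrets

class TargetSystem:
    """Constructed stand-in for a database server that A2A callers log in to."""
    def __init__(self):
        self.passwords = {}  # account -> current password

    def set_password(self, account, password):
        self.passwords[account] = password

    def login(self, account, password):
        return secrets.compare_digest(self.passwords.get(account, ""), password)

class CredentialStore:
    """Hypothetical managed store (not Cloakware's product): one entry per (calling
    app, target account). Rotation pushes a fresh random password to the target."""
    def __init__(self, target):
        self.target = target
        self.entries = {}  # (caller, account) -> current password

    def enroll(self, caller, account, current_password):
        # Bring an existing account under management without changing it yet.
        self.entries[(caller, account)] = current_password

    def rotate(self, caller, account):
        new_password = secrets.token_urlsafe(24)
        self.target.set_password(account, new_password)
        self.entries[(caller, account)] = new_password

    def fetch(self, caller, account):
        return self.entries[(caller, account)]

# Anti-pattern from the text: the password sits in the script in the clear.
BILLING_DB_PASSWORD = "Summer2009!"  # constructed sample value

def billing_job_hardcoded(target):
    return target.login("billing_svc", BILLING_DB_PASSWORD)

def billing_job_managed(target, store):
    # Managed pattern: fetch at run time; nothing secret is embedded in the code.
    return target.login("billing_svc", store.fetch("billing_job", "billing_svc"))

def demo():
    # Returns (hardcoded_ok, managed_ok) before rotation and again after it.
    target = TargetSystem()
    target.set_password("billing_svc", BILLING_DB_PASSWORD)
    store = CredentialStore(target)
    store.enroll("billing_job", "billing_svc", BILLING_DB_PASSWORD)
    before = (billing_job_hardcoded(target), billing_job_managed(target, store))
    store.rotate("billing_job", "billing_svc")  # e.g. a scheduled 30-day rotation
    after = (billing_job_hardcoded(target), billing_job_managed(target, store))
    return before, after
```

After the rotation the hard-coded job fails until someone edits and redeploys the script, while the managed job keeps working because it never held the password itself.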
The multiplier effect of regulation on password management
Compliance regulations can magnify the scale of the problem of managing privileged passwords. Often there is a requirement that privileged accounts cannot be shared. This multiplies the total number of passwords required: if you have 1000 servers and 30 administrators, you may need 30,000 unique administrator accounts! The same goes for A2A privileged accounts: each application that calls another application needs its own unique, managed account. When you consider how many applications and scripts are in your datacenter, you may be surprised to learn that you have many more A2A accounts to manage than all other types combined.
Additional requirements to update passwords frequently, limit account span of control, and restrict entitlements to the lowest level make it impractical to manage privileged passwords manually—especially A2A passwords.
In fact, managing A2A accounts is usually the biggest password management challenge and therefore the hardest to solve. It requires a highly scalable, reliable, secure and automated solution. Cloakware Password Authority™ is the only enterprise-grade PPM, PUPM or SAPM solution designed from the ground up to solve the thorny A2A problem which is so vital to meeting GRC requirements.
How big is your password management problem?
Consider one of Cloakware's customers in the banking sector who has 4,000 IT administrators and datacenters in London, Hong Kong, New York and Switzerland. The customer identified at least 550,000 privileged accounts across their operations. Of these, about 20% were attended (human administrator) and the rest were unattended (A2A). To manage all of these accounts, Cloakware worked with the customer to implement a unified and centrally controlled password management solution running on over 40 virtual server instances installed at multiple sites.

Whether you have hundreds of thousands of privileged passwords to manage or just a few hundred, you need to justify the ROI. We've built a tool based on customer input to help you calculate the scale and cost of the password management problem in your own datacenter.
- Best Practices Guide to Privileged Password Management
- Attaining FISMA compliance
- Attaining PCI compliance
- Attaining SOX compliance
- Attaining HIPAA compliance
- Attaining FERC compliance

