PPM, PUPM and SAPM — Automating the management of privileged password accounts
Password management falls into the broad category of Identity & Access
Management (IAM). Privileged user accounts need their own password
management because they present challenges that isolated privilege
accounts do not, as the following table shows.
Differences between isolated privilege, elevated privilege administrator accounts and elevated privilege application-to-application accounts

| | Isolated privilege: end-user accounts (attended) | Elevated privilege: administrator accounts (attended) | Elevated privilege: application-to-application accounts (unattended) |
|---|---|---|---|
| Usage | Individual | Shared | Shared |
| Password changes | Monthly | Infrequent | Rare (or none) |
| Reset/renew | Self-reset/renew | Admin reset/renew | No reset/renew |
| Revocation | Admin revocation | Admin revocation | No revocation |
| Where the password is kept | Memorized | In a spreadsheet | Hard-coded |
PPM, PUPM and SAPM — Managing administrator and application password accounts
The market terms Privileged Password Management (PPM), Privileged User
Password Management (PUPM) and Shared/Service Account
Password Management (SAPM) all refer to managing
the elevated privilege accounts shown in the middle and right columns
of the table.
To date, most IAM projects in business and government IT departments
have focused on managing the isolated privilege
accounts of human end-users. There are many available
solutions to this problem, such as single sign-on
(SSO). Cloakware does not focus on this particular
segment of the IAM market but rather complements it by enabling organizations
to begin managing their elevated privilege accounts.
Elevated privilege account management
Most organizations are only now discovering and trying to resolve the
unique challenges of managing elevated privilege accounts. Increasingly
strict audit and compliance requirements drive the need. Meeting the
requirements is tough and requires new solutions. Cloakware delivers
these solutions to some of the largest IT operations in the world.
To learn more about how Cloakware can help you meet specific GRC regulations, visit
our Resource Center for white papers, podcasts
and more.
One challenge relates to attended administrator accounts. These are
the accounts that human administrators use to install,
configure and maintain servers, databases, storage
networks, enterprise applications, mainframes,
network gear and so on across datacenter operations. The
challenge is that human administrators often share
account IDs and passwords to simplify password
management. Once a credential is shared, actions taken with it can no
longer be attributed to one person, and the resulting security and
accountability gaps fail audit.
Unattended accounts pose a larger password management problem
Most IT organizations first tackle managing attended administrator
accounts. A second, and much larger, challenge is managing unattended
privileged accounts: the accounts that applications and scripts use to
access other applications in the datacenter. Application-to-application
(A2A) passwords are known to developers and are often hard-coded in
the clear into scripts and applications, where any employee or contract
developer with access to the source can read them. Because changing such
a password means rewriting and redeploying code, A2A passwords are
rarely, if ever, changed. Again, the resulting security and
accountability gaps fail audit and create audit exceptions.
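As an added example (not Cloakware code, and not the ROI tool mentioned later on this page), the script below shows one way to start inventorying hard-coded A2A credentials of the kind described above: it walks a set of script and configuration files, flags password-like assignments whose value is a literal and credentials embedded in connection strings, and skips values that are already references to an environment variable or a password store. The sample files, key names and reference patterns are all constructed for the demonstration.

```python
"""Added example, not Cloakware's code: inventory hard-coded A2A credentials.

Walks a set of script and configuration files, flags password-like
assignments whose value is a literal, and credentials embedded in
connection strings, while skipping values that are only references to an
environment variable or a password store. Everything below (sample files,
key names, reference patterns) is constructed for the demonstration.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    excerpt: str


# Constructed sample files standing in for scripts found in a datacenter.
SAMPLE_FILES: Dict[str, str] = {
    "backup.sh": (
        "#!/bin/sh\n"
        "DB_USER=svc_backup\n"
        "DB_PASS='Backup#2009'\n"
        "mysqldump -u $DB_USER -p$DB_PASS inventory > /backup/inv.sql\n"
    ),
    "etl.py": (
        "import os\n"
        "JDBC_URL = 'jdbc:oracle:thin:etl_user/etl_secret@dwh01:1521/DWH'\n"
        "api_key = os.environ['PAYMENTS_API_KEY']\n"
        "password = vault.get('svc_etl')\n"
    ),
    "app.properties": (
        "spring.datasource.username=svc_app\n"
        "spring.datasource.password=changeme\n"
        "spring.datasource.url=jdbc:postgresql://db01:5432/app\n"
    ),
    "deploy.env": "SVC_PASSWORD=${SVC_PASSWORD}\n",
}

# "key = value" or "key: value" (optionally after "export") where the key
# names a secret: password, passwd, pass, pwd, secret, api_key, ...
ASSIGNMENT = re.compile(
    r"^\s*(?:export\s+)?(?P<key>[\w.\-]*(?:pass(?:word|wd)?|pwd|secret|api[_-]?key))"
    r"\s*[=:]\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)
# user:password@host or user/password@host inside a URL or JDBC string.
EMBEDDED = re.compile(r"""[:/](?P<user>[^/:@\s'"]+)[/:](?P<pw>[^/:@\s'"]+)@""")
# Values that are lookups rather than literals: $VAR, ${VAR}, %VAR%,
# environment or vault calls. Assumed conventions for this example.
REFERENCE = re.compile(
    r"^(?:\$\{?\w|%\w+%|os\.environ|os\.getenv|getenv\(|vault\.|\w+\.get\()",
    re.IGNORECASE,
)


def scan(files: Dict[str, str]) -> List[Finding]:
    """Return one Finding per line that carries a literal credential."""
    findings: List[Finding] = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue  # blank line or comment
            m = ASSIGNMENT.match(line)
            if m:
                value = m.group("value").strip("'\"")
                if REFERENCE.match(value):
                    continue  # already externalised; nothing to fix here
                findings.append(Finding(path, line_no, "hard-coded assignment",
                                        f"{m.group('key')}=<redacted>"))
                continue
            e = EMBEDDED.search(line)
            if e:
                findings.append(Finding(path, line_no, "credential in connection string",
                                        f"{e.group('user')}:<redacted>@"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, the figure a rotation project starts from."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line_no}: {f.kind} ({f.excerpt})")
    print(summarize(results))
```

On the constructed input the scanner reports three lines (the shell variable, the Oracle JDBC string and the Spring property) and ignores the two environment-variable references and the vault lookup; the excerpt never echoes the secret itself, so the report can be shared with auditors. Source scanning only finds what lives in code you can read; the accounts themselves still have to be enumerated on the target systems.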
The multiplier effect of regulation on password management
Compliance regulations can magnify the scale of the problem of managing
privileged passwords. Often there is a requirement
that privileged accounts cannot be shared. That multiplies
the total number of passwords required: with 1000 servers and 30
administrators, one account per administrator per server means
30,000 unique administrator accounts. The same goes for A2A privileged
accounts: each application that calls another application needs its own
unique, managed account. When you consider how many applications and
scripts are in your datacenter, you may find that you have more A2A
accounts to manage than all other types combined.
Additional requirements to update passwords frequently, limit account
span of control, and restrict entitlements to the lowest level make
it impractical to manage privileged passwords manually—especially
A2A passwords.
In fact, managing A2A accounts is usually the biggest, and the hardest,
password management challenge. It
requires a highly scalable, reliable, secure and automated solution.
Cloakware Password Authority™ is
the only enterprise-grade PPM, PUPM or SAPM solution
designed from the ground up to solve the A2A problem, which is
central to meeting GRC requirements.
How big is your password management problem?
Consider one of Cloakware's customers in the banking sector who has
4,000 IT administrators and datacenters in London, Hong Kong, New York
and Switzerland. The customer identified at least 550,000 privileged
accounts across their operations. Of these, about 20% were attended
(human administrator) and the rest were unattended (A2A). To manage
all of these accounts, Cloakware worked with the customer to implement
a unified and centrally-controlled password management solution running
on over 40 virtual server instances installed at multiple sites.
Whether you have hundreds of thousands of privileged
passwords to manage or just a few hundred, you need to justify the ROI.
We've built a tool based on customer input to help you calculate the
scale and cost of the password management problem in your own datacenter.