The Importance of Password Vaulting in IAM & PAM
In the previous article, Part 1 – Access Control, controlling access was presented as the first step in setting up a successful Privileged Access Management (PAM) program. Many people see Password Vaulting as the first step in a PAM program, but controlling access reduces the most organizational risk the fastest. Password Vaulting is the next step on the maturity curve because it too can significantly reduce organizational risk. As with phase 1, the Password Vaulting phase of a PAM program's maturity often overlaps with functionality provided by Identity Access Management (IAM), also known as Identity Governance Administration (IDG), tools.
Most systems have accounts that are not owned by individuals: service accounts, built-in accounts and other accounts that are not tied to a single person. These accounts have their passwords set to strong values that no person knows, and those values are stored in a digital vault. Policy can require very complex passwords for these accounts and force them to be changed at a higher frequency.
Accounts stored in the vault are the most sensitive accounts in an organization. Regulatory compliance, a good security posture and best practice all require that their passwords are known to no one. PAM tooling sets these passwords to very complex values and stores them encrypted. When an account is needed, a workflow enforces the proper controls; all usage is audited and logged, and afterwards the password is changed again.
By combining the access control portion of stage 1 with these vaulting capabilities, we can allow the use of privileged access on systems while using our bastion approach to ensure that all access is keystroke-logged and video-recorded for audit purposes. The same role and request examples from earlier are applied to check out the credential for use and to gain access to the management applications for the servers.
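The lifecycle described above, as an added example that is not code from the article or from any PAM product: a toy vault that generates passwords against a complexity policy, stores them encrypted, releases them only through an approved check-out, logs every event, and rotates the password after each use and again on a schedule. The policy values, account and user names, and the storage cipher (an HMAC-SHA256 keystream with an encrypt-then-MAC tag, standing in for the AES-GCM or HSM-backed encryption a real vault would use) are all assumptions of this example.

```python
"""Toy credential vault: generated passwords, encrypted storage, approved
check-out, audit log, rotation after use and on schedule. Added example."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Constructed policy values (assumptions, not taken from the article).
MIN_LENGTH = 32
ROTATION_INTERVAL = timedelta(days=7)
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*-_=+"]


def meets_policy(pw: str) -> bool:
    """Complexity rule: minimum length and at least one character from every class."""
    return len(pw) >= MIN_LENGTH and all(any(c in cls for c in pw) for cls in CLASSES)


def generate_password(length: int = MIN_LENGTH) -> str:
    """CSPRNG-generated password; resample until the complexity rule holds."""
    alphabet = "".join(CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(pw):
            return pw


# Storage encryption. HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag stands
# in for the AES-GCM / HSM-backed cipher a real vault uses (assumption of this example).
def _subkey(master: bytes, label: bytes) -> bytes:
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def seal(master: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(master: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time tag check before decrypting
        raise ValueError("vault record failed integrity check")
    ks = _keystream(_subkey(master, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


@dataclass
class Record:
    sealed: bytes
    rotated_at: datetime
    checked_out_by: Optional[str] = None


class Vault:
    def __init__(self, master_key: bytes, clock: Callable[[], datetime]):
        self._key = master_key
        self._clock = clock           # injectable so scheduled rotation can be tested
        self._records: dict = {}
        self.audit: list = []         # every event is logged; the secret itself never is

    def _log(self, event: str, account: str, actor: str, **extra) -> None:
        self.audit.append({"at": self._clock().isoformat(), "event": event,
                           "account": account, "actor": actor, **extra})

    def _rotate(self, account: str, event: str) -> None:
        self._records[account] = Record(seal(self._key, generate_password().encode()), self._clock())
        self._log(event, account, "system")

    def onboard(self, account: str) -> None:
        self._rotate(account, "onboard")

    def checkout(self, account: str, requester: str, approver: str) -> str:
        """Workflow gate: an approver other than the requester, and one holder at a time."""
        rec = self._records[account]
        if requester == approver:
            raise PermissionError("requester may not approve their own check-out")
        if rec.checked_out_by is not None:
            raise PermissionError(f"{account} is already checked out")
        rec.checked_out_by = requester
        self._log("checkout", account, requester, approver=approver)
        return unseal(self._key, rec.sealed).decode()

    def checkin(self, account: str, requester: str) -> None:
        rec = self._records[account]
        if rec.checked_out_by != requester:
            raise PermissionError("only the current holder can check in")
        rec.checked_out_by = None
        self._log("checkin", account, requester)
        self._rotate(account, "rotate_after_use")   # a person saw it, so it is no longer unknown

    def rotate_stale(self) -> list:
        """Scheduled rotation for records past the interval and not currently in use."""
        due = [a for a, r in self._records.items()
               if r.checked_out_by is None and self._clock() - r.rotated_at >= ROTATION_INTERVAL]
        for account in due:
            self._rotate(account, "rotate_scheduled")
        return due


def demo() -> dict:
    """Walk one constructed account through onboarding, two check-outs and a scheduled rotation."""
    clock = {"now": datetime(2024, 1, 1, tzinfo=timezone.utc)}
    vault = Vault(secrets.token_bytes(32), lambda: clock["now"])
    vault.onboard("svc-backup")
    first = vault.checkout("svc-backup", "alice", "bob")
    vault.checkin("svc-backup", "alice")
    second = vault.checkout("svc-backup", "alice", "bob")
    vault.checkin("svc-backup", "alice")
    clock["now"] += timedelta(days=8)
    return {"first": first, "second": second, "rotated": vault.rotate_stale(),
            "events": [e["event"] for e in vault.audit]}
```

Run `demo()` to see the audit trail: the second check-out returns a different password from the first because check-in triggered a rotation, and advancing the clock past the interval triggers a scheduled rotation. The audit entries record who requested, who approved and when, but never the password value itself, which is the property an auditor will look for.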