Light Dark
August 21, 2018 By Stefan Köhler 3 min read
Identity & Access

When an IT administrator or other privileged user leaves an organization, the security team must take care to determine which systems he or she could access, and what data, if any, he or she accessed on the way out the door — especially if the outgoing administrator is in any way disgruntled.

But how can organizations gain the visibility they need to monitor their most sensitive accounts and databases? A privileged account management solution is a great place to start.

The IT Administrator Challenge

IT administrators have access to most of the systems, applications and technologies within an organization. This means that they have sufficient privileges to potentially cause harm to the organization by manipulating data, destroying important services or stealing intellectual property.

Since many privileged accounts are shared between several administrators, removing these accounts is not a viable option, and the process of changing passwords for such accounts can be arduous. In addition, it’s difficult for security teams to see exactly how many accounts an outgoing administrator has access to — it could be hundreds. Removing or securing all these credentials manually requires a significant investment in time and resources.

Even if the security team manages to block the outgoing administrator from accessing privileged accounts, it must still determine which accounts were accessed the last time the administrator logged in and what activity he or she conducted while inside the database. To gain this visibility, security teams must invest in either:

  • A centralized monitoring solution that analyzes activity on all systems and applications; or
  • A session-recording solution that records all the administrator’s activities when using privileged accounts.

Although both options require manual activities, they are critical tasks if the organization suspects that an outgoing administrator might conduct harmful activity on the way out.

What Does a Privileged Account Management Solution Do?

Fortunately, there are privileged account management (PAM) solutions available to automate these processes while producing the necessary documentation. This documentation is required by a wide range of compliance regulations, many of which focus explicitly on the management of privileged accounts.

PAM solutions can cover all of the above-mentioned challenges and more. The functionality mostly includes:

  • Secure storage of account credentials, meaning an admin no longer needs to know the credentials;
  • Automatic discovery of administrative accounts;
  • Controlled access to privileged accounts by permitted administrators, including automatic logins;
  • Recording of administrative sessions; and
  • Manual and automatic password rotation for one or all administrator accounts.

How Else Can PAM Help Boost Data Security?

While the main use case of a PAM solution is to allow administrators to securely access privileged accounts, there are additional scenarios where such a tool can be used.

Administrators aren’t the only ones who need access to certain accounts; developers also need test accounts in various systems. Managing these — especially in an DevOps environment — is just as complex as managing shared administrator accounts. A PAM solution can help provide the right developers with the right test accounts at the right time.

In addition, there is another oft-forgotten group of accounts that must have the passwords changed from time to time: technical and application accounts. There is likely not even an overview of all these accounts, and their passwords will almost certainly not be changed periodically, even if regulations require this. The problem is that it is not always clear which application uses this account. A PAM solution provides an overview of all such accounts, discovers the dependent services, changes the password in all places at once and restarts the services in the correct order.

Whether you need to manage administrator access, privileged users or application accounts, a PAM solution can provide the security team with robust protection capabilities to keep data safe from risks associated with outgoing administrators.

Read the e-book: Privileged Account Management for Dummies

 |  |  |  |  |  | 
Stefan Köhler
Client Technical Professional, IBM Security

More from Identity & Access
April 23, 2024

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

April 16, 2024

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

March 5, 2024

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature