Legacy Obstacles to Access Management

The extent to which business still runs on old technology might surprise you. Banks and other fintech companies, for example, still lean heavily on mainframes and other so-called “big iron” infrastructure because of their speed and reliability in handling thousands of transactions per second. Capabilities like that raise the question of whether such technology is really outdated at all. Even so, legacy platforms built for high throughput pose real problems, and many administrators cite integration with legacy systems as a challenge when they plan future work.

Security Should Never be Left to Legacy

While integrating anything with a legacy system can be challenging, the problems are especially acute, and especially important to overcome, when it comes to security. This is true in a general sense, because security is always important, but also more specifically because legacy systems are leaned on so heavily in the fintech and healthcare verticals. Inappropriate or unmanaged privileged access in these cases not only disrupts business but can also severely harm the individuals whose financial and health data are exposed.

Two of the major hurdles IT administrators face with patchwork legacy systems are the multiple access points such systems typically expose and the insufficient privileged access management (PAM) inside them. PAM is intended to ensure that every privileged action is authorized, controlled, and recorded. Customers, contractors, developers, administrators, and executives all need access to IT resources to accomplish their goals, and much of that access is privileged. The access that is granted needs to be both role- and circumstance-dependent: a contractor, for example, may be granted access to work on a server only during a given maintenance window, only from a given network, and only with a limited set of capabilities, with the request denied by default whenever any one of those conditions fails. Without a proper PAM solution, administrators aren’t looking at one potential hole in security; they’re effectively looking at many thousands of holes, each potentially usable to breach the system.
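The contractor scenario above, as an added illustration written for this article (it is not the API of any PAM product): a request is allowed only if a grant exists for the requester’s role and target and every circumstance holds, namely the grant has not expired, the source address is inside the approved network, the time falls inside the approved window, and the requested capability is one the grant lists. Anything else is denied with a reason the audit trail can record. The grant, user, addresses and timestamps are all constructed.

```python
"""Role- and circumstance-dependent privileged access check.

Added illustration; not the API of any PAM product. Deny by default: a request
is allowed only when a grant matches the role and resource AND every
circumstance (expiry, source network, time window, capability) is satisfied.
All grants, users and addresses below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, time, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Grant:
    role: str
    resource: str
    allowed_cidrs: Tuple[str, ...]      # source networks the grant is valid from
    window: Tuple[time, time]            # UTC wall-clock window [start, end)
    capabilities: FrozenSet[str]         # what the session may do
    not_after: datetime                  # hard expiry of the grant itself


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: str
    source_ip: str
    capability: str
    at: datetime                         # timezone-aware


def in_window(t: time, window: Tuple[time, time]) -> bool:
    """True if t falls in [start, end); handles windows that wrap midnight."""
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def evaluate(req: Request, grants) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason). Every condition must hold."""
    src = ip_address(req.source_ip)
    reasons = []
    for g in grants:
        if g.role != req.role or g.resource != req.resource:
            continue
        if req.at > g.not_after:
            reasons.append("grant expired")
        elif not any(src in ip_network(c) for c in g.allowed_cidrs):
            reasons.append(f"source {req.source_ip} outside allowed networks")
        elif not in_window(req.at.astimezone(timezone.utc).time(), g.window):
            reasons.append("outside approved time window")
        elif req.capability not in g.capabilities:
            reasons.append(f"capability {req.capability!r} not granted")
        else:
            return ("allow", f"matched grant for {g.role}@{g.resource}")
    return ("deny", "; ".join(reasons) or "no matching grant")


# Constructed grant: a vendor contractor may touch one gateway, only from the
# vendor VPN egress range (TEST-NET-3), only in the 22:00-02:00 UTC change
# window, only to read logs or restart the batch job, and only until 30 June.
CONTRACTOR_GRANT = Grant(
    role="contractor",
    resource="mainframe-gw-01",
    allowed_cidrs=("203.0.113.0/24",),
    window=(time(22, 0), time(2, 0)),
    capabilities=frozenset({"read_logs", "restart_batch_job"}),
    not_after=datetime(2024, 6, 30, 23, 59, tzinfo=timezone.utc),
)


def run_samples() -> Dict[str, Tuple[str, str]]:
    """Evaluate constructed requests; returns {label: (decision, reason)}."""
    base = dict(user="ctr.alice", role="contractor", resource="mainframe-gw-01",
                source_ip="203.0.113.7", capability="read_logs",
                at=datetime(2024, 6, 10, 23, 15, tzinfo=timezone.utc))
    cases = {
        "in_window_from_vpn": {},
        "wrong_network": {"source_ip": "198.51.100.9"},
        "office_hours": {"at": datetime(2024, 6, 10, 14, 0, tzinfo=timezone.utc)},
        "capability_not_granted": {"capability": "dump_customer_table"},
        "after_expiry": {"at": datetime(2024, 7, 1, 23, 15, tzinfo=timezone.utc)},
        "no_grant_for_role": {"role": "developer"},
    }
    return {label: evaluate(Request(**{**base, **override}), [CONTRACTOR_GRANT])
            for label, override in cases.items()}


if __name__ == "__main__":
    for label, (decision, reason) in run_samples().items():
        print(f"{label:24s} {decision:5s} {reason}")
```

Only the first case is allowed; each of the others fails exactly one condition and the reason string says which, which is what an analyst needs when the denial shows up in the session audit trail.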

PAM Components for Concurrency and Efficiency

Because of the scale of the problem, what’s needed is a PAM approach that can work concurrently across both legacy and newer systems and do so efficiently. To achieve the concurrency and efficiency required, an enterprise-grade PAM solution must have three key components:

  • A real-time session manager
  • A consolidated password and SSH key manager
  • Centralized access management capabilities

Session Management: Fast, Appropriate, Auditable

The session manager, the first piece of the PAM puzzle, needs to give security teams a real-time view of privileged user activity, which is at the heart of making sure that people are actually using the system to carry out legitimate and appropriate tasks. It also needs to provide real-time insight and alerts on access that is not appropriate, together with the capability to automatically terminate sessions in which unauthorized actions are attempted. Alerting alone is not enough: a session that keeps running after a violation is detected has already done its damage by the time an analyst reads the alert.

Aside from its real-time capabilities, a strong session manager should also provide an audit trail of session history, an important function both for later security analysis and for compliance with the regulations that govern fintech and other verticals. The trail should be append-only, record the decision taken for each action as well as the action itself, and be stored outside the monitored system so that a compromised host cannot erase its own history. Finally, the session manager must interoperate with a wide variety of other systems and software in order to function properly across today’s complicated IT infrastructures.
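The real-time monitoring, automatic termination and audit trail described in the two paragraphs above, as one added illustration written for this article (not the code of any session-management product). The monitor consumes session events one line at a time, checks every command against the user’s grant, raises an alert and marks the session for termination on the first violation, and records every event and decision in an append-only trail. The log format, the grant table and all sample lines are constructed for the example; a real deployment would receive events from the gateway or jump host that proxies the privileged session.

```python
"""Streaming privileged-session monitor with alerting, termination and audit.

Added illustration; not the code of any PAM product. Event format (constructed):
    <ISO-8601 UTC>|<session id>|<user>|<event>|<detail>
Events: start, cmd (detail = command line), end.
"""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed grant table: user -> executables (argv[0]) the session may run.
ALLOWED_COMMANDS = {
    "ctr.alice": {"tail", "grep", "systemctl"},
    "ops.bob": {"tail", "grep", "systemctl", "journalctl"},
}
# Privilege-changing executables: never allowed inside a brokered session.
ESCALATION_COMMANDS = {"su", "sudo", "passwd", "usermod"}

# Constructed sample: a contractor reads a log, then reaches for /etc/shadow.
SAMPLE_LOG = """\
2024-06-10T23:01:02Z|s-101|ctr.alice|start|src=203.0.113.7 target=mainframe-gw-01
2024-06-10T23:01:10Z|s-101|ctr.alice|cmd|tail -n 200 /var/log/batch/nightly.log
2024-06-10T23:02:40Z|s-101|ctr.alice|cmd|cat /etc/shadow
2024-06-10T23:02:41Z|s-101|ctr.alice|cmd|scp /etc/shadow 198.51.100.9:/tmp/
2024-06-10T23:05:00Z|s-102|ops.bob|start|src=10.20.0.5 target=mainframe-gw-01
2024-06-10T23:05:12Z|s-102|ops.bob|cmd|journalctl -u batchd --since -1h
2024-06-10T23:06:00Z|s-102|ops.bob|end|exit=0
"""


@dataclass
class Session:
    user: str
    terminated: bool = False
    commands_allowed: int = 0


@dataclass
class Monitor:
    sessions: Dict[str, Session] = field(default_factory=dict)
    alerts: List[dict] = field(default_factory=list)
    audit: List[dict] = field(default_factory=list)   # append-only trail

    def process(self, line: str) -> None:
        ts, sid, user, event, detail = line.rstrip("\n").split("|", 4)
        sess = self.sessions.setdefault(sid, Session(user))
        if event == "cmd":
            decision = self._check_command(ts, sid, sess, detail)
        elif event == "end":
            decision = "closed"
        else:
            decision = "recorded"
        self.audit.append({"ts": ts, "session": sid, "user": user,
                           "event": event, "detail": detail, "decision": decision})

    def _check_command(self, ts: str, sid: str, sess: Session, cmdline: str) -> str:
        if sess.terminated:
            # The gateway should already have dropped the connection; anything
            # that still arrives is evidence the kill did not take effect.
            self._alert(ts, sid, "critical", f"activity after termination: {cmdline}")
            return "denied"
        try:
            argv0 = shlex.split(cmdline)[0]
        except (ValueError, IndexError):
            argv0 = ""
        if argv0 in ALLOWED_COMMANDS.get(sess.user, set()) and argv0 not in ESCALATION_COMMANDS:
            sess.commands_allowed += 1
            return "allowed"
        severity = "critical" if argv0 in ESCALATION_COMMANDS else "high"
        self._alert(ts, sid, severity,
                    f"{argv0 or '<unparseable>'} not in grant for {sess.user}: {cmdline}")
        sess.terminated = True          # the enforcement point kills the session here
        return "terminate"

    def _alert(self, ts: str, sid: str, severity: str, msg: str) -> None:
        self.alerts.append({"ts": ts, "session": sid, "severity": severity, "msg": msg})


def run_sample() -> Monitor:
    """Feed the constructed log through the monitor and return it for inspection."""
    m = Monitor()
    for line in SAMPLE_LOG.splitlines():
        m.process(line)
    return m


if __name__ == "__main__":
    m = run_sample()
    for a in m.alerts:
        print(f"ALERT [{a['severity']}] {a['ts']} {a['session']}: {a['msg']}")
    for e in m.audit:
        print(f"{e['ts']} {e['session']} {e['event']:6s} {e['decision']:9s} {e['detail']}")
```

On the sample, s-101 is terminated at the `cat /etc/shadow` line, and the `scp` that follows is logged as denied with a critical alert, since a command arriving after termination means the gateway failed to cut the connection. s-102 runs to completion with no alert. The `ESCALATION_COMMANDS` set is checked before the per-user allowlist so that an over-generous grant can never authorize `su` or `sudo` through the broker.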

The Only Good Password is a Fresh Password

The password and SSH key manager must likewise interoperate with a variety of systems. To ease the workload of the IT security team while increasing system security, the PAM system should also support scheduled, automatic password and key rotation. Rotating passwords and keys is a best practice for anyone, because it bounds the window in which a stolen credential remains usable, whether that credential was exfiltrated and published by attackers or is simply an old key that a former contractor or insider tries to reuse outside authorized hours or tasks. Two caveats matter in practice. Rotation only helps if the old credential is actually revoked everywhere it was accepted; a new SSH key does nothing while the old public key still sits in an authorized_keys file. And rotation must be staged so that the replacement is in place before the old credential is withdrawn; otherwise scheduled jobs fail at the moment of rotation and the team learns to disable the schedule.
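The rotation job sketched above, as an added illustration written for this article (not the code of any PAM product). It decides what is due from each credential’s age, regenerates passwords from the OS CSPRNG, installs a replacement SSH public key while keeping the old one accepted only for a fixed overlap, and renders the authorized_keys text so that the retired key disappears once the overlap ends. The replacement public key is assumed to be generated out of band (for example with ssh-keygen) and handed in; the credential inventory, key lines and timestamps are all constructed.

```python
"""Scheduled credential rotation with overlap and explicit revocation.

Added illustration; not the code of any PAM product. Three things a rotation
job must get right: decide what is due from credential age, install the
replacement before withdrawing the old secret, and actually drop the retired
key from authorized_keys once the overlap ends. The new SSH public key is
assumed to come from an out-of-band generator (e.g. ssh-keygen); every record
and key line below is constructed.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class Credential:
    name: str
    kind: str                          # "password" or "ssh_key"
    last_rotated: datetime
    max_age: timedelta
    current: str                       # password value or authorized_keys line
    retiring: Optional[str] = None     # previous key, accepted only during overlap
    retiring_until: Optional[datetime] = None


def is_due(cred: Credential, now: datetime) -> bool:
    return now - cred.last_rotated >= cred.max_age


def rotate_password(cred: Credential, now: datetime) -> str:
    """Replace the stored password with a fresh CSPRNG value (43 URL-safe chars)."""
    cred.current = secrets.token_urlsafe(32)
    cred.last_rotated = now
    return cred.current


def rotate_ssh_key(cred: Credential, new_pubkey_line: str, now: datetime,
                   overlap: timedelta = timedelta(hours=24)) -> None:
    """Install the new key first; keep the old one only until the overlap ends."""
    cred.retiring = cred.current
    cred.retiring_until = now + overlap
    cred.current = new_pubkey_line
    cred.last_rotated = now


def render_authorized_keys(creds: List[Credential], now: datetime) -> str:
    """Current keys plus retiring keys still inside their overlap; nothing else."""
    lines = []
    for c in creds:
        if c.kind != "ssh_key":
            continue
        lines.append(c.current)
        if c.retiring and c.retiring_until and now < c.retiring_until:
            lines.append(c.retiring)
    return "".join(line + "\n" for line in lines)


def run_sample() -> Dict[str, object]:
    """Run one scheduled pass over a constructed inventory and report the outcome."""
    now = datetime(2024, 6, 10, 3, 0, tzinfo=timezone.utc)
    inventory = [
        Credential("batch-db-password", "password", now - timedelta(days=100),
                   timedelta(days=90), "Constructed-Old-Password-1"),
        Credential("batch-deploy-key", "ssh_key", now - timedelta(days=400),
                   timedelta(days=365),
                   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEYCONSTRUCTED batch@old"),
        Credential("monitoring-token", "password", now - timedelta(days=10),
                   timedelta(days=90), "Constructed-Recent-Token"),
    ]
    rotated, new_password = [], None
    for cred in inventory:
        if not is_due(cred, now):
            continue
        if cred.kind == "password":
            new_password = rotate_password(cred, now)
        else:
            # Replacement public key generated out of band; constructed here.
            rotate_ssh_key(cred, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEWKEYCONSTRUCTED "
                                 "batch@2024-06", now)
        rotated.append(cred.name)
    return {
        "rotated": rotated,
        "new_password": new_password,
        "keys_now": render_authorized_keys(inventory, now),
        "keys_after_overlap": render_authorized_keys(inventory, now + timedelta(hours=25)),
    }


if __name__ == "__main__":
    result = run_sample()
    print("rotated:", result["rotated"])
    print("authorized_keys during overlap:\n" + result["keys_now"])
    print("authorized_keys after overlap:\n" + result["keys_after_overlap"])
```

The pass rotates the two credentials past their maximum age and leaves the ten-day-old token alone. During the 24-hour overlap both deploy keys are present, so a job that started under the old key finishes; a render after the overlap contains only the new key, which is the revocation step the prose above warns is easy to skip. On hosts running OpenSSH, the `expiry-time="..."` authorized_keys option can enforce the same cut-off in sshd itself as a backstop.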

PAM Systems are Either Manageable or Useless

Of course, in order to truly leverage powerful session and password managers, it’s important – especially at enterprise scale – that the IT team have centralized access management capabilities that pull everything together. Without those kinds of capabilities, the management of large-scale IT systems would be untenable – and especially so when talking about the large, blended legacy-and-modern systems commonly seen in enterprise architecture.

To that end, the centralized management capabilities must work within a multi-tenant architecture and be customizable enough to work with, and across, all existing systems. If those capabilities are not present, the IT workload skyrockets, which often means that important work is left undone simply because of the volume of tasks, or that existing controls are worked around to ease the workload. A strong PAM solution that actually streamlines access management workflows and eases the work of security teams is a solution that will be used rather than circumvented, and one that will materially improve security.

The takeaway from all of this should be that the problems of properly implementing and managing access in large, mixed legacy-and-modern systems can seem intractable, but they are not impossible to overcome. A leading PAM solution will have all of the components required to help ensure security even across patchwork systems, but it will only be of use if it affords IT teams capabilities that lead to manageable workloads.