Enterprise Password Vaults are NOT ENOUGH. You need Session Management
Password vaults are an important part of locking down your privileged accounts. However, they are not sufficient for ensuring either the security or the auditability of those privileged accounts. While password vaults prevent direct root access to your devices, applications, and systems… password vaults by themselves provide neither visibility into nor control over privileged user actions. That requires robust session management.
Shared Credentials Create Nightmares
We all know that we shouldn’t share credentials with coworkers or contractors. But the practice is rife. A study last year concluded that even IT bosses couldn’t help themselves… nearly 60% of US IT decision-makers share access credentials with other employees at least fairly often and 52% also shared credentials with contractors.
The total lack of accountability this creates is one problem… and the fact that over half of those respondents reported that it would be easy for a former employee to log in with old passwords is yet another.
Many, if not most, of the recent high-profile data breaches from Snowden to Vodafone have been enabled by compromised passwords.
The pervasiveness of privileged credential-sharing means that security administrators must assume that credentials are being shared unless they can actively prove otherwise.
Indeed, one of the first things many of our clients see upon installing our PAM solution is that not only are their contractors sharing their passwords amongst themselves… but they are also sharing those credentials with sub-contractors and sub-sub-contractors of whom the original company had no knowledge – or legal relationship with. The security and compliance implications of these kinds of situations are obviously severe.
Phishing for Passwords
Of course not every “shared” password was voluntarily handed over. Sophisticated spear phishing campaigns have harvested critical passwords including those in the Anthem breach as well as the recent DNC breach.
Those Passwords Could be Anywhere
Combine standard insider risks, the prevalence of password sharing, and the very real risk of malicious theft… and your secure passwords aren’t as secure as you might like.
In all, Forrester recently estimated that 80% of all data breaches involve privileged credentials!
We can see that even with the best password vault, organizations still need to control what can happen with those credentials as well as creating an unimpeachable audit trail. That’s where session management comes into play.
Not only does a robust session management system create accountability, auditability, and control… but the very fact that these measures are in place improves compliance because users know that their actions are being monitored.
Here’s what you need in a good session management solution:
Real-time monitoring and alerting
Security teams and administrators need to be able to monitor privileged user sessions, be alerted when suspicious activity occurs, and immediately terminate any sessions if needed.
Real-time control systems
A good session management solution goes beyond manual monitoring and mitigation. Security teams should be able to block forbidden actions for each privileged user account and create rules to automatically trigger alerts or terminate user access.
RDP / SSH Access control
It’s imperative that access control is maintained through native RDP / SSH tools. This control is ideally structured around a series of rules defined according to specific criteria such as e-mail, log-in, IP address, authorized time frames, type of session (interactive, file transfer, clipboard etc.), protocol, etc.
Compliance and audit systems
A primary function of any session management system is to provide an unalterable and unimpeachable audit trail of every action taken. This is required both for incident response and to prove regulatory compliance. A good system will provide a DVR-like recording that captures everything on the screen from mouse movements to text commands. It’s critical that the session manager include an optical character recognition (OCR) system so that every action is completely searchable—as well as available to real-time systems such as security information and event management (SIEM).
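To make the access-control, real-time-control and audit requirements above concrete, here is an added example (written for this page, not WALLIX product code) of a small session-management policy engine. It authorizes a privileged session request against rule criteria of the kind listed above (login, source IP range, protocol, session type, authorized time window, target), screens each typed command line against a forbidden-action policy that either raises an alert or terminates the session, and records every decision in a hash-chained audit trail so that an edit to any earlier record breaks verification. All logins, networks, targets, rule values and command lines are constructed for illustration.

```python
"""Toy privileged-session policy engine and tamper-evident audit trail.

Added example, not the page's or WALLIX's code. Every rule value, user,
network, target and command line below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
import hashlib
import json
import re


@dataclass(frozen=True)
class SessionRequest:
    login: str
    source_ip: str
    protocol: str        # "SSH" or "RDP"
    session_type: str    # "interactive", "file_transfer", "clipboard"
    started_at: datetime
    target: str


@dataclass(frozen=True)
class AccessRule:
    """One allow rule; every criterion must match for the rule to apply."""
    logins: frozenset
    networks: tuple      # CIDR strings the source IP must fall inside
    protocols: frozenset
    session_types: frozenset
    window: tuple        # (start, end) local times the session may begin in
    targets: frozenset

    def matches(self, req):
        src = ip_address(req.source_ip)
        return (req.login in self.logins
                and any(src in ip_network(n) for n in self.networks)
                and req.protocol in self.protocols
                and req.session_type in self.session_types
                and self.window[0] <= req.started_at.time() < self.window[1]
                and req.target in self.targets)


def authorize(req, rules):
    """Default deny: allowed only if at least one rule matches on all criteria."""
    return any(rule.matches(req) for rule in rules)


# Forbidden-action policy (constructed): pattern -> "alert" or "terminate".
COMMAND_POLICY = [
    (re.compile(r"^\s*rm\s+-rf\s+/(\s|$)"), "terminate"),
    (re.compile(r"\bchmod\s+777\b"), "alert"),
    (re.compile(r"\bhistory\s+-c\b"), "alert"),
]


def screen_command(line):
    """Return the real-time control action for one typed line."""
    for pattern, action in COMMAND_POLICY:
        if pattern.search(line):
            return action
    return "allow"


class AuditTrail:
    """Append-only log where each entry commits to the previous entry's digest."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "body": body, "digest": digest})
        return digest

    def verify(self):
        """Recompute the chain; any edited, removed or reordered entry fails."""
        prev = self.GENESIS
        for entry in self.entries:
            expected = hashlib.sha256((prev + entry["body"]).encode()).hexdigest()
            if entry["prev"] != prev or entry["digest"] != expected:
                return False
            prev = entry["digest"]
        return True


def run_session(req, rules, command_lines, trail):
    """Authorize the request, then screen each line; returns the final status."""
    base = {"login": req.login, "target": req.target,
            "source_ip": req.source_ip, "started_at": req.started_at.isoformat()}
    if not authorize(req, rules):
        trail.append({**base, "decision": "denied"})
        return "denied"
    trail.append({**base, "decision": "allowed"})
    for line in command_lines:
        action = screen_command(line)
        if action != "allow":
            trail.append({**base, "command": line, "action": action})
            if action == "terminate":
                return "terminated"
    return "completed"


# Constructed rule set: jdoe may open SSH sessions to db01 from 10.0.0.0/24
# during 08:00-18:00, interactive or file transfer only.
RULES = [AccessRule(logins=frozenset({"jdoe"}), networks=("10.0.0.0/24",),
                    protocols=frozenset({"SSH"}),
                    session_types=frozenset({"interactive", "file_transfer"}),
                    window=(time(8, 0), time(18, 0)), targets=frozenset({"db01"}))]


def make_request(source_ip="10.0.0.5", hour=10, **overrides):
    fields = dict(login="jdoe", source_ip=source_ip, protocol="SSH",
                  session_type="interactive", target="db01",
                  started_at=datetime(2024, 1, 15, hour, 0))
    fields.update(overrides)
    return SessionRequest(**fields)


def demo():
    """Three constructed sessions: two denied by rules, one cut off mid-session."""
    trail = AuditTrail()
    results = {
        "after_hours": run_session(make_request(hour=22), RULES, [], trail),
        "off_network": run_session(make_request(source_ip="192.168.1.5"), RULES, [], trail),
        "working_day": run_session(make_request(), RULES,
                                   ["ls -la /var/log", "chmod 777 /etc/shadow", "rm -rf /"],
                                   trail),
    }
    return results, trail


if __name__ == "__main__":
    outcome, log = demo()
    print(outcome, "chain intact:", log.verify())
```

The rule evaluation is default deny, which is the property the page asks for: a session that fails any one criterion (wrong hour, wrong source network, wrong protocol) never reaches the target. The audit trail is tamper evident rather than tamper proof; in a real deployment the chain head would be anchored somewhere the session host cannot write to, and the same entries would be forwarded to the SIEM in real time as the page describes.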
Complexity is Not Your Friend
The best privileged access management is the one that gets consistently used. One way to estimate the usage rate your PAM solution will actually achieve is to look at the length and complexity of its deployment process. The longer the deployment, the harder the system will be to maintain, and the lower your likely usage rate.
WALLIX has all of this and more.
The WALLIX Session Manager has a simple agent-less architecture designed for pervasive, sustainable deployment. This agent-less approach mitigates the risk that changes in protected systems will require extensive revamping of the PAM solution. It is not unusual to see customers able to deploy WALLIX in mere hours after fruitlessly wrestling with other solutions for months.
Although the WALLIX Session Manager allows for easy deployment, its sophisticated feature set includes all of the above and can scale with even the largest organizations.
No Need to Rip and Replace.
Many organizations have invested heavily in password vaults and understandably don’t want to abandon that investment. The good news is that the WALLIX Session Manager plays nicely with virtually any password vault, including some of the top solutions on the market.
Many of our enterprise customers in industries such as banking, energy, healthcare, and the public sector have found that they were able to quickly and seamlessly combine their existing enterprise password vaults with WALLIX’s session management to enjoy best-of-breed functionality.
Of course, if you want an integrated password vault, WALLIX has one of those too!
Want to see it in Action?
If you’d like to know more about session management in general or more specifically about how to integrate WALLIX’s solution with your existing password vault, we’d be happy to chat about it, give you a free trial or set up a demo.