Manage five common privileged identity management scenarios

Learn how to implement five common privileged identity management scenarios with IBM Security Privileged Identity Manager

Take a look at this set of common use cases/scenarios based on customers' uses of shared and privileged identities. Then look at the how-to guides for each scenario to learn how IBM® Security Privileged Identity Manager offers controlled sharing and automated logon for privileged identities.

Share:

Ranjan Kumar, Software Developer, IBM

Author Photo: Rajan KumarRanjan Kumar is an architect and software developer on the IBM Security Identity Manager development team in IBM Security Systems.



07 March 2013

Overview

It's important for all enterprises to protect their confidential information from external hackers. It is equally important to protect enterprise resources from insider abuse and negligence, such as using weak or shared passwords. Insider security incidents typically occur because the identities (accounts) and passwords for accessing these resources are not well protected or not protected at all. IBM Security Privileged Identity Manager offers controlled sharing and automated logon for privileged identities. It provides:

  • Centralized administration, secure access, and storage of privileged shared account credentials
  • Role-based access control for shared accounts
  • Life cycle management of shared accounts ownership
  • Ability to change the password on every check in
  • Single sign-on through automated check-out and check-in of shared credentials
  • Auditing of shared credentials access activities
  • Integration with the broader Identity and Access Management Governance portfolio

Five common privileged identity management scenarios

Based on customers' use cases for shared and privileged identities, take a look at this collection of common scenarios and written how-to guides for each scenario. These scenarios are stand-alone and can coexist with each other. The how-to guides use a fictitious organization, JK Enterprises, which deploys a privileged identity management solution to simplify and streamline the access, compliance, management, and governance of the privileged IDs. Each of the scenarios' how-to guides are described below. Each scenario provides a link to a detailed how-to guide that describes the implementation.

Scenario 1: Pool of delegated administrators or help desk users access a credential pool

The how-to guide for Scenario 1 describes how an enterprise with many servers (either in server farms or heterogeneous servers) managed by a group of people (regular employees or contractors) can define a pool of privileged IDs and manage and track the access to these IDs by their system administrators.

Scenario 2: Application administrators request Ad-hoc privileged access

The how-to guide for Scenario 2 explains how application administrators typically have fewer privileges than system administrators. This scenario describes how higher level privileges can be provided to application administrators when needed and how the access can be controlled (through approval), tracked, and audited.

Scenario 3: Administrators need privileged access in emergencies (The "break the glass" scenario)

The how-to guide for Scenario 3 describes how every organization is susceptible to unplanned absences by system administrators. In these emergency situations, another person needs to carry out the privileged administration tasks. This scenario describes how emergency administrator privileges can be assigned, how to track what the emergency administrator did, and how to (manually or automatically) remove their access.

Scenario 4: Applications or cron jobs use a shared privilege ID

In the how-to guide for Scenario 4, get an explanation on how an organization can write secure applications (including scripts and cron jobs) by eliminating the need to hard code a privileged ID and password. Instead, the applications check out a privileged ID when needed and check it in when done.

Scenario 5: Multiple network administrators share a single superuser account on a network device

Finally, in the how-to guide for Scenario 5, learn how network devices like routers, firewalls, switches, and so on, usually have only one administrator ID that is used by many network administrators. This scenario describes how to track which network administrator used which ID, and for how long. This scenario also describes how to periodically send password change reminders for these devices.

Resources

Comments

developerWorks: Sign in

Required fields are indicated with an asterisk (*).


Need an IBM ID?
Forgot your IBM ID?


Forgot your password?
Change your password

By clicking Submit, you agree to the developerWorks terms of use.

 


The first time you sign into developerWorks, a profile is created for you. Information in your profile (your name, country/region, and company name) is displayed to the public and will accompany any content you post, unless you opt to hide your company name. You may update your IBM account at any time.

All information submitted is secure.

Choose your display name



The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerWorks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

Required fields are indicated with an asterisk (*).

(Must be between 3 – 31 characters.)

By clicking Submit, you agree to the developerWorks terms of use.

 


All information submitted is secure.

Dig deeper into Security on developerWorks


static.content.url=http://www.ibm.com/developerworks/js/artrating/
SITE_ID=1
Zone=Security
ArticleID=860636
ArticleTitle=Manage five common privileged identity management scenarios
publish-date=03072013