Manage & Protect Privileged Accounts
01
01
A Pressing
Imperative
A Pressing Imperative
3 min read
Privileged credentials are the targets of choice for cyber attackers.
Privileged credentials are the targets of choice for cyber attackers.
It makes sense for privileged accounts to be the most vulnerable because compromised accounts can grant unfettered access to your organization’s IT infrastructure. That’s why many high-profile breaches have resulted from unmanaged and unmonitored privileged accounts. The attackers responsible often gain administrative control through a single endpoint—and always leave substantial damage in their wake.
Locking out threats with Privileged Access Management
Ensuring your enterprise can appropriately protect, manage and monitor privileged rights mitigates the risk of unwelcome guests to your IT infrastructure.
Privileged Access Management (PAM) is a critical element of a broader Identity Governance & Administration strategy. It enables you to secure passwords, protect endpoints and keep privileged accounts safe and out of the hands of would-be impostors.
By 2022, 70% of organizations will have PAM practices for all use cases in the enterprise, reducing overall risk surface.1
By 2022, 70% of organizations will have PAM practices for all use cases in the enterprise, reducing overall risk surface.1
Putting Privileged Access Management into practice
The latest Gartner survey responses suggest that 90% of organizations will recognize that mitigation of privileged access risk is fundamental to security control by 2022.2 However, 70% of organizations would fail an access controls audit today.3 That means while the vast majority of organizations will come to understand the importance and value of PAM in the near future, they currently lack the PAM software, controls and knowledgeable support required to put it into practice.
IBM delivers comprehensive PAM capabilities through enterprise-grade solutions: IBM Security Verify Privilege Vault and IBM Security Verify Privilege Manager. Backed by expert consultation and 24/7 support, Verify Privilege Vault and IBM Privilege Manager help you capitalize on everything PAM has to offer, while also integrating with identity governance solutions for complete lifecycle management for users of your privileged accounts.
A key part of securing your organization is ensuring you are integrating identity into the broader security ecosystem to mitigate internal and external threats. Two key parts of that are:
- Privileged Access Management – focused on the special requirements for managing powerful accounts within the IT infrastructure of an enterprise.
- Privileged Elevation and Delegation Management (PEDM) - which prevents external threats and stops malware and ransomware from exploiting applications by removing local administrative rights from endpoints.
Let's take a look at why both are necessary for your organization.
02
02
IBM Security Verify Privilege Vault
IBM Security Verify Privilege Vault
5 min read
Easily discover, control, change and audit privileged accounts.
The first step in managing privileged accounts is finding the accounts you don’t know exist. Manual processes and errors can lead to accounts that are unknown and unmanaged by IT. With IBM Security Verify Privilege Vault, you can automatically scan your entire IT infrastructure to discover privileged, shared, and service accounts. This sensitive information is then stored in an encrypted centralized vault to ensure proper protection using advanced encryption standards. Passsword policies can be implemented and enforced on every account. You’ll gain full visibility and control over every privileged account in your environment.
Curb privileged access sprawl
When you discover all privileged accounts across your infrastructure using Verify Privilege Vault, you identify all service, application, administrator and root accounts. This means you gain total visibility and control over privileged credentials that previously went undetected.
Get started with IBM’s free interactive Privileged Account Discovery tool.
Generate, store, rotate and manage SSH Keys
Bring the generation, rotation, control and protection of SSH keys directly into Verify Privilege Vault. SSH Keys are similar to usernames and passwords, but are used for automated processes and for implementing single sign-on by system administrators. With Role-Based Access Control and permission sets, you can control who has access to which sets of keys, regardless of location or IP address.
Monitor and record privileged sessions
Know every keystroke a user takes. IBM Security Verify Privilege Vault enables real-time session monitoring and allows you to terminate a session if risky behavior is detected. It also allows you to record privileged user activity. This provides an audit trail from when the user checks out a secret, to what they did on the system, to when they finally log off. Gain full insight into what’s going on in your most critical accounts.
Change passwords automatically when they expire
Privileged passwords should be changed regularly. Verify Privilege Vault’s built in password changing and expiration schedules ensure that critical passwords are changed automatically, without manual intervention.
Delegate access to all privileged accounts
Maintain accountability and provide better context to approvers, so they know exactly why a user needs access. You can also set up role-based access control (RBAC) and an approval workflow that enables transparent access, time restrictions and other parameters of that access and password approval for third parties.
With IBM Security Verify Privilege Vault you’ll gain full visibility and control over every privileged account.
With IBM Security Verify Privilege Vault you’ll gain full visibility and control over every privileged account.
You’ll know if someone adds backdoor access or makes an unauthorized configuration change.
You can identify who accesses a system, review the actions they take and react accordingly. Session monitoring and recording also gives you a complete audit trail.
Enhanced auditing and reporting
Utilize dozens of out-of-the-box reports for better insight into system health and compliance. You can generate full reports on password vault activity and create custom reports from database queries as needed.
Integrate IBM Security Verify Privilege Vault for enhanced security
IBM Security Verify Privilege Vault integrates seamlessly with critical IBM Security solutions, including IBM Cloud Identity, QRadar®, Guardium® Data Protection and IBM Security Identity Governance & Intelligence.
03
03
Privileged Access Management and Identity Governance
Privileged Access Management and Identity Governance
5 min read
Integrate with identity governance capabilities for continuous user lifecycle management and compliance.
IBM Security Identity Governance and Intelligence (IGI) integrates with IBM Security Verify Privilege Vault for automated lifecycle management. Implementing PAM can’t be treated as a standalone project. It requires automated identity governance capabilities to prevent issues that would otherwise emerge over time: entitlement aggregation; users with an ever-expanding collection of access to privileged accounts as they change roles, jobs and departments; limited visibility into shared passwords; and so on. Integrating Verify Privilege Vault and IGI helps prevent toxic combinations of access through a holistic view across both privileged credentials and normal business user accounts. Verify Privilege Vault securely stores and monitors privileged credentials in an encrypted vault, while IGI ensures that users’ access levels are compliant with regulations and free of SoD violations.
Avoid access combinations that lead to risk
While PAM solutions give you a simple way to know who can access and use privileged accounts, you still need visibility and insight into the unique combination of privileged access each user has. A user with a “toxic” combination of access presents a risk to your organization.
Imagine that one of your users has access to an application that uses a database to store its data. What if that user—unknown to you—also had access to the privileged account necessary to manage the database? They would have the ability to edit the database, thereby circumventing the business and authorization controls of the application. And if the user had privileged credentials to manage the OS, then the auditable trail could be cleared.
Automate recertification campaigns
IBM IGI lets you run certifications to automatically trigger access reviews and gives managers business friendly information to help with the attestation processes, free from cryptic IT jargon that could otherwise result in bulk approvals.
Integrating IGI with Verify Privilege Vault extends certification controls to include privileged users as well as non-privileged business users. You can replace error-prone manual processes with an automated recertification process that makes it easy for approvers to better understand what it is they’re actually approving.
Recertification campaigns will help you prove compliance while maintaining clean, healthy and appropriate access to privileged and non-privileged applications.
The benefits of integration
When you integrate Verify Privilege Vault with IGI, you:
- Avoid entitlement aggregation and ensure continuous access management
- Easily prove compliance through recertification campaigns
- Avoid risks and toxic access combinations through SoD controls across privileged and non-privileged users
04
04
IBM Security Verify Privilege Manager
IBM Security Verify Privilege Manager
5 min read
Remove excess privileges from endpoints and use policy-based controls to block malware attacks.
Remove excess privileges from endpoints and use policy-based controls to block malware attacks.
Least Privilege Policy
Security regulations call for a least privilege policy, which means limiting access to reduce your attack surface. Least privilege requires that every user, application and system account have the minimum access to resources needed to do their job. Many customers, users or applications have admin or root privileges with access to sensitive data/operating systems. Under a least privilege model, administrative accounts with elevated privileges are given only to people who really need them. All others operate as standard users with an appropriate set of privileges.
Regulations like PCI DSS, HIPAA, SOX, and NIST and CIS security controls recommend or require implementing a least privilege model as part of a compliance solution. During an audit, you may have to demonstrate how the principle of least privilege is applied and enforced in your organization to control administrative accounts.
To successfully comply with a least privilege policy, you must know which privileges you need to manage. That means finding out which endpoints and local users have admin or root credentials, identify which apps are in use and if they require admin rights to run and understand your risk level for service accounts and apps with an elevated set of privileges.
Imagine how much damage and risk you will take away if you remove your business users from local admin groups, yet provide them with a way to install approved applications. IBM Verify Privilege Manager helps with just that.
Get started with IBM’s free Least Privilege Discovery Tool and Endpoint Application Discovery Tool.
To successfully comply with a least privilege policy, you must know which privileges you need to manage. Find out which endpoints and local users have admin or root credentials, identify which apps are in use and if they require admin rights to run and understand your risk level for service accounts and apps with an elevated set of privileges.
Secure your largest attack surface with a single agent
IBM Verify Privilege Manager can communicate with hundreds of thousands of machines at once. You can check policies and execute 24/7 control across every device and application under your purview through a single, streamlined dashboard.
You can discover which users and endpoints have local administrative rights, including hidden or hardcoded privileges across domain and non-domain machines, and automatically remove these rights as needed. This helps you control the exact membership of all local groups and users to reduce the risk of backdoor accounts.
Define flexible policies that ensure a frictionless user experience
IBM Verify Privilege Manager automatically elevates the applications and data that users across your organization need—without requiring credentials or forcing users to request IT support. It provides granular policy-based controls that determine and maintain access to trusted applications and processes.
Through advanced real-time threat intelligence, the solution creates allowed/denied lists for your applications according to flexible policies you define.
- Allowed Lists - Trusted applications are allowed and elevated, so users can easily access them without IT support.
- Denied Lists - Applications are denied based on real-time threat intelligence and are blocked from running.
- Graylisting - Potential threats are graylisted, meaning they’re moved to an isolated sandbox environment for further testing.
Additionally, any application can be quarantine and “sandboxed” at any time, as you deem necessary, regardless of its list designation. A quarantined application can be safely executed and tested without risk of exposing system folders or underlying OS configurations.
Easily manage and remove local administrative rights
Determine which accounts are members of any local group, including system administrators. If necessary, you can quickly reset all endpoints to a “clean slate” by removing all local administrative privileges at once.
Boost productivity for users and support staff
Since policy-based controls are enacted on the application level, users can access the trusted applications, systems and data they need without local administrative rights or the hassle of submitting tickets to IT support.
Achieve audit compliance through transparency
Share an easy-to-understand auditable trail of all application policies, administration credentials and privilege elevation activities with auditors. You’ll provide a clear picture of your compliance levels and what actions, if any, should be taken.
05
05
Why IBM for Privileged Access Management
Why IBM for Privileged Access Management
3 min read
Get scalable, enterprise-grade security solutions, backed by unmatched service and support.
Get scalable, enterprise-grade security solutions, backed by unmatched service and support.
When you deploy IBM Security Verify Privilege Vault and IBM Security Verify Privilege Manager across your organization, you unlock the full potential of PAM with solutions that are:
Partner with IBM for incredible service and benefits
- 24/7 access to IBM support
- Unlimited feature set within IBM Security Verify Privilege Vault
- Simple pricing and packaging options
- Quick time-to-value—install in minutes and see value immediately
- Supports large-scale distributed environments from on-premise to cloud environments
- Integration with the IBM Security portfolio
- Access to IBM Security PAM Professional Services
- Access to IBM Security Expert Labs for deployment and configuration
1 Source: The Forrester Wave: Privileged Identity Management, Q4 2018 by Andras Cser, November 14, 2018
2 Source: Best Practices for Privileged Access Managed Through the Four Pillars of PAM, Gartner, January 28, 2019.
3 Source: Comply or Die: 2018 Global State of Privileged Access Management (PAM) Risk & Compliance, Thycotic.