
Business Challenges and Solutions for Password Management

Businesses face many password management challenges. A password management solution is necessary in most corporate environments because users must authenticate to the network securely, and passwords are still the most common authentication mechanism: from a deployment perspective they are the simplest and cheapest technique available.

With this in mind, a poor password management policy can undermine enterprise security and expose the organization to external attack. In organizations with poor password management practices, one or more of the following issues is typically present:

  • Weak, easily guessed or quickly cracked passwords.
  • Passwords that users are not required to change often enough, so that a password captured or cracked once (by brute force, or by an offline attack on a stolen hash) stays valid indefinitely.
  • Passwords that have been written down and can be read by anyone with physical access to the desk.
  • Numerous calls to the Help desk for password resets, which increase operational costs.
  • Users who have too many passwords, which results in password overload: with so many passwords to remember, users cannot manage them securely and resort to reuse or notes.

To meet these challenges, businesses should find an appropriate solution to address their password management requirements.

  • Business Solutions for Password Management

Businesses can adopt various solutions to these password management challenges. For example, users can keep their passwords aligned manually: log on to each connected directory interactively and change the password natively in that data store. This is a common approach, but users quickly become confused and frustrated when they cannot remember which password is current in which connected data store, and the passwords drift apart.

  • Event-driven password management application

An event-driven password management application, such as the one in MIM 2016, is a more viable solution to these challenges. With MIM 2016, users change their password once, at their desks, in the authoritative connected data source. A service on that source (for Active Directory, the Password Change Notification Service installed on the domain controllers) captures the password change and pushes the new password to the other configured connected data sources in real time. This solution is cost-effective and efficient because users no longer change the password manually in each connected data source to match the authoritative one, and the change takes effect everywhere as soon as it is made.

  • Automated Password Synchronization Solution 

Automated password synchronization only synchronizes passwords between accounts that already exist in connected data sources whose management agents support the password synchronization option; it does not create accounts. During automated password synchronization, a user changes a password in an authoritative connected data source. The new password is captured from the authoritative source during the password change itself and then distributed by MIM 2016 to the configured connected data sources.

MIM 2016 uses the domain name in the password change request to locate the management agent that services that domain, and then uses the user account information in the request to locate the corresponding object in that agent's connector space. It then follows the join information for that object to determine which other management agents hold a joined object, and checks whether each of them is enabled for password synchronization. Synchronization is initiated and the updated password is sent to the data sources that pass both checks. In this way the automated password synchronization solution in MIM 2016 addresses the password management needs of many enterprises in real time.
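The routing steps above, as an added illustration in Python that is not part of MIM 2016 or of this page: a small model of the connector space in which the request's domain selects the source management agent, the account selects the source object, and the join to a metaverse object selects the candidate targets, which receive the password only when their agent has synchronization enabled. The agent names, accounts and join identifiers are constructed sample data, and the plan never carries or logs the password itself.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class ManagementAgent:
    name: str
    domains: List[str]             # domains whose password changes arrive through this MA
    password_sync_enabled: bool    # the per-MA "enable password synchronization" setting


@dataclass
class CSObject:
    """A connector-space object: one account as seen by one management agent."""
    ma: str
    account: str
    metaverse_id: Optional[str]    # set only when the object is joined to a metaverse object


@dataclass
class PasswordChangeRequest:
    domain: str
    account: str
    new_password: str              # deliberately never copied into the plan or any message


@dataclass
class SyncPlan:
    source: str
    targets: List[str] = field(default_factory=list)   # "MA/account" entries that get the password
    skipped: List[str] = field(default_factory=list)   # "MA/account: reason" entries that do not


def plan_password_sync(req: PasswordChangeRequest, agents: List[ManagementAgent],
                       cs_objects: List[CSObject]) -> SyncPlan:
    by_name = {a.name: a for a in agents}

    # Step 1: the domain in the request selects the MA that services it.
    source = next((a for a in agents
                   if req.domain.lower() in (d.lower() for d in a.domains)), None)
    if source is None:
        raise LookupError(f"no management agent services domain {req.domain!r}")

    # Step 2: the account in the request selects the source connector-space object.
    src = next((o for o in cs_objects
                if o.ma == source.name and o.account.lower() == req.account.lower()), None)
    if src is None:
        raise LookupError(f"{req.account!r} not found in the connector space of {source.name}")

    plan = SyncPlan(source=f"{source.name}/{src.account}")
    if src.metaverse_id is None:
        plan.skipped.append(f"{plan.source}: not joined, nothing to propagate")
        return plan

    # Step 3: objects joined to the same metaverse object are the candidates; only
    # those whose MA has password synchronization enabled actually receive the change.
    for obj in cs_objects:
        if obj.ma == source.name or obj.metaverse_id != src.metaverse_id:
            continue
        label = f"{obj.ma}/{obj.account}"
        agent = by_name.get(obj.ma)
        if agent is None:
            plan.skipped.append(f"{label}: unknown management agent")
        elif not agent.password_sync_enabled:
            plan.skipped.append(f"{label}: password synchronization disabled on MA")
        else:
            plan.targets.append(label)
    return plan


def distribute(req: PasswordChangeRequest, plan: SyncPlan,
               setters: Dict[str, Callable[[str, str], None]]) -> Tuple[List[str], List[str]]:
    """Push the new password to every target through that MA's own setter callable.
    One unreachable directory must not block the others, so failures are collected
    (by exception class only, never with the password) instead of raised."""
    done, failed = [], []
    for label in plan.targets:
        ma, account = label.split("/", 1)
        try:
            setters[ma](account, req.new_password)
            done.append(label)
        except Exception as exc:
            failed.append(f"{label}: {type(exc).__name__}")
    return done, failed


def constructed_environment():
    """Constructed sample data for the example; not exported from a real MIM instance."""
    agents = [
        ManagementAgent("ADMA", ["corp.example"], password_sync_enabled=True),
        ManagementAgent("LDAPMA", [], password_sync_enabled=True),
        ManagementAgent("SQLMA", [], password_sync_enabled=False),
    ]
    cs_objects = [
        CSObject("ADMA", "jdoe", "mv-1001"), CSObject("LDAPMA", "jdoe", "mv-1001"),
        CSObject("SQLMA", "jdoe", "mv-1001"),
        CSObject("ADMA", "asmith", "mv-1002"), CSObject("LDAPMA", "asmith", "mv-1002"),
        CSObject("ADMA", "contractor1", None),   # provisioned in AD but never joined
    ]
    req = PasswordChangeRequest("corp.example", "jdoe", "N3w-P@ssw0rd-value")
    return req, agents, cs_objects
```

With the constructed data, a change for jdoe in corp.example reaches LDAPMA only: SQLMA holds a joined object but has synchronization disabled, and the unjoined contractor1 object produces no targets at all. Keeping the plan and the password apart is the point of the split between plan_password_sync and distribute: the plan can be logged, the password cannot.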

For more information about other PATECCO solutions, see the new e-guide:

PATECCO’s Best Practices For Securing Privileged Accounts

In a time of rapid digital transformation, many organizations struggle to manage privileged accounts. To strictly control, protect, monitor and manage them, such companies use Privileged Account Management (PAM). PAM grants users privileges only on the systems for which they are authorized, centrally manages access to those systems and eliminates local system passwords for privileged users. In addition, PAM creates an unalterable audit trail for every privileged operation and can record user activity down to the individual commands executed.

PATECCO provides consulting on the implementation of PAM solutions in customers' infrastructure, especially in the banking and telecommunications sectors. The two main components of its PAM projects are password management and session management. Password management covers different types of accounts, such as privileged (administrative) accounts, shared accounts, Administrator and root, QSECOFR (the IBM i security officer account), emergency accounts and technical accounts (used only for machine-to-machine communication).

For example, shared and emergency accounts are in general highly privileged. They differ in the approval workflow required to obtain the corresponding password: use of a shared account can be planned, whereas emergency accounts need a faster workflow. The problem with shared accounts is that, without PAM, it is not clear who used the account and when. With PAM, companies can make sure that only one person can use such an account at a time, for a predefined period. The check-out is recorded in an activity log, and once that person checks the account back in, PAM changes the password so that the value they were given is no longer valid. This check-out and check-in cycle, combined with the accelerated approval path of emergency accounts, is the "break-glass" scenario.
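The check-out and check-in cycle described above, as an added Python illustration that is not PATECCO's or any vendor's code: a vault that hands out a shared-account password under an exclusive, time-limited lease, requires a named approver for planned use but not for emergency use, records every step in an activity log that never contains the password, and rotates the password on check-in and after an abandoned lease. Account and user names are constructed; the injectable clock exists only so that expiry can be exercised without waiting.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


@dataclass
class Lease:
    user: str
    reason: str
    emergency: bool
    expires_at: datetime


class BreakGlassVault:
    """Exclusive check-out of shared/emergency account passwords with rotation on check-in.
    Constructed illustration of the workflow, not a product API."""

    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._passwords: Dict[str, str] = {}
        self._leases: Dict[str, Lease] = {}
        self.audit: List[dict] = []     # who, which account, when, why; never the password

    def _log(self, event: str, account: str, user: str, **extra) -> None:
        self.audit.append({"time": self._clock().isoformat(), "event": event,
                           "account": account, "user": user, **extra})

    def _rotate(self, account: str) -> None:
        self._passwords[account] = "".join(secrets.choice(ALPHABET) for _ in range(32))

    def enroll(self, account: str) -> None:
        """Bring an account under management: PAM sets a password nobody has seen."""
        self._rotate(account)
        self._log("enroll", account, "pam")

    def checkout(self, account: str, user: str, reason: str, minutes: int = 60,
                 emergency: bool = False, approved_by: Optional[str] = None) -> str:
        if account not in self._passwords:
            raise KeyError(account)
        # Planned use of a shared account needs a named approver; emergency use is
        # allowed without one but is flagged in the log for after-the-fact review.
        if not emergency and not approved_by:
            raise PermissionError("planned shared-account use requires an approver")
        now = self._clock()
        lease = self._leases.get(account)
        if lease and lease.expires_at > now:
            raise RuntimeError(f"{account} is checked out by {lease.user} "
                               f"until {lease.expires_at.isoformat()}")
        if lease:
            # The previous holder never checked in: rotate so the stale copy is useless.
            self._log("lease_expired", account, lease.user)
            self._rotate(account)
        self._leases[account] = Lease(user, reason, emergency, now + timedelta(minutes=minutes))
        self._log("checkout", account, user, reason=reason, emergency=emergency,
                  approved_by=approved_by, expires_at=self._leases[account].expires_at.isoformat())
        return self._passwords[account]

    def checkin(self, account: str, user: str) -> None:
        lease = self._leases.get(account)
        if lease is None or lease.user != user:
            raise PermissionError(f"{user} does not hold the lease on {account}")
        del self._leases[account]
        self._rotate(account)           # the password the user saw is now invalid
        self._log("checkin_rotated", account, user)

    def holder(self, account: str) -> Optional[str]:
        lease = self._leases.get(account)
        return lease.user if lease and lease.expires_at > self._clock() else None
```

A second check-out while a lease is active is refused rather than queued, which is what makes the activity log answer "who held root on that host at that time". Rotating in checkout when an expired lease is found covers the case the paragraph leaves implicit: a user who never checks in must not keep a working password.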

For session management, all data gathered (session recordings and the related activity logs) is stored securely (encrypted), and access to it is possible only under the four-eyes principle, that is, with two authorized persons acting together. Guideline and process documents are designed and agreed with the works council, the data security officer and the other parties involved in the compliance process.

Over the past three years, PATECCO has developed strong skills in implementing PAM solutions, describing and designing the necessary processes, and connecting systems to these solutions. Its IT consulting team can offer best practices in the following functional PAM subsets:

1. Identity Consolidation

  • Consolidating UNIX, Linux and LDAP identities under a single unique ID in Active Directory, for centralized identity, role and privilege management and Kerberos-based authentication
  • Deleting or disabling as many privileged accounts as possible to reduce the attack surface

2. Privileged Access Request

  • Establishing a solution (tool) that supports workflow-based privileged access requests across both the SUPM and SAPM components, for stronger security, governance and compliance

3. Super User Privilege Management (SUPM)

  • Minimizing the number of shared accounts and reducing or disabling privileged accounts. Using host-based SUPM (sudo-style elevation) wherever possible, so that administrators log in with their own unique ID and explicitly elevate privilege for individual commands; SAPM is used for accounts where SUPM cannot be applied, as the EXCEPTION, not the RULE.

4. Shared Account Password Management (SAPM)

  • Data breach mitigation is most effective when it reduces the attack surface: bring the number of privileged accounts as close to zero as possible and use SAPM only for emergency login scenarios such as "break glass".

5. Application to Application Password Management (AAPM)

  • Replacing plain-text passwords embedded in scripts with an API call to the company's SAPM service, so that the credential is retrieved at run time rather than stored on disk; this improves security and reduces IT administrative overhead, since scripts no longer have to be edited when a password is rotated
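The "before" and "after" of the AAPM item, as an added Python illustration that is not part of this page or of any product: a small scanner that finds literal credentials in a constructed backup script, and the replacement pattern in which the script holds no secret and fetches the current password from the SAPM service when it runs. The vault host sapm.example.internal, the /api/accounts/<name>/password path, the JSON response shape and the Bearer token are assumptions about a hypothetical SAPM REST interface; the injectable opener lets the example run offline.

```python
import json
import os
import re
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Patterns for the usual ways a literal password is embedded in shell, PowerShell or
# Python automation. Constructed for this example and deliberately conservative:
# values that are shell variables ($VAR) are not flagged, and the glued "-pSECRET"
# form is left to a dedicated tool.
EMBEDDED_SECRET_PATTERNS = [
    re.compile(r"""(?i)(?:passw(?:or)?d|pwd|secret)\s*[:=]\s*['"][^'"$]{4,}['"]"""),   # PASSWORD="literal"
    re.compile(r"""(?i)(?:^|\s)(?:-p|--password|-Password)(?:\s+|=)['"]?[^\s'"$]{4,}"""),  # -Password literal
    re.compile(r"""://[^/\s:@]+:[^@\s/]+@"""),                                             # scheme://user:pass@host
]


def find_embedded_secrets(script_text: str) -> List[Tuple[int, str]]:
    """Return (line number, stripped line) for each non-comment line carrying a literal credential."""
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        if any(p.search(line) for p in EMBEDDED_SECRET_PATTERNS):
            hits.append((lineno, line.strip()))
    return hits


# Constructed "before" script: the anti-pattern the AAPM item describes.
BEFORE = """#!/bin/bash
# nightly CRM backup
DB_PASSWORD="S3cr3t!2016"
mysqldump -u backup -p"$DB_PASSWORD" crm > /backup/crm.sql
curl https://svc:hunter2@reports.example.internal/upload -F f=@/backup/crm.sql
"""


def fetch_password_from_sapm(account: str, vault_url: str = "https://sapm.example.internal",
                             token: Optional[str] = None,
                             opener: Callable = urllib.request.urlopen) -> str:
    """Ask the SAPM service for the current password of a managed account at run time.
    Host, path, JSON shape and Bearer token are assumptions about a hypothetical SAPM
    REST interface, not any vendor's API."""
    token = token or os.environ.get("SAPM_TOKEN")
    if not token:
        raise RuntimeError("no SAPM token: provision a short-lived application credential")
    req = urllib.request.Request(
        f"{vault_url}/api/accounts/{account}/password",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with opener(req, timeout=5) as resp:
        return json.load(resp)["password"]


def backup_invocation(token: Optional[str] = None,
                      opener: Callable = urllib.request.urlopen) -> Tuple[List[str], Dict[str, str]]:
    """The "after" form: nothing secret in the script. The password is fetched when the
    job runs and handed to mysqldump through MYSQL_PWD, so it appears neither in the
    script nor in argv (and therefore not in `ps` output)."""
    password = fetch_password_from_sapm("backup@crm-db", token=token, opener=opener)
    argv = ["mysqldump", "-u", "backup", "crm"]
    env = {**os.environ, "MYSQL_PWD": password}
    return argv, env
```

The scanner flags line 3 (the literal assignment) and line 5 (the credential in the URL) of the constructed script but not line 4, which only references a variable. In the replacement, the only long-lived secret left on the host is the application's own SAPM token, which is what the AAPM workflow is meant to scope and rotate.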

After introducing PATECCO's best practices in Privileged Account Management, the main goals of its PAM projects can be summarised: to demonstrate PAM capabilities that give privileged users efficient and secure access to the systems they manage, and to ensure that audit and compliance requirements are met.