Why Privileged Account Management Beats Password Vaulting

Posted by Gary Utley on January 30, 2020

You need better password management. But what should you try? Many people recommend password vaulting, also known as password managers. But while this can be effective for your end users, it may not be effective for your organization or network as a whole.

Privileged Account Management (PAM) is a more robust solution, but understanding why it's better requires an in-depth understanding of the way that PAM works. Here's an overview of PAM and password vaulting, and when you should use one or the other.

Privileged Account Management

What is a privileged account? A privileged account is an administrative account that has specialized privileges, such as being able to manage employee access, install software solutions, and control privileges for other employees. Privileged account management solutions automate the process of controlling access to employee accounts, such as enforcing password rotation.

The benefits of privileged account management:

  • You can control privileges and access on a granular level. Password managers may be able to remember login information, but they can't do anything about the permissions of those accounts.
  • You can control user accounts from a centralized location. You can decommission accounts for employees who have been terminated and commission accounts for employees as they are added, while controlling the privileges that they are offered.
  • You can enforce two-factor authentication. Two-factor authentication is, by far, one of the best ways to protect an account, and it can be enforced through PAM.

A PAM solution operates on the back end to ensure that account access and identity management are controlled as they should be. Administrators are able to look at employee accounts at a glance, deploy and commission new accounts, and ensure that the privileges are accurate.

The Pros and Cons of Password Vaulting

Most users are advised to get a password vault, also known as a password manager — both to improve security and to simplify their lives.

A password vault is a single system that maintains all a user's passwords. When a user goes to log into a system, their password vault automatically fills it in. The password vault itself doesn't store the user's plain text passwords; the passwords are all encrypted and safe.

However, anyone who can log into the password vault may be able to access the user's accounts if two-factor authentication isn't enabled on the accounts themselves.

A password vault is useful for a few reasons:

  • It allows users to use complex, unique passwords. Users no longer need to remember their passwords, so passwords that would be unfeasible to remember are now possible. A user may not be able to remember "29djDJWIOWDJ2482FJIWFJOj2j3," but a password vault can.
  • It reduces the number of times users need to submit help desk tickets. Users won't forget their passwords, and thus won't need to reset them. In companies, this reduces administrative time. For the user, it improves their personal efficiency.
  • It generates passwords for users. With a vault, users don't need to come up with their own passwords, so the result isn't a password that a malicious attacker could guess.

But that doesn't mean there aren't downsides as well. Because a password vault contains all a user's passwords, cracking into the vault itself could allow someone to log into their accounts. That does, however, require that the individual have access to a user's device, which would be a smartphone or a desktop computer.

Privileged Account Management vs. Password Vaulting

By now, you can see that privileged account management and password vaulting are similar tools that are used for different things. They both deal with security, but they deal with different aspects of network protection.

Password vaults are used for individual users, to control all the passwords they need to use throughout their daily life. They're useful and helpful, but they're not a replacement for privileged account management.

Password vaults make sure that employees are using good passwords and that they can manage and store all their passwords. But privileged account management operates from the back end, to distribute privileges to employees, and to ensure that their accounts are commissioned and decommissioned as needed.

Through PAM, organizations are able to better control access to their systems through a centralized location, and are able to view activity related to these accounts and audit these accounts to reduce risks. Through automated solutions like password rotation, organizations are able to enforce better password hygiene.
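The checks a PAM solution centralizes (decommissioning accounts of terminated employees, enforcing two-factor authentication, and password rotation) can be pictured as an audit over an account inventory. The following is an added example, not code from the article or from any PAM product; the field names, the 90-day rotation limit, and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed policy value for this example; the article does not specify one.
MAX_PASSWORD_AGE_DAYS = 90


@dataclass
class Account:
    name: str
    owner_active: bool   # False once the owning employee has been terminated
    privileged: bool     # administrative account
    mfa_enabled: bool    # two-factor authentication enforced
    last_rotated: date   # date of the last password rotation
    enabled: bool = True


def audit(accounts, today):
    """Return {account name: [findings]} for enabled accounts that break policy."""
    report = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # already decommissioned, nothing left to check
        findings = []
        if not acct.owner_active:
            findings.append("owner terminated: decommission")
        if acct.privileged and not acct.mfa_enabled:
            findings.append("privileged without two-factor authentication")
        age = (today - acct.last_rotated).days
        if acct.privileged and age > MAX_PASSWORD_AGE_DAYS:
            findings.append(f"password not rotated for {age} days")
        if findings:
            report[acct.name] = findings
    return report


# Constructed sample inventory (hypothetical accounts, not real data).
INVENTORY = [
    Account("svc-backup", True, True, False, date(2019, 6, 1)),
    Account("adm-jsmith", False, True, True, date(2020, 1, 10)),
    Account("adm-alee", True, True, True, date(2020, 1, 15)),
    Account("old-admin", False, True, False, date(2018, 1, 1), enabled=False),
    Account("mbrown", True, False, False, date(2019, 1, 1)),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, date(2020, 1, 30)).items():
        print(name, "->", "; ".join(findings))
```

A password vault sees none of these fields: it stores credentials for one user, while the account state audited here lives in the central directory that PAM manages.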

It's not necessarily a question of whether privileged account management beats password vaulting — it absolutely does, but employees can use both. They are not mutually exclusive. For the purposes of securing company accounts, PAM is a virtual necessity. But for the purposes of user-friendliness and reduced help desk tickets, password vaulting can also be effective.

Is your organization brushing up on its security? Security is a complicated task, and it's getting much more complicated. How can you make sure that your security solutions are effective? Contact the experts today at Red River.
