Lock Down Access to Admin Accounts with On-Demand Privileged Access Management


Nearly every enterprise system, application, and database comes with a privileged account.  Administrators need these privileged accounts to install software updates, reset passwords, set up or deactivate accounts, and perform other standard administrative tasks.

When administrator accounts are assigned full-time to an individual or shared across members of the IT staff, these accounts are an open door with unlimited access to the systems and data contained within. The credentials to these accounts are literally the “keys to your kingdom.” As such, they are high-value targets for malicious intruders and hackers.

Should an intruder successfully guess or steal the credentials for one of these administrator accounts, they essentially have a free pass to do whatever they want with little risk of being caught.  This includes moving laterally into other critical systems where they can infiltrate, steal, sell, and/or share your corporate IP, source code, design docs, trade secrets, and customer data.

On-Demand Privileged Access Management

Rather than providing unlimited access to administrative accounts, Identity Automation strongly recommends moving to a just-in-time access policy.

In our view, this isn’t just a best practice, but a necessity, given the number of high-profile breaches that have occurred via privileged accounts over the past few years.   

And, just to prove we put our money where our mouth is at Identity Automation, not even our own CTO has unlimited administration rights to any system.  He has to request access just like any other staffer.

This is possible because Identity Automation enables On-Demand Privileged Account Access in RapidIdentity through a combination of automated workflows and password vaulting.

Reduce Security Risk with Password Vaulting

Unlike personal, shared, and (especially!!) default administrator credentials that are easily guessed or stolen, password vaulting generates a new, random password every time an administrator requests elevated access to a target system.  


This is how it works: administrators simply request to check out a password for a given system in their RapidPortal, which triggers an approval workflow that can be completely automated based on the requester's role, attributes, or currently held entitlements. The workflows can also be designed to require the approval of one or more managers or system owners. A third option is to design your workflows to be both manual and dynamic. For example, during the workday, manual approvals are required, and during off-hours, dynamic approvals are in play.

Once the request is approved, the recipient receives a randomly generated password, providing them with elevated access to the given system for a customizable duration of time. When the time period expires, the password is no longer valid. If additional time is needed, the administrator must request a new password and access window in the system.
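The check-out flow described above, modeled as an added Python sketch that is not RapidIdentity code: a request is approved manually during the workday or by role off-hours, a fresh random password is issued with an expiry, and every event is logged. The `Vault` class, the role name, the workday hours, the password length, and the `is_valid` stand-in for the target system's login check are all assumptions made for illustration.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"
AUTO_APPROVE_ROLES = {"dba-oncall"}   # assumed role allowed dynamic approval
WORKDAY_HOURS = range(8, 18)          # assumed: manual approval 08:00-17:59

class Vault:
    def __init__(self):
        self.leases = {}   # system -> (password, requester, expires_at)
        self.audit = []    # append-only trail: (time, event, user, system)

    def _log(self, now, event, user, system):
        self.audit.append((now.isoformat(), event, user, system))

    def decide(self, role, now, manager_approved=False):
        """Manual approval during the workday, role-based approval off-hours."""
        if now.hour in WORKDAY_HOURS:
            return manager_approved
        return role in AUTO_APPROVE_ROLES

    def check_out(self, user, role, system, now, minutes=30,
                  manager_approved=False):
        self._log(now, "request", user, system)
        if not self.decide(role, now, manager_approved):
            self._log(now, "denied", user, system)
            return None
        # A new random password per request; it replaces any earlier lease.
        password = "".join(secrets.choice(ALPHABET) for _ in range(24))
        expires_at = now + timedelta(minutes=minutes)
        self.leases[system] = (password, user, expires_at)
        self._log(now, "approved", user, system)
        return password

    def is_valid(self, system, password, now):
        """Stand-in for the target system's check: expired leases are revoked."""
        lease = self.leases.get(system)
        if lease is None:
            return False
        stored, user, expires_at = lease
        if now >= expires_at:
            del self.leases[system]
            self._log(now, "revoked", user, system)
            return False
        return secrets.compare_digest(stored, password)
```
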

Compliant, Secure, and User Friendly – No Compromises Needed

The great thing about our Privileged Access Controls is that they don’t just make your organization more secure; they also help keep you compliant with nearly all data security standards, such as PCI DSS, HIPAA, SOX, etc. All associated privileged account events, including requests, approvals, and revocations, are logged, providing a complete audit trail for reporting purposes.

The Benefits of RapidIdentity On-Demand Administrator Accounts

On-Demand Access might not be right for all types of privileged accounts, but for administrator and other service accounts, there are meaningful benefits that include:

  • Reducing the likelihood of a cybercriminal guessing or hacking the credentials to an administrator account.
  • Time-limiting elevated access for administrator accounts, which in turn limits harmful actions, whether unintentional or malicious.
  • Enabling IT to maintain multiple administrators for the same systems without over-granting full-time accounts.
  • Satisfying compliance requirements by proving to auditors that your organization’s administrator accounts are managed, controlled, and secure.
  • Providing individual accountability and visibility into who has access to what and when.

