Ideally, in a traditional enterprise, authentication is primarily handled using username & password. But can we solely rely on it when it comes to privileged accounts? There is a need to provide a more robust, reliable and secure mechanism to protect them especially when it comes to the sensitive accounts. Quite often, organizations don’t know what privileged accounts exist, or where they’re stored, so they are unable to secure them.
Privileged accounts are a lucrative target for the hackers since they get hold of an organization’s most sensitive data. The misuse can not only be by outsiders but disgruntled employees as well.
We can mitigate the issues at the very core by using IBM Verify Privilege Vault.
IBM Verify Privilege Vault offers a robust privileged access management solution that is available as an easily deployable on-prem module or as a SaaS offering.
One can automatically discover privileged accounts in an enterprise and manage them using various custom workflows, rules, etc., send across email notifications, generate reports and many other features spanning across accounts, servers, applications, endpoints, etc.
IBM Security Verify Privilege Vault (aka Delinea Secret Server) provides privilege access controls and is an important component in security solution. It provides following capabilities.
- Password Vault
- Privilege Access
- Session Recording
- Reporting
NOTE: If you are interested to know about the user story applicable, please do checkout PAM Simplified - Blog Series - Part 1.
In this blog we will showcase how we can discover the accounts on the servers(AD, Unix/Linux, Windows, AWS, etc.) and vault the passwords alongwith few other controls that will help the enterprise in improving their security posture.
Firstly we need to bring the servers into IBM Verify Privilege purview by following the steps below.
Server Discovery
It helps in discovering the secret accounts and bringing them into the vault.
- Login to the console as admin and navigate to 'Discovery'
- Select the type of 'Discovery Source' that you want to protect via Vault. Here we have brought in a Linux server. Select the type as 'Unix' and proceed.
- Provide the details like SourceName, IP Address, Site in case you are using a DE, secret to be used for discovery. If you haven't created a secret, refer Secrets Management to see how a secret can be created.
Once the source is added, it'll show up in the main page. You can click on 'Scanner Settings' to configure or update additional items.
- Click on 'Discovery Network View' to check if the server accounts are visible. Click on 'Import' to onboard the accounts.
- After the account is imported successfully, the status would change to 'Managed' meaning the account is managed via Verify Privilege now.
All the accounts existing in the Linux server are shown here. Depending on the requirements, they can be imported.
Secrets Management
In order to connect to servers via PAM, we need to vault their passwords better known as secrets. To create a secret, we need to specify basic details like type, hostname, domain, etc. depending on the template selected.
Type: Unix Account
Type: Active Directory Account
Once the above settings are done, an end user who is in the Group that is attached to the secret will be able to login to the machine without the need for credentials.
We can define the checkout setting in the secret to block simultaneous use.
By storing the credentials of privileged accounts in a separate and secure repository, IBM Security Verify Privilege Vault enables companies to isolate their use and track their activity, effectively lowering the risk that they’ll be misused or stolen.
Administrators can also set it up to have established time limits and other rules or approval workflows for user access, as well as automatically remove privileges as soon as an individual moves to another role or leaves the company—limiting access to those who truly need it.
Interested to know more?? Visit our next blog in the series to know further.
Learn More:
IBM Security Verify Privilege Vault Product Details
IBM Security Verify Privilege Vault Technical Documentation
For any queries, contact
@Sushmita Das /
@Sivapatham Muthaiah