IBM Security Verify Privilege Vault-Part 3-How to configure DoubleLock

By Sushmita Das posted Tue August 16, 2022 07:34 AM

  
In our last blog, we walked through configuring an approval workflow to control access to secrets and machines via IBM Security Verify Privilege Vault, which keeps both end users and approvers accountable for their actions.

In this leg of our ongoing series, we'll see how to add an extra layer of protection to our most critical secrets. Secrets that grant access to mission-critical machines can be protected with an additional password, a feature known as DoubleLock.

NOTE: If you are interested in the user story behind this implementation, please read our PAM Simplified - Blog Series - Part 3.


DoubleLock encrypts the secret data with an additional encryption key that is only accessible with another password, unique to each user. Public/private key encryption is used to share access to a DoubleLock between users securely, so each assigned user unlocks it with their own DoubleLock password rather than a shared one.

Benefits that we get with the DoubleLock feature:

  • Secrets cannot be decrypted even if Secret Server itself is compromised, since the server does not hold the DoubleLock password needed to unlock them.
  • Secrets cannot be decrypted even when someone is accidentally granted permissions to a Secret through AD group membership.
  • DoubleLock provides an additional grouping of privilege, so that access to critical data can be restricted to a select set of individuals.

One needs to be careful with DoubleLock: resetting a forgotten DoubleLock password is irreversible and can result in permanent loss of the data. Hence it is always recommended to assign more than one user to each DoubleLock.

When resetting a DoubleLock password, a list of the assigned DoubleLocks and the Secrets they protect is displayed to the user. Check that each of those Secrets has at least one additional user with DoubleLock access; that way, the data is not lost because of a forgotten DoubleLock password.
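To make the key hierarchy described above concrete, and to show why a reset is irreversible unless a second user is assigned, here is a small model written for this post. It is an added illustration, not Secret Server's code or IBM's implementation: it uses textbook RSA with small keys and no padding, a SHAKE256 keystream in place of a real cipher, and PBKDF2 for the password, and the class and method names (User, DoubleLock, share, store, read, can_read) are assumptions for the illustration. Only the structure follows the text: a per-user DoubleLock password protects that user's private key, the DoubleLock key is stored only wrapped to each assigned user's public key, and secrets are encrypted under the DoubleLock key.

```python
# Toy model of a DoubleLock-style key hierarchy (added example, not Secret Server's code):
# textbook RSA without padding, a SHAKE256 keystream instead of AES, PBKDF2 for the password.
import hashlib
import hmac
import secrets

E = 65537

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_keypair(bits=512):
    """Return (private exponent d, public key (E, n)); toy key size, illustration only."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E:
            return pow(E, -1, phi), (E, p * q)

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, 32)

def _stream(key, nonce, data):
    """XOR with a SHAKE256 keystream (stand-in for a real AEAD cipher)."""
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key + nonce).digest(len(data))))

class User:
    """Public key plus the private key encrypted under the user's own DoubleLock password."""
    def __init__(self, doublelock_password):
        self.set_password(doublelock_password)

    def set_password(self, password):
        # A reset makes a NEW keypair: the old private key, and every DoubleLock key
        # wrapped to the old public key, are gone for good (the irreversibility warning).
        d, self.public_key = _gen_keypair()
        self._salt, self._nonce = secrets.token_bytes(16), secrets.token_bytes(16)
        wrap_key = _kdf(password, self._salt)
        self._enc_priv = _stream(wrap_key, self._nonce, d.to_bytes(64, "big"))
        self._mac = hmac.new(wrap_key, self._enc_priv, "sha256").digest()

    def private_key(self, password):
        wrap_key = _kdf(password, self._salt)
        if not hmac.compare_digest(self._mac, hmac.new(wrap_key, self._enc_priv, "sha256").digest()):
            raise PermissionError("wrong DoubleLock password")
        return int.from_bytes(_stream(wrap_key, self._nonce, self._enc_priv), "big")

class DoubleLock:
    """Random key K kept only RSA-wrapped per assigned user; secrets are encrypted under K."""
    def __init__(self, owner_name, owner):
        self.wrapped, self.items = {}, {}
        self._wrap(secrets.token_bytes(32), owner_name, owner)

    def _wrap(self, k, name, user):
        e, n = user.public_key
        self.wrapped[name] = (user.public_key, pow(int.from_bytes(k, "big"), e, n))

    def _unlock(self, name, user, password):
        pub, wrapped = self.wrapped.get(name, (None, None))
        if pub != user.public_key:  # never assigned, or this user's key was reset
            raise PermissionError(f"{name} holds no usable copy of this DoubleLock key")
        return pow(wrapped, user.private_key(password), pub[1]).to_bytes(32, "big")

    def share(self, from_name, from_user, from_password, to_name, to_user):
        """Grant another user access: unwrap K with our private key, re-wrap to their public key."""
        self._wrap(self._unlock(from_name, from_user, from_password), to_name, to_user)

    def store(self, item, plaintext, name, user, password):
        nonce = secrets.token_bytes(16)
        self.items[item] = (nonce, _stream(self._unlock(name, user, password), nonce, plaintext))

    def read(self, item, name, user, password):
        nonce, ct = self.items[item]
        return _stream(self._unlock(name, user, password), nonce, ct)

def can_read(lock, item, name, user, password):
    """True if the user can decrypt the item with that DoubleLock password."""
    try:
        return lock.read(item, name, user, password) is not None
    except PermissionError:
        return False
```

A typical walk-through with constructed values: create users alice and bob, create a DoubleLock owned by alice and store a secret under it, confirm that a wrong password or an unassigned user cannot read it, share the DoubleLock from alice to bob, then reset alice's password. After the reset alice can no longer unlock anything, because her wrapped copy of the key was made for a public key that no longer exists; the only way back is for bob, who still holds a usable copy, to share it to her again. With a single assigned user there would be nobody left to do that, which is exactly the permanent-loss case the warning above describes.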


Steps to configure:
Log in to Secret Server as an administrator and navigate to the Secret for which you want to enable DoubleLock. Set DoubleLock to 'Yes', then provide a name for the DoubleLock and its password (minimum 8 characters).




Watch the video on the DoubleLock feature of ISVPV

An end user tries to access the AD secret after logging into Secret Server, but is forced to provide an additional password before gaining access to the secret. The secret shown here is protected by DoubleLock.


Do check out the blog on the Monitoring and Session Recording feature of ISVPV.

Learn More at:
IBM Security Verify Privilege Vault Product Details
IBM Security Verify Privilege Vault Technical Documentation


For any queries, contact @Sushmita Das / @Sivapatham Muthaiah
