4. Ensuring on-demand and run-time access
In addition to provisioning resources for privileged accounts, system, network and application administrators, as well as developers, need access to privileged accounts in order to connect to systems, update software, change configurations and manage other accounts or services. This is no different for virtual systems.
Using automated security systems allows organizations to define policies and automate the release of credentials at the point of use, limiting the exposure of the credentials to mitigate risks and potential breaches. Because individuals authenticate to the privileged account management solution before a credential is released, each use of an account on the target system can be traced back to the individual who requested it, meeting audit requirements.
Programs and scripts also require passwords to connect to back-end systems such as databases, file transfer systems and other machines, and these passwords are typically hard-coded or embedded in the programs themselves, or stored in files or registry settings. Security systems must therefore provide a means to strongly authenticate unattended programs running on physical machines or VMs and to authorize the release of critical passwords to them, minimizing the risk of a breach.
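The two requirements above, policy-governed release of a credential at the point of use and an audit trail that ties each release to the requester, can be sketched in a small broker. The following is an added example and not code from the original page or from any product it describes; it is a hypothetical design in which a requester (an administrator or an unattended program) authenticates each request with an HMAC under a per-requester key (a stand-in for a client certificate or OS-level identity), a policy table decides whether that identity may receive the named account, and every decision is recorded. The vault contents, requester keys, account names and policy are constructed sample data.

```python
"""Policy-gated release of privileged credentials with an audit trail.

Added example (hypothetical broker), not the page's or any vendor's code.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample data: vault contents, per-requester keys and release policy.
VAULT = {"db-prod/admin": "s3cr3t-db", "xfer/svc_xfer": "xfer-pass"}
REQUESTER_KEYS = {"batch-job-7": b"constructed-key-1", "alice": b"constructed-key-2"}
POLICY = {
    "batch-job-7": {"db-prod/admin"},             # unattended program: one account only
    "alice": {"db-prod/admin", "xfer/svc_xfer"},  # administrator
}
MAX_SKEW = 300  # seconds a signed request remains valid


def _message(requester, account, ts, nonce):
    """Canonical byte string covered by the request signature."""
    return f"{requester}|{account}|{ts}|{nonce}".encode()


def sign_request(requester, account, ts=None, nonce=None):
    """Client side: build a signed request. The requester's key never leaves the client."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    sig = hmac.new(REQUESTER_KEYS[requester], _message(requester, account, ts, nonce),
                   hashlib.sha256).hexdigest()
    return requester, account, ts, nonce, sig


@dataclass
class Broker:
    audit: list = field(default_factory=list)        # one entry per decision, allow or deny
    seen_nonces: set = field(default_factory=set)    # replay protection within MAX_SKEW

    def _record(self, requester, account, decision, reason):
        self.audit.append({"ts": int(time.time()), "requester": requester,
                           "account": account, "decision": decision, "reason": reason})

    def request(self, requester, account, ts, nonce, sig):
        """Return the credential on allow, None on deny; both outcomes are audited."""
        key = REQUESTER_KEYS.get(requester)
        if key is None:
            self._record(requester, account, "deny", "unknown requester")
            return None
        expected = hmac.new(key, _message(requester, account, ts, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            self._record(requester, account, "deny", "bad signature")
            return None
        if abs(int(time.time()) - ts) > MAX_SKEW or nonce in self.seen_nonces:
            self._record(requester, account, "deny", "stale or replayed request")
            return None
        self.seen_nonces.add(nonce)
        if account not in POLICY.get(requester, set()) or account not in VAULT:
            self._record(requester, account, "deny", "not authorized for account")
            return None
        self._record(requester, account, "allow", "policy match")
        return VAULT[account]
```

The point of the design is that the program holding the key for `batch-job-7` never stores the database password itself: it obtains the credential at run time, only for the account policy grants it, and the audit record names both the requester and the account, which is what links the identity to the account usage on the target system.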
5. Delivering service for privileged access management
To complete the picture of a VM environment, it is necessary to deliver the privileged account management services on a virtual platform. As VMs are dynamically provisioned within an enterprise to scale to business demand, the capacity of the security systems must scale in parallel. To prevent capacity problems, security systems must be able to provision additional virtual services as needed. The virtual enterprise must monitor the performance of each virtual instance of the security systems to trigger automatic provisioning and de-provisioning of services in concert with changes in demand. To maintain performance, automated privileged account management systems must:
- Replicate credentials to and from each virtual instance of the system,
- Load-balance requests for credentials among the virtual servers, and
- Distribute the workload among each virtual node, as required.
Operating these solutions within a virtual environment as a service poses the same security challenges for the authentication system as it does for any of the virtual systems it supports.
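The three requirements listed above (replication, load balancing and workload distribution across virtual instances) can be modelled in a few dozen lines. The following is an added example, not code from the original page or from any product it describes; the node names, account names, load threshold and the versioned write log are assumptions of this hypothetical design. Each credential write carries a monotonically increasing version and is pushed to every healthy node; a node that lags (for example after being unhealthy during a rotation) is resynchronized before it is allowed to serve, so a rotated password is never handed out from a stale replica. Reads are round-robined over healthy nodes, and the cluster provisions or de-provisions a node when the per-node request rate crosses a threshold.

```python
"""Replicated, load-balanced credential service with capacity-driven scaling.

Added example (hypothetical cluster model), not the page's or any vendor's code.
"""
from dataclasses import dataclass, field


@dataclass
class VaultNode:
    name: str
    healthy: bool = True
    store: dict = field(default_factory=dict)  # account -> (version, secret)
    served: int = 0

    def replicate(self, account, version, secret):
        """Apply a replicated write; reject anything not newer than what we hold."""
        current = self.store.get(account)
        if current is not None and current[0] >= version:
            return False
        self.store[account] = (version, secret)
        return True


class VaultCluster:
    def __init__(self, names, max_load=50):
        self.nodes = [VaultNode(n) for n in names]
        self.log = {}            # account -> (version, secret): the authoritative write log
        self.max_load = max_load  # assumed requests-per-node threshold for scaling
        self._rr = 0

    def healthy(self):
        return [n for n in self.nodes if n.healthy]

    def rotate(self, account, secret):
        """Record a new credential version and replicate it; returns nodes that acked."""
        version = self.log.get(account, (0, None))[0] + 1
        self.log[account] = (version, secret)
        return sum(n.replicate(account, version, secret) for n in self.healthy())

    def resync(self, node):
        """Bring a lagging or freshly provisioned node up to the write log."""
        return sum(node.replicate(a, v, s) for a, (v, s) in self.log.items())

    def get(self, account):
        """Round-robin a read over healthy nodes, repairing a stale replica first."""
        live = self.healthy()
        if not live:
            raise RuntimeError("no healthy vault nodes")
        if account not in self.log:
            raise KeyError(account)
        node = live[self._rr % len(live)]
        self._rr += 1
        entry = node.store.get(account)
        if entry is None or entry[0] < self.log[account][0]:
            self.resync(node)
            entry = node.store[account]
        node.served += 1
        return node.name, entry[1]

    def autoscale(self, window_requests):
        """Provision or de-provision a node from the request rate of the last window."""
        per_node = window_requests / max(1, len(self.healthy()))
        if per_node > self.max_load:
            new = VaultNode(f"vault-{len(self.nodes) + 1}")
            self.resync(new)          # a new node must hold current credentials before serving
            self.nodes.append(new)
            return "scale_out"
        if per_node < self.max_load / 4 and len(self.healthy()) > 1:
            self.nodes.pop()
            return "scale_in"
        return "steady"
```

The version check in `replicate` is the safety property worth keeping in a real deployment: without it, a replica that missed a rotation could accept the older write out of order and keep serving a retired password, which defeats the purpose of rotating it.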