Why Password Vault Only Solutions Are Not Enough to Stop a Breach

December 18, 2017

‘Twas the month of Christmas and all through the town,

packages ‘round trees were being carefully laid down.

But much to the surprise of one neighborhood,

their packages were stolen, taken for good!

Despite guarded gate, doorbell cameras and perimeter wall,

the residents had no clue about their tormenters at all!

One crafty neighbor with experience from Christmases before,

Built a zero-trust model, to protect more than his front door.

All that entered the house, he could monitor and see,

and to access his extra special stuff required more than just one key.

One night as he slept, something stirred in the in-law suite,

Under a cloak of darkness looking for a treat.

A sneak came in through the garage door.

So, what was it that the camera saw?

Nothing at all it’s sad to say

Pointing only at the front door is not the best way.

An alert was triggered, lateral movement at midnight not allowed.

And the extra key for the basement they had not been endowed.

Security in the home stopped the wine cellar breach

Perfect Cabernet was saved for the Christmas feast.

By now a lot of computer security readers are asking themselves, “What does this have to do with me? I’m worried about real problems like my company’s future product plans, my customers’ financial data, etc.” Aaah, but the story could have a lot to do with you...

Well, someone may have convinced your company that managing privileged account passwords and recording sessions at a gateway or jump box would provide the ultimate protection, just like the home builder who sold the gated community to future homeowners on the protection provided by the guarded gate, perimeter wall and doorbell cameras. These measures do help protect their inhabitants, homes or computers, but in these dangerous times they are not enough; important gaps remain. It is easy to leap a fence, and just as easy to sidestep jump-box-based session recording by connecting to the server directly. We therefore can’t assume that all server access occurs through the jump box (the “front door”). We need to secure the hosts themselves against the threats that arise when servers are accessed directly, or when other security measures have failed and malware is already present on the host.


The Verizon Data Breach Investigations Report (DBIR) and others agree that attacks on privileged users are a current vector of choice, due in large part to those users’ access to valuable information. Securing these users’ credentials and monitoring their use is therefore of utmost importance. Gartner’s 2017 Privileged Access Management (PAM) Market Guide defines two types of solutions for addressing these risks. The first is privileged account and session management: in layman’s terms, vaulting and managing credentials and recording user sessions. In many initial implementations, session recording is achieved via a jump box and assumes that all privileged activity will traverse it. The second is privilege elevation and delegation management, which is essentially enforcing least privilege for users on the operating system. Note that Gartner specifies that privilege elevation is controlled by “host-based agents.” With Centrify’s implementation of host-based security, users have just enough privilege to do their job, and their activity is recorded regardless of how they reached the host. This safeguards against “leave-behinds” such as back doors or SSH keys left on the host. Furthermore, it can be bolstered with access requests and/or time-based access to enable a zero-trust model.

Centrify Infrastructure Services provides password vaulting, session monitoring at the gateway or on the host, and least-privilege enforcement on the host, combined with multi-factor authentication (MFA) at login or at privilege elevation. With this host-based security in place, the risk and potential damage are reduced no matter how the host is accessed.
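To make the “front door is not the only door” point concrete, here is an added example, written for this post and not Centrify’s code or any product feature, of the kind of host-side check a practitioner would want alongside gateway recording: it reads sshd and sudo lines from a host’s auth log, flags logins that did not arrive through the jump box, flags privilege elevation outside an allowed time window or by a user with no recorded jump-box session, and compares authorized_keys against an approved set to catch left-behind keys. The log lines, the jump box address 10.0.1.5, the 08:00–18:00 window and the key material are all constructed for the example.

```python
import re
from datetime import datetime, time

# Constructed sample syslog lines (not from the original post); a real
# deployment would read /var/log/auth.log or /var/log/secure on each host.
SAMPLE_LOG = """\
Dec 18 00:12:31 db01 sshd[4121]: Accepted publickey for deploy from 10.0.9.7 port 50122 ssh2: RSA SHA256:k7JzJ1
Dec 18 00:13:02 db01 sudo:   deploy : TTY=pts/1 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
Dec 18 09:05:10 db01 sshd[4200]: Accepted password for alice from 10.0.1.5 port 51000 ssh2
Dec 18 09:06:00 db01 sudo:   alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Dec 18 23:40:12 db01 sudo:    bob : TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/less /etc/shadow
"""

# Policy values are assumptions for this example: the only sanctioned path
# onto the host is the jump box, and elevation is allowed only in the window.
JUMP_HOSTS = {"10.0.1.5"}
ELEVATION_WINDOW = (time(8, 0), time(18, 0))

SSH_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")
SUDO_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")


def _clock(ts: str) -> time:
    # syslog timestamps carry no year; only the time of day matters here
    return datetime.strptime(ts.split()[-1], "%H:%M:%S").time()


def audit(log_text: str, jump_hosts=JUMP_HOSTS, window=ELEVATION_WINDOW):
    """Return (timestamp, user, description) findings for the given auth log text."""
    findings = []
    via_jump = {}  # user -> True if their most recent login came through the jump box
    start, end = window
    for line in log_text.splitlines():
        m = SSH_RE.match(line)
        if m:
            ts, _method, user, src = m.groups()
            via_jump[user] = src in jump_hosts
            if src not in jump_hosts:
                findings.append((ts, user, "direct login bypassing jump box from %s" % src))
            continue
        m = SUDO_RE.match(line)
        if m:
            ts, user, _target, cmd = m.groups()
            if not (start <= _clock(ts) <= end):
                findings.append((ts, user, "privilege elevation outside window: %s" % cmd))
            if not via_jump.get(user, False):
                findings.append((ts, user, "elevation by user with no recorded jump-box session"))
    return findings


# Constructed authorized_keys content; the second entry is a hypothetical
# "leave-behind" planted during a direct session. Only plain (option-less)
# entries are handled, which is enough to show the comparison.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleApprovedKey0000000000000000000001 alice@jump
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleUnknownKey00000000000000000000002 backdoor
"""
APPROVED_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIExampleApprovedKey0000000000000000000001"}


def unexpected_keys(authorized_keys_text: str, approved=APPROVED_KEYS):
    """Return authorized_keys entries whose key material is not in the approved set."""
    bad = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1] not in approved:
            bad.append(line)
    return bad


if __name__ == "__main__":
    for ts, user, what in audit(SAMPLE_LOG):
        print("%s %-8s %s" % (ts, user, what))
    for entry in unexpected_keys(SAMPLE_AUTHORIZED_KEYS):
        print("unapproved key:", entry)
```

On the sample data the audit reports deploy’s direct login and off-hours elevation, bob’s elevation with no login recorded at all (the in-law suite), and the planted key, while alice, who came in through the front door during the day, produces nothing. Running checks like these on the host is what lets you see the garage door, not just the camera on the porch.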


At the end of the day, the crafty neighbor did not trust that his house was secure: he limited lateral movement by controlling access to his basement, he required more than just the front door key to access his wine cellar, and he had cameras everywhere. That might be a little spooky in your home, but maybe his wine collection was something to behold, much like your company’s future product plans or customers’ financial information.

We don’t want to be the home builder who gave the neighborhood a false sense of security; we want you to be the crafty neighbor, and we provide the tools for you to be just that for your compute infrastructure.

Learn more about Centrify Solutions for Privileged Access Management.

This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.