Password Vaults Alone Are Not Enough to Stop the Breach

April 26, 2017

A recent Forrester study examined four levels of identity and access management (IAM) maturity and found a direct correlation between the number of privileged identity management (PIM) best practices implemented and the number of security incidents encountered by an organization.


Wait, Isn’t Privileged Identity Management == Password Vault?

Nope. Centrally controlling shared access to non-human accounts and automating periodic password rotation for shared accounts reduces risk, no doubt. It is a critical component of minimizing your attack surface and makes it harder for attackers to get into your environment (initial compromise); it is a best practice. However, you can do more, and you should. The Forrester study clearly shows that this (or any other single) best practice is only one piece of the overall puzzle that is complete privileged access security for the modern hybrid enterprise.

If you are relying on a password vault alone, the vault needs to mitigate the risks associated with granting full VPN access by granting secure remote access to a targeted set of infrastructure and removing the need to connect unsecured laptops to your network. It should control remote IT admin access, federated privileged access for outsourced IT, and other third-party access. And the solution should support your cloud migration strategy by seamlessly spanning your on-premises, private cloud and IaaS environments, including AWS, Google Cloud and Azure.

But to be secure, you need more than just a vault…

Only a Full PIM Solution Will Stop the Breach

Centrify’s Privileged Access Security solution helps stop breaches that abuse privilege at every point along the attack chain -- check out our demo videos to learn how Centrify Stops the Breach -- and that demands not only the password vault but a comprehensive set of capabilities that simplify the implementation of PIM best practices in four broader categories: establish identity assurance, limit lateral movement, institute least privilege, and audit and monitor. The vault is one crucial layer in your layered model for privileged access security.


We’ve recently delivered a plethora of new features that our customers use to minimize their attack surface and control privileged access in their hybrid enterprise. With Centrify, customers are now moving from static, long-lived privilege assignments to a just-in-time model where privilege is temporary and advanced monitoring detects and alerts in real-time on the creation of backdoor accounts that make it easy to bypass a password vault.

  1. Establish Identity Assurance: Centrify ensures accountability by having users log in as themselves and attributing all activity to the individual. Its advanced host-based auditing capabilities now include process-level monitoring in addition to the existing shell-based monitoring, so that all activity is attributed to the individual instead of to a shared account or alias. This new advanced monitoring adds a layer of security that is virtually impossible to spoof.
  2. Limit Lateral Movement: Centrify enables organizations to reduce the attack surface by governing privileged access and ensuring that a user’s privileges apply only on the approved server. Now you can require access approvals for role assignment and make those assignments short-lived. Centrify’s proven host-based privilege management ensures that the user’s approved privileges apply only to the target system and cannot be reused across the network on other computers. So if credentials are compromised, attackers and malware will not inherit the privileges that would let them wreak havoc within your network.
  3. Institute Least Privilege: Centrify now uniquely governs access to both privileged accounts and privilege elevation via roles, enabling organizations to implement true cross-platform least privilege. Centrify lowers the risk of a security breach by granting just-in-time and just-enough privilege through temporary, time-bound access that leverages request and approval workflows. Audit trails and compliance reporting now include who has access, who approved that access, and how that access was used across privileged accounts and privileged roles.
  4. Monitor Privileged Use: Centrify now monitors for the creation of backdoors whose existence makes privileged access to infrastructure convenient instead of secure. Its advanced monitoring capabilities detect this growing class of threat and alert in real time, through SIEM integration, on the rogue creation of SSH keys that grant privileged access bypassing the password vault.
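The fourth item is the one most worth seeing in code: a key pasted into a user's authorized_keys file by hand gives a persistent login that never touches the vault, so the detection has to compare what is actually on the host against what the vault or approval workflow issued. The script below is an added example written for this page, not Centrify's code or any part of its product. It assumes a conventional home-directory layout (`<root>/<user>/.ssh/authorized_keys`), that the vault can export the fingerprints it issued per user, and it uses placeholder vendor and signature IDs in the CEF line it emits for a SIEM. The sample keys are constructed blobs, not real key material; OpenSSH fingerprints only hash the decoded blob, so the arithmetic is the same as `ssh-keygen -lf` on a real key.

```python
"""Flag SSH authorized_keys entries that the vault did not issue (example, not product code)."""
import base64
import hashlib
import os
import tempfile

# Key-type tokens that mark the start of the key blob on an authorized_keys line.
# Anything before this token is an options string (from=, command=, no-pty, ...).
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")


def parse_authorized_key(line):
    """Return (options, key_type, fingerprint, comment) or None for blank/comment/junk lines.

    Fingerprint is OpenSSH's SHA256 form: base64(sha256(blob)) without '=' padding,
    so it matches `ssh-keygen -lf` output and can be compared to what the vault exported.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        return None
    options = " ".join(tokens[:idx])          # assumption: no key-type word inside a quoted option
    key_type, b64blob = tokens[idx], tokens[idx + 1]
    comment = " ".join(tokens[idx + 2:])
    try:
        blob = base64.b64decode(b64blob, validate=True)
    except ValueError:                         # binascii.Error is a ValueError subclass
        return None
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return options, key_type, fp, comment


def find_unapproved_keys(host, keys_by_user, approved_fingerprints):
    """keys_by_user: {user: [authorized_keys lines found on `host`]}.
    approved_fingerprints: {user: {fingerprints the vault issued for that user}}.
    Every key present on the host but unknown to the vault is a potential backdoor."""
    alerts = []
    for user, lines in keys_by_user.items():
        allowed = approved_fingerprints.get(user, set())
        for line in lines:
            parsed = parse_authorized_key(line)
            if parsed is None:
                continue
            options, key_type, fp, comment = parsed
            if fp not in allowed:
                alerts.append({"host": host, "user": user, "key_type": key_type,
                               "fingerprint": fp, "comment": comment, "options": options})
    return alerts


def _cef_escape(value):
    # CEF extension values must escape backslash and '=' in that order.
    return str(value).replace("\\", "\\\\").replace("=", "\\=")


def to_cef(alert):
    """Render an alert as a CEF line for SIEM ingestion. Vendor/product/signature IDs are placeholders."""
    fields = (("dvchost", alert["host"]), ("suser", alert["user"]),
              ("cs1Label", "fingerprint"), ("cs1", alert["fingerprint"]),
              ("cs2Label", "keyComment"), ("cs2", alert["comment"] or "-"))
    ext = " ".join(f"{k}={_cef_escape(v)}" for k, v in fields)
    return f"CEF:0|ExampleCorp|pim-monitor|1.0|1001|Unapproved SSH key in authorized_keys|8|{ext}"


def scan_home_dirs(root):
    """Collect authorized_keys lines from <root>/<user>/.ssh/authorized_keys (assumed layout)."""
    found = {}
    for user in sorted(os.listdir(root)):
        path = os.path.join(root, user, ".ssh", "authorized_keys")
        if os.path.isfile(path):
            with open(path) as fh:
                found[user] = fh.read().splitlines()
    return found


def fake_key(key_type, seed):
    """Constructed key line for the demo; the blob is arbitrary bytes, not a real key."""
    return f"{key_type} {base64.b64encode(seed).decode()}"


# Constructed sample data: one vault-issued key for alice, one hand-pasted backdoor.
APPROVED_LINE = fake_key("ssh-ed25519", b"vault-issued-key-for-alice") + " alice@vault"
BACKDOOR_LINE = fake_key("ssh-rsa", b"key-pasted-in-by-hand") + " contractor-laptop"


def demo():
    """Build a throwaway home tree, scan it against the vault's export, return the alerts."""
    with tempfile.TemporaryDirectory() as root:
        for user, lines in {"alice": [APPROVED_LINE, "# rotated 2017-04", BACKDOOR_LINE],
                            "bob": ['from="10.0.0.0/8",no-pty ' + fake_key("ssh-ed25519", b"bob-key")]}.items():
            os.makedirs(os.path.join(root, user, ".ssh"))
            with open(os.path.join(root, user, ".ssh", "authorized_keys"), "w") as fh:
                fh.write("\n".join(lines) + "\n")
        approved = {"alice": {parse_authorized_key(APPROVED_LINE)[2]}}   # bob has no vault-issued key
        return find_unapproved_keys("web01", scan_home_dirs(root), approved)


if __name__ == "__main__":
    for alert in demo():
        print(to_cef(alert))
```

Run as a cron job or from a config-management agent, the same comparison also catches keys that were approved once but never removed after the engagement ended, which is the other way a "temporary" access quietly becomes permanent.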

These new capabilities extend Centrify’s privileged access security services and help organizations increase their IAM maturity level and security posture to stop the breach. According to the Forrester study, organizations that reach the highest levels on the maturity scale are 50 percent less susceptible to being breached. In addition, these organizations save 40 percent in security costs over their less mature counterparts, and spend five million less in breach costs.

Most vendors center their PIM solutions around a password vault, requiring you to add and integrate point products alongside it to cover your best-practice bases. The result is a cobbled-together solution that leaves gaps in security and increases the risk to your business. We’ve closed those gaps with an integrated privileged access security solution that combines password vaulting with brokering of identities, MFA enforcement, and just-in-time and just-enough privilege, all while securing remote access and monitoring all privileged sessions.

Learn more about Centrify’s privileged access security solution.

This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.