Solving the Achilles’ Heel of Password Vaulting with the Centrify Client

July 23, 2020

Assuring high availability of computers, applications, and services to keep the business running is one of the many tasks of information technology (IT).

That job is hard enough when confined to a single data center. However, it’s getting much harder now, with cloud migration and data transformation projects in full swing. IT is becoming more fragmented, spreading systems and business logic across multiple containers, in multiple VPCs, even across multiple clouds. In fact, Gartner predicts that by 2021, over 75% of midsize and large organizations will have adopted a multi-cloud or hybrid IT strategy [1].

If your responsibilities include IT system and application availability, please read on to learn how a modern password vault can materially help you achieve that goal.

The Achilles' Heel

Ostensibly, the job of a password vault is pretty simple. It stores privileged account passwords and controls who can access them. The main use cases are remote system login and emergency break-glass password checkout when things go wrong.

A less visible piece of “vault plumbing” is password management. In its rudimentary form it contributes little to your goal of high availability; in its more advanced form it helps considerably.

In its basic form, the vault schedules bulk password rotations: for example, logging in to each system to change local account passwords every 24 hours or so. Scheduled rotation is not primarily aimed at improving availability, though. It’s more of a risk-reduction exercise: each rotation replaces the password with a new, long, random one that is hard to guess or crack, and it limits how long a stolen or cracked password remains useful to an attacker.

Password Reconciliation

Should a hacker (or a misguided internal IT admin) change any of these passwords between scheduled rotations, however, the vault’s copy no longer matches the account, and stakeholders such as the following will fail to authenticate, resulting in a loss of availability:

  • A systems admin can no longer log in to a computer with the vaulted password to triage a system outage.
  • An Electronic Medical System application can’t authenticate to a database to obtain patient data for a doctor at the point of care.
  • A collection of containerized microservices that make up a banking service can’t talk to each other to process a banking transaction.

Client-Based Sync

Centrify Privileged Access Service includes a more advanced capability that does treat availability as a core problem. We call this Client-based Password Reconciliation. Before the vault hands over a password or establishes a remote login session, a client running on the target system proactively checks that the local account password still matches the one stored in the vault. If the two are out of sync, the client reports this to the vault. The vault reconciles the situation by instructing the client to reset the local account password so that it matches the vault’s record. The vault is once again the source of truth, and only now does it deliver the password to the stakeholder.

The benefits of a client-based reconciliation approach over-and-above standard scheduled rotation include:

  • Increased Availability: Reconciling out-of-sync passwords in real time ensures that stakeholders, human or machine, authenticate successfully. The client can also reconcile locked-out accounts (e.g., locked by an attacker’s repeated failed login attempts) to further ensure availability.
  • Reduced Risk: Scheduled rotation requires the vault to log in with additional “privileged master accounts” in order to rotate passwords. The client-based approach doesn’t rely on these accounts: because the client already runs on the system, the vault needs no standing remote administrative credential for that box. This reduces the overall number of privileged accounts and supports a Zero Standing Privileges posture.
  • Improved Operational Efficiency: Less IT overhead spent recovering from availability-related outages. Also, with scheduled rotation, an attacker who changes a master privileged account’s password paralyzes the vault’s ability to rotate passwords on that system; IT must then log in to each affected system, manually reset the master account password, and then manually update the vault. The client-based approach avoids all of this.
  • Single Source of Truth: Stakeholders must be able to rely upon the vault as the source of truth for account passwords. The client-based approach ensures that vaulted account passwords are valid at the moment they are handed out.
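The reconciliation flow described in the Client-Based Sync section, together with the locked-account case from the Increased Availability bullet, as an added example that is not Centrify’s code and does not describe the product’s internals: a toy model in Python in which the vault, the managed host, and the on-host client are simulated in one process. The host names, account names, sample passwords, and the three-strike lockout policy are all constructed for illustration.

```python
"""Toy model of client-based password reconciliation (constructed example, not
Centrify's implementation): vault, managed host and on-host client in one process."""
import hashlib
import secrets
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 3  # assumed local policy: lock after 3 bad logins

def _hash(password: str, salt: bytes) -> bytes:
    # 10_000 rounds is deliberately low so the toy runs fast
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

@dataclass
class LocalAccount:
    """Local OS account as the host stores it: salted hash plus lockout state."""
    salt: bytes
    digest: bytes
    failed: int = 0
    locked: bool = False

class Host:
    """The managed system; set_password/unlock stand in for root-only operations."""

    def __init__(self):
        self.accounts = {}

    def authenticate(self, name: str, password: str) -> str:
        """Return 'OK', 'BAD_PASSWORD' or 'LOCKED'; bad attempts count toward lockout."""
        acct = self.accounts[name]
        if acct.locked:
            return "LOCKED"
        if secrets.compare_digest(acct.digest, _hash(password, acct.salt)):
            acct.failed = 0
            return "OK"
        acct.failed += 1
        acct.locked = acct.failed >= LOCKOUT_THRESHOLD
        return "BAD_PASSWORD"

    def set_password(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)  # fresh account state, so this also clears any lockout
        self.accounts[name] = LocalAccount(salt, _hash(password, salt))

    def unlock(self, name: str) -> None:
        self.accounts[name].failed, self.accounts[name].locked = 0, False

class Client:
    """Agent on the host, already running with local privilege, so the vault
    needs no separate 'master' login account on this box."""

    def __init__(self, host: Host):
        self.host = host

    def verify(self, account: str, password: str) -> str:
        return self.host.authenticate(account, password)

    def set_password(self, account: str, password: str) -> None:
        self.host.set_password(account, password)

    def unlock(self, account: str) -> None:
        self.host.unlock(account)

class Vault:
    """Holds the password of record; releases it only once the client confirms it works."""

    def __init__(self):
        self.store = {}  # (host_id, account) -> password
        self.audit = []

    def checkout(self, host_id: str, account: str, client: Client) -> str:
        pw = self.store[(host_id, account)]
        status = client.verify(account, pw)
        if status == "LOCKED":  # e.g. an attacker's repeated failed logins
            client.unlock(account)
            status = client.verify(account, pw)
        if status == "BAD_PASSWORD":  # changed behind the vault's back
            self.audit.append(f"out-of-sync {account}@{host_id}")
            pw = self.store[(host_id, account)] = secrets.token_urlsafe(24)
            client.set_password(account, pw)  # vault is the source of truth again
            status = client.verify(account, pw)
        self.audit.append(f"checkout {account}@{host_id}: {status}")
        return pw

def demo() -> dict:
    """Three checkouts against one host: in sync, out of sync, locked out."""
    host, vault = Host(), Vault()
    client = Client(host)
    initial = "Sp0tted-Owl!"  # constructed sample password
    host.set_password("svc_emr", initial)
    vault.store[("db01", "svc_emr")] = initial
    in_sync = vault.checkout("db01", "svc_emr", client)
    host.set_password("svc_emr", "rogue-change")  # admin or attacker bypasses the vault
    reconciled = vault.checkout("db01", "svc_emr", client)
    for _ in range(LOCKOUT_THRESHOLD):  # brute-force attempts lock the account
        host.authenticate("svc_emr", "guess")
    after_lockout = vault.checkout("db01", "svc_emr", client)
    return {"in_sync": in_sync, "reconciled": reconciled,
            "after_lockout": after_lockout, "host": host, "vault": vault}
```

Running `demo()` produces an audit trail of three checkouts: the first succeeds as-is, the second is flagged out-of-sync and repaired before the password is released, and the third clears a lockout. Two points worth noting from the model: the verification step is itself a login attempt, so on a host where the password has been changed it consumes one failed attempt against the lockout counter, and the on-host client is a privileged local component, so its integrity (who can talk to it, and how it authenticates the vault) becomes the thing to protect.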

In this blog, I wanted to highlight some of the hidden gems of password vaulting. I hope it helped you appreciate benefits that go beyond the basic “vaulting,” with password management capabilities that can materially improve availability of your business systems.

Please visit our website for more information about Centrify Privileged Access Service. You can also download our complimentary white paper, Implement Password Reconciliation to Ensure Business Application Availability.

[1] Gartner: “Predicts 2019: Increasing Reliance on Cloud Computing Transforms IT and Business Practices,” Yefim Natis, David Smith, Ed Anderson, Sid Nag, Neville Cannon, Rene Buest, 13 December 2018.