Password vaults are used to store (shared) passwords for privileged accounts and are a critical part of traditional privileged account and session management (PASM) systems. With PASM, access to root and other privileged accounts is brokered for human users, services, and applications. From there, privileged session management functions establish sessions via credential injection, so the user never sees the underlying password. In addition to vaulting account credentials, PASM enables full session recording at the vault/gateway level.
Vaults reduce the risk of privileged credentials being abused by internal or external threat actors and may include additional security features such as scheduled password rotation and a workflow-based access request and approval mechanism to support a just-in-time access model. PASM, however, is only one piece of the privileged access management (PAM) puzzle. By requiring users to log into a vault and check out passwords, organizations risk slowing users down. As a result, users with administrator-level privileges often look for ways to circumvent the check-out process, which can endanger security. For example, creating an SSH backdoor key may make logging in faster, but it does so at the expense of the controls that lock down access.
While password vaults are a good start, they are only one part of an effective PAM strategy. Adopting only a password vault neglects the advantages of also utilizing privilege elevation and delegation management (PEDM). With PEDM, specific privileges are granted on the managed system by host-based agents to logged-in privileged users. This approach includes host-based command control (filtering) and privilege elevation, with privileges only being granted for a short time period. By combining vaulting and PEDM in a comprehensive approach to PAM, organizations can keep their most sensitive credentials safe from abuse and reduce their cyber risk exposure.
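As an added illustration of the host-based command control and short-lived elevation described above (this is example configuration written for this page, not from any vendor's PEDM product), the following sudoers fragment contrasts a blanket grant with a filtered, time-bounded one. The user name `dbadmin`, the group name `dba`, and the paths to the service scripts are assumed placeholders.

```sudoers
# Weak: unrestricted elevation with a long cached-credential window.
# Any command can be run as root, and a single authentication is reused for an hour.
Defaults:dbadmin timestamp_timeout=60
dbadmin ALL=(root) ALL

# Hardened, PEDM-style: only the commands the role needs, re-authentication after 5 minutes,
# and no editor or shell escapes from the permitted programs.
Defaults:%dba timestamp_timeout=5
Defaults:%dba noexec
Cmnd_Alias DBA_SERVICE = /usr/bin/systemctl restart postgresql, \
                         /usr/bin/systemctl status postgresql
Cmnd_Alias DBA_LOGS    = /usr/bin/tail -f /var/log/postgresql/postgresql.log
%dba ALL=(root) DBA_SERVICE, DBA_LOGS
```

The second block is what host-based command filtering looks like in practice: the agent (here, sudo itself) grants root only for enumerated commands, `noexec` prevents those commands from spawning an interactive shell, and the short `timestamp_timeout` keeps the elevation window brief, so the user's own account never holds a standing root credential that would need to be vaulted. Validate any edit with `visudo -c` before deploying it.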