The Myth of Shared Account Password Management (SAPM)

In a response to the OPM breach and Tony Scott’s 30-day sprint, many agencies invested in a SAPM solution to manage their privileged users. Unfortunately this does not meet the measure of the requirement of HSPD-12 and multi-factor authentication (MFA) everywhere and the CDM authentication and credential requirements. The reality is that SAPM solutions only cover 5%-10% of the problem. The need for a true Super User Privileged Management (SUPM) is the only way to ensure that everyone in every organization is using a smart card (CAC/PIV) and a PIN, plus a third level of authentication to access all resources. SAPM tools are used by a select few on a select number of assets. This leaves the majority of the organization’s associates and assets open to a breach. This is very dangerous since every organization has a diverse number of heterogeneous resources that the entire organization uses to accomplish the mission. The result is risky behavior that has led to the breaches we have seen in the past.

This is where a single architecture platform that leverages an already existing repository of roles to access every resource in the organization makes sense. Employing such a solution will increase productivity in the most secure compliant manner using MFA everywhere in a very cost effective manner. In order for an organization to achieve true accountability for what resources are accessed by which users, the agency associates must access those resources as themselves, not as “Admin” or “Root.” In today’s environment anonymous access increases an agency’s risk surface tremendously. Having the ability to leverage a SUPM solution using a PIV or CAC card and a PIN, plus a third factor of authentication to support HSPD -12, MFA everywhere and CDM authentication and credential requirement will meet the mark.

smartcard

Employing just a SAPM tool is akin to putting a screen door on a submarine. It is time for federal government leaders to grasp that shared account password solutions do not meet the measure of HSPD-12 and multi-factor authentication (MFA) everywhere, or the CDM authentication and credential requirements. They must understand that having 5% of their agencies associates leveraging a root password vault solution to checkout passwords is like putting a band-aid on their risk surface area. They need to ensure that ALL agency associates leverage their PIV or CAC card, a pin to employ a “something you have and something you know” access process, coupled with a third method of authentication to ensure they are who they say they are — to reduce the cyber data breach threat that has caused millions of dollars and threatened the security of millions of people. It is time to dismiss the myth that shared account password management solutions are the answer to our cybersecurity problems.

Click here to read our white paper on Best Practices for Privileged Identity Management in the Modern Enterprise.