Most modern cyberattacks, including credential theft, authentication bypass, impersonation and session hijacking, are tied to identity security. Perimeter-only defenses, where protecting the "front door" was considered sufficient, are no longer effective: an attacker holding valid credentials is already inside.
Many organizations still lack maturity in core privileged access management (PAM) practices such as discovering and inventorying all privileged access and applying consistent controls based on defined PAM policies and standards. Security products are also frequently deployed in silos with no integration between them. SailPoint's PAM integrations centralize the provisioning of privileged accounts and access, which removes those silos and introduces consistency.
Beyond core PAM: The need for lifecycle management
Even with a strong core PAM program covering policy, discovery, inventory and credential management, leaving PAM unconnected to SailPoint leaves a significant gap. A PAM solution manages and protects privileged credentials (vaulting, rotation and checkout), but it cannot judge whether the accounts holding those credentials should have the permissions they have. Integrating PAM with SailPoint closes that gap by governing the lifecycle of the identities and the access behind those accounts.
The SailPoint PAM integration modules automate lifecycle management for privileged user accounts and their corresponding access. The modules can create local users, enable or disable them, and add or remove them from local groups. Users defined outside the PAM product (for example, directory users) can likewise be added to or removed from local groups, or disabled on the PAM system. Customers that manage PAM access through Active Directory groups can usually rely on the PAM product's own tools to synchronize those AD groups and group memberships to the local system.
Two other significant advantages of integrating a PAM solution with SailPoint are:
- Enforcing role-based access control (RBAC) and least privilege as part of identity provisioning, so that accounts receive only the access their purpose requires and nothing more.
- Centralizing and automating regular access certifications of privileged user accounts throughout their lifetime to prevent the accumulation of unnecessary access.
Emerging security challenge of non-human identities
Although organizations have made progress securing human identities, many have overlooked the growing risk posed by non-human identities (NHIs), such as service and machine accounts. By some estimates, NHIs outnumber human identities by as much as 50:1, yet they often fall outside traditional governance structures, making them an attractive target for attackers.
SailPoint addresses this need with Machine Identity Security (MIS). In SailPoint terminology an NHI is a machine identity, and the accounts it holds on integrated applications are machine accounts. MIS manages both, and can classify the different types of machine accounts, correlate machine accounts to the machine identity they belong to, and certify machine identities and machine accounts together with their corresponding access.
For most customers, machine accounts are excluded from the governance program: they are created ad hoc, fall outside standard operating procedures, follow inconsistent naming conventions and are spread across many systems. The result is accounts with no defined owner and no classification, which makes them hard to govern. The best practice is to assign account ownership in the application that hosts the account; ownership can also be assigned in SailPoint. SailPoint can additionally classify accounts by type (for example, service account or privileged user account).
Mitigating risks
A common misconception is that service accounts cannot be used interactively; in practice, most machine accounts can be logged into directly by a threat actor once their credentials are compromised. Because machine accounts often carry elevated privileges and frequently rely on static, plaintext passwords embedded in scripts, applications and cloud environments, they present a significant risk if left unmanaged. A single compromised machine account can allow an attacker to move across an organization's systems undetected.
To mitigate these risks, organizations must extend the same scrutiny to machine identities and machine accounts that they apply to human identities and accounts. Waiting to act until a breach or audit finding may be too late. Mature identity environments integrate SailPoint with PAM, combining lifecycle management with credential protection to strengthen resilience against privileged access threats. SailPoint's MIS adds the visibility and management needed to run regular access certifications of machine identities and machine accounts.
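The ownership, classification and correlation gaps described under "Emerging security challenge of non-human identities" above, and the interactive-logon and static-password risks in this paragraph, can be made concrete with a small triage script run over an account inventory. The following is an added example written for this article; it is not SailPoint, MIS or any PAM vendor's code. The privileged group names, naming-convention prefixes, machine-identity register and the four-account inventory are constructed assumptions, and the classification heuristics are illustrative rather than how SailPoint classifies accounts.

```python
# Added illustrative example: triage of a machine-account inventory for the
# governance gaps described above. This is not SailPoint, MIS or any PAM vendor
# code. Group names, naming-convention prefixes, the machine-identity register
# and the inventory itself are constructed assumptions for the example.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

PRIVILEGED_GROUPS = {"Domain Admins", "Server Operators", "Backup Operators"}  # assumed
SERVICE_NAME_PREFIXES = ("svc_", "svc-", "sa_")  # assumed naming convention
# Assumed machine-identity register: workload name -> accountable owning team.
MACHINE_IDENTITIES: Dict[str, str] = {
    "payroll-batch": "finance-platform-team",
    "backup-agent": "infra-ops",
}


@dataclass(frozen=True)
class Account:
    name: str
    description: str                        # free text, may name the workload served
    groups: FrozenSet[str]
    owner: Optional[str]                    # owner set in the hosting application, if any
    password_never_expires: bool            # proxy for a static credential
    last_interactive_logon: Optional[str]   # ISO date of last interactive logon, if any


def classify(acct: Account) -> str:
    """Heuristic account type: 'service', 'privileged user' or 'user'."""
    if acct.name.startswith(SERVICE_NAME_PREFIXES) or acct.name.endswith("$"):
        return "service"
    if acct.groups & PRIVILEGED_GROUPS:
        return "privileged user"
    return "user"


def correlate(acct: Account) -> Optional[str]:
    """Link a machine account to a machine identity by the workload named in its description."""
    text = acct.description.lower()
    for identity in MACHINE_IDENTITIES:
        if identity in text:
            return identity
    return None


def effective_owner(acct: Account) -> Optional[str]:
    """Owner recorded on the account wins; otherwise inherit the machine identity's owner."""
    if acct.owner:
        return acct.owner
    identity = correlate(acct)
    return MACHINE_IDENTITIES.get(identity) if identity else None


def findings(acct: Account) -> List[str]:
    """Gaps a certification reviewer would want surfaced for this account."""
    gaps: List[str] = []
    if classify(acct) == "service":
        if correlate(acct) is None:
            gaps.append("no machine identity")
        if effective_owner(acct) is None:
            gaps.append("no owner")
        if acct.last_interactive_logon:
            gaps.append("interactive logon observed")
        if acct.password_never_expires:
            gaps.append("static password")
    if acct.groups & PRIVILEGED_GROUPS:
        gaps.append("privileged group membership")
    return gaps


def triage(accounts: List[Account]) -> Dict[str, Tuple[str, Optional[str], List[str]]]:
    """Per account name: (type, correlated machine identity, findings)."""
    return {a.name: (classify(a), correlate(a), findings(a)) for a in accounts}


# Constructed sample inventory, shaped like a normalised directory export.
SAMPLE_INVENTORY = [
    Account("svc_payroll", "Payroll-batch nightly job", frozenset({"Domain Users"}),
            None, True, None),
    Account("svc_legacy_etl", "created 2014 by contractor",
            frozenset({"Domain Users", "Domain Admins"}), None, True, "2024-11-03"),
    Account("BKP01$", "Backup-agent host", frozenset({"Backup Operators"}),
            "infra-ops", False, None),
    Account("j.doe", "Jane Doe, DBA", frozenset({"Domain Users", "Server Operators"}),
            None, False, "2025-01-10"),
]

if __name__ == "__main__":
    for name, (kind, identity, gaps) in triage(SAMPLE_INVENTORY).items():
        print(f"{name:16} {kind:16} identity={identity or '-':14} gaps={gaps}")
```

Run as a script it prints one line per account. The interesting case is `svc_legacy_etl`: it matches no machine identity, has no owner to inherit, has been logged into interactively, never rotates its password and sits in Domain Admins, which is exactly the account profile the paragraph above warns about. In a real deployment the inventory would come from directory and PAM connectors rather than an inline list, and each finding would feed an ownership assignment or a certification item rather than a print statement.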
To learn more about our SailPoint consulting services, contact us.