Password security plays a fundamental role in Identity and Access Management (IAM). The easiest way for cybercriminals to breach an enterprise network is to obtain a set of legitimate login credentials. This allows them to bypass firewalls, intrusion detection systems and other technical security solutions. Once inside, they can remain undetected for extended periods of time.
From proprietary IAM solutions offered natively through cloud providers to provisioning software and identity repositories, there’s no shortage of IAM tools on the market. There are so many tools that even tech companies may be uncertain as to which one(s) they need.
In the end, most IAM solutions fall into one of three categories: Single Sign-On (SSO), Privileged Access Management (PAM) and Enterprise Password Management (EPM). In this blog, we’ll explain what each of these solutions does, examine their pros and cons and outline typical use cases.
What is Identity and Access Management?
Identity and Access Management is an umbrella term for the policies, procedures, controls and technological tools an organization puts in place to manage its users' digital identities and to control their access to networks, applications and data. That makes IAM a fundamental part of Defense-in-Depth (DiD), a multi-layered approach to cybersecurity in which each layer addresses a different class of threat, so that if one layer fails, another layer still stands in the threat actor's way.
The Purpose of Single Sign-On
Single Sign-On (SSO) allows end users to log in to multiple websites or cloud applications using one set of login credentials. SSO is session based: once a user authenticates to the SSO provider (the identity provider), they are not prompted to log in again to any connected application for the life of that session. It is used by both individuals and businesses.
Most people have seen SSO in action when using their Google, LinkedIn, Twitter or Facebook credentials to log in to a third-party website or application. Enterprise SSO services use protocols such as Kerberos, SAML or OpenID Connect (which is built on OAuth 2.0). There are also smart card-based SSO systems that require users to present a card, such as the Department of Defense's Common Access Card (CAC), which carries the user's certificates and private keys rather than a password.
SSO Advantages and Disadvantages
The biggest advantage of SSO is user convenience. Instead of having to remember multiple passwords, users only need to memorize one. Once logged into the SSO solution, users can access multiple sites and apps without having to re-enter their login credentials during that session. This enhances productivity and minimizes IT help desk tickets for forgotten passwords.
However, SSO is not a silver bullet. All of that convenience comes with security risks, particularly if the SSO traffic isn't encrypted, its assertions aren't signed, or the SSO login isn't augmented with additional controls such as Two-Factor Authentication (2FA). SSO only authenticates users to systems; it does not govern what a user may do inside the target application. If the user forgets their password, they're locked out of multiple sites and apps instead of just one. Conversely, if a cybercriminal steals that one password, they can access every connected system instead of just one. SSO also doesn't prevent employees from reusing their workplace password for personal accounts.
SSO does not solve all of the productivity issues with passwords either. Some apps and systems may not support the protocol your identity provider uses, or SSO at all, which leaves serious security gaps. If your identity provider only speaks SAML and an app your employees need supports only OpenID Connect, that app sits outside your SSO. Employees will have to separately track passwords for sites and apps that don't support it. Moreover, SSO does not protect mission-critical non-password credentials such as cloud infrastructure secrets, API keys, SSH keys and digital certificates.
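The session model described above, as an added example that is not part of the original post or of any Keeper product: one identity provider (IdP) authenticates the user once, then mints a short-lived, signed assertion for each connected service provider (SP), and each SP checks signature, expiry and audience before trusting it. The app names, shared key, lifetimes and token layout are assumptions for the illustration; real deployments use SAML or OpenID Connect with public-key signatures rather than this HMAC sketch.

```python
"""Minimal SSO-style assertion flow (added illustration, not a real product's
protocol). The IdP signs claims for a named audience; each SP accepts only
assertions minted for it that have not expired."""
import base64
import hashlib
import hmac
import json
import time

# Constructed key shared by the IdP and its SPs for this example only.
IDP_SIGNING_KEY = b"constructed-idp-key-for-illustration-only"

# Constructed set of applications behind the SSO.
CONNECTED_APPS = ("mail", "crm", "wiki")


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(subject: str, audience: str, ttl: int = 3600, now=None) -> str:
    """IdP side. Called after the ONE primary login; the user is not prompted again."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = _b64url(hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def validate_assertion(token: str, expected_audience: str, now=None):
    """SP side. Returns the claims dict if this app may trust the token,
    otherwise a short string naming the first failed check."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        presented = _unb64url(sig)
    except ValueError:  # wrong number of parts or undecodable signature
        return "malformed"
    # Verify the signature before parsing anything the token carries.
    expected = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(presented, expected):
        return "bad signature"
    claims = json.loads(_unb64url(body))  # safe to parse: content is IdP-signed
    if claims["exp"] <= now:
        return "expired"
    if claims["aud"] != expected_audience:
        return "wrong audience"  # an assertion minted for mail must not open crm
    return claims


def sso_login(subject: str, now=None) -> dict:
    """One primary login yields an assertion per app and each SP validates its
    own. This is the convenience the post describes, and also why one stolen
    primary credential reaches every connected app."""
    tokens = {app: issue_assertion(subject, app, now=now) for app in CONNECTED_APPS}
    return {app: validate_assertion(tok, app, now=now)["sub"] for app, tok in tokens.items()}
```

The audience check is the detail most often skipped in home-grown SSO: SAML carries it in the Audience element and OpenID Connect in the `aud` claim, and without it an assertion captured from one low-value app can be replayed against a higher-value one. `hmac.compare_digest` keeps the signature comparison constant-time.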
SSO typical use case
Cloud-first or cloud-only businesses with users who need to access a known and finite number of applications, such as companies that use the Microsoft 365 ecosystem.
The Purpose of Privileged Access Management
Privileged Access Management (PAM) is used to restrict and monitor access to an organization's most critical and sensitive systems. Privileged users are typically IT and security admins, C-level executives and other high-level individuals, along with the service and machine accounts those systems run under.
In addition to reducing privileged credentials' exposure to theft, PAM systems prevent users from misusing the access they do have. Typical features of a PAM system include password vaulting, session logging and tracking, password rotation, 2FA, and automated provisioning and de-provisioning.
PAM Advantages and Disadvantages
Unlike SSO, which only authenticates users to applications, PAM enables granular permissions and Role-Based Access Control (RBAC). It generates comprehensive reports and audit trails to enhance security, supports stringent IT compliance standards and alerts administrators to suspicious behavior that might indicate misuse or a stolen password.
However, traditional PAM platforms are highly complex, costly to set up and require substantial time, money and expertise to maintain by on-premises staff. They are not a realistic option for budget-minded SMBs. Additionally, traditional PAM solutions are not meant to provide comprehensive identity and access management for the entire organization; they are designed to secure only a subset of credentials belonging to a small number of high-level employees.
PAM typical use case
Large enterprises or multinationals with substantial budgets and in-house IT resources, especially businesses operating in high-risk industries, such as finance, that are subject to very strict regulations and IT compliance mandates.
The Purpose of Enterprise Password Management (EPM)
A password manager is a software application that allows users to securely store all of their login credentials in one centralized, private, encrypted vault. Similar to SSO, users memorize only one master password, which is used to unlock all of the credentials stored in their vault. Because they store and fill the credential itself rather than relying on the target to support a federation protocol, password managers work with virtually any website, application or system, and include additional features such as strong password generators and password autofill.
Robust password managers also provide advanced features such as support for 2FA; secure storage of other confidential information such as access credentials, metadata, documents and media files; the ability to share records with family, friends and colleagues; and a warning for users if they are duplicating passwords across multiple accounts.
EPM Advantages and Disadvantages
Password managers are cost-effective, easy to set up and maintain, and easy to use, even by non-technical employees. They simplify and enforce password best practices, such as strong passwords and not reusing passwords across multiple websites and applications. Organizations also gain visibility into employee password practices and can enforce requirements.
However, like any cybersecurity product, password managers aren’t a solve-all solution. Employees must use a strong master password to ensure their vault is secure. For the best protection, they should be paired with 2FA, RBAC and other security measures, such as dark web monitoring.
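The vault mechanics behind the two sections above, as an added example that is not the original post's or Keeper's code: a slow, salted KDF turns the master password into the vault key, a stored verifier lets the client confirm the master password without ever storing the password or the key, the unlocked records are scanned for the duplicate-password warning, and new passwords come from a CSPRNG. The KDF choice, iteration count, labels and sample records are assumptions for the illustration. It also shows why the master password remains the weak point: the KDF only raises the cost of each guess, it cannot rescue a guessable password.

```python
"""Core mechanics of a password manager vault (added illustration, not a
product's implementation). The master password is used only to derive the
vault key on the client and is never stored anywhere."""
import hashlib
import hmac
import secrets
import string
from collections import defaultdict

# PBKDF2-HMAC-SHA256 with a high iteration count (assumed here; memory-hard
# KDFs such as Argon2 are preferable but are not in the standard library).
KDF_ITERATIONS = 600_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """The only place the master password is used; the key lives in memory
    only while the vault is unlocked."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def make_verifier(key: bytes) -> bytes:
    """Stored next to the salt. Someone holding salt + verifier can only test
    guesses at the KDF's cost, which is the point of using a slow KDF."""
    return hmac.new(key, b"vault-key-verifier", hashlib.sha256).digest()


def unlock(master_password: str, salt: bytes, verifier: bytes, iterations: int = KDF_ITERATIONS):
    """Returns the vault key on success, None on a wrong master password."""
    key = derive_vault_key(master_password, salt, iterations)
    return key if hmac.compare_digest(make_verifier(key), verifier) else None


def find_reused_passwords(records):
    """The duplicate-password warning: lists the sites sharing each reused
    password. It must run on decrypted records, so only the client can do it."""
    sites_by_password = defaultdict(list)
    for record in records:
        sites_by_password[record["password"]].append(record["site"])
    return sorted(sorted(sites) for sites in sites_by_password.values() if len(sites) > 1)


def generate_password(length: int = 20) -> str:
    """CSPRNG-backed generator that guarantees all four character classes."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


# Constructed sample vault contents for the example.
SAMPLE_RECORDS = [
    {"site": "mail.example", "password": "Winter2023!"},
    {"site": "crm.example", "password": "Winter2023!"},
    {"site": "wiki.example", "password": "k9$Tq2!vLm#Rx7Wb&Zp4"},
    {"site": "vpn.example", "password": "Winter2023!"},
]
```

Two design points worth noting: the verifier is derived from the key, not the password, so a leaked vault file yields nothing cheaper than a full KDF run per guess; and reuse detection happens after unlock, so a vault that is synced or backed up in encrypted form cannot perform it server-side.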
EPM typical use case
Password managers are a particularly good solution for SMBs that don’t have large IT budgets or extensive, in-house security expertise. However, the largest enterprises also benefit from using password managers. They can be used alongside SSO, PAM and other IAM and security solutions, and in fact, augment them with an additional layer of protection.
How KeeperPAM™ Helps Unify IAM Solutions
A comprehensive IAM strategy is a layered approach that combines SSO, PAM and a password manager with 2FA, RBAC and other security measures, such as monitoring end-user behavior for unusual login activity.
Luckily, organizations don't have to choose one solution over the other thanks to KeeperPAM. KeeperPAM is a next-generation PAM solution that brings three of Keeper's products together in one platform: Keeper Connection Manager, Keeper Secrets Manager and Keeper Enterprise Password Manager. KeeperPAM provides a comprehensive solution for organizations' IAM strategy that is fast and easy to deploy, and has simple pricing.
Interested in learning more about KeeperPAM? Request a demo today.