Where Enterprise Password Management Fits in an SSO and PAM World

By January 23, 2019 Security Tips No Comments
Man at laptop computer

Last month I attended the 2018 Gartner Identity and Access Management Summit and was delighted with the insights shared by identity and access management (IAM) experts across a variety of industries. The topics discussed included single sign-on (SSO), privileged access management (PAM) and enterprise password management (EPM), and industry best practices on how organizations can both strategically and tactically improve security and digital experiences through IAM.          

As I was speaking with people at the LastPass booth, two questions came up pretty regularly. The first: “Why do I need enterprise password management if I already have single sign-on?” And the second: “Why do I need enterprise password management if I already have privileged access management?” Each of these technologies have its own use case and role in the IAM lifecycle, so I wanted to address these questions by differentiating between the three. 

Single Sign-On vs Enterprise Password Management 

Enterprise password management and SSO are two technologies that complement one another well. SSO enables users to access a variety of applications within an infrastructure using a single set of credentials. It does this through protocols, such as SAML or LDAP, to securely store credentials and can then verify users are who they say they are without requiring an additional authentication. This reduces the number of passwords within the organization, improves employee productivity by reduced logins and password resets, and increases security overall. 

However, not every application supports the SAML or LDAP protocols. Actually a large majority do not, and this means that those applications are not secured by the organization’s SSO. If the applications aren’t managed by SSO, often the passwords are not managed at all. According to the 2017 Verizon Data Breach Investigations Report, passwords continue to account for 81% of all data breaches, and in a world where passwords remain the leading cause of a breach, this increases an organization’s risk posture significantly. SSO tools are critical to the IAM infrastructure and I highly recommend them, however users must also be aware that using SSO can leave gaps and should be complimented with additional solutions, such as an enterprise password manager. 

The crux of where SSO and enterprise password management are different is that EPM securely stores credentials for every application, regardless of whether those applications support the protocols or not. This enables organizations to have complete control over every password in their business with actionable data into password behavior and security. If you do not already have an SSO solution in place, LastPass offers single sign-on for a true SSO experience into the enterprise password manager itself. If you already have SSO, LastPass offers federated login through Microsoft Active Directory Federation Services to simplify the onboarding experience and eliminate the Master Password. 

Where Does Privileged Access Management Fit In? 

Privileged access management technologies are designed to secure an organization’s most sensitive data and the users that have access to it. Common examples of privileged users include executive leadership or the IT department, essentially any employee who needs to access highly sensitive information for their role. Examples of privileged information can include employee’s personally identifiable information, internal-only financials, or access to production servers. 

Privileged users have the highest levels of access in the organization, and therefore the security protecting their accounts must be the highest as well. PAM solutions secure privileged accounts through password vaulting, auditing and recording privileged sessions, password rotation and more to ensure that cybercriminals aren’t reaching the data that businesses want to protect the most. However, since only a subset of the overall organization is a privileged user, PAM solutions only cover a small percentage of the overall business, and do not cover applications outside of the corporate network. PAM technologies also add an overhead which is why they are applied to only certain users and applications. This leaves a gap for the rest of the organization’s data that is not considered privileged, as well as employee’s personal passwords. 

PAM technologies can be complimented with enterprise password managers to manage the user identities for every account in an organization, and even passwords. This is especially important with the emergence of shadow IT and trends such as bring your own device (BYOD) increasing in popularity. For companies without a PAM solution, enterprise password managers like LastPass can even aid in managing privileged credentials through shared folders, role-based permissions, multiple levels of Admin access, and password rotation. 

EPMSSOPAMBetter Together 

As you can see, SSO, PAM and EPM each have their own distinct role in the IAM lifecycle, but also come together to securely manage a user identity. In an economy where businesses are competing with one another on user experience and where security is expected everywhere more than ever before, the underlying infrastructure supporting and securing both must exceed all expectations.  

The reality is, having only one piece of the IAM puzzle is not going to fulfill these expectations alone. SSO, PAM and enterprise password management are all aimed at solving different use cases, however the power they provide together is what’s able to differentiate one brand from another.

Sandor Palfy
CTO, Identity and Access Management at LogMeIn

Sandor Palfy serves as CTO of LogMeIn’s Identity and Access Management business unit. In this role, he is responsible for the technology vision, innovation, engineering and security of all LogMeIn IAM products including, market leading password manager, LastPass, and remote access and management solutions, LogMeIn Pro, GoToMyPc and LogMeIn Central. With more than 18 years of experience working in technology and development, he joined the company in 2004, initially focusing on the Pro and Central product lines, and later taking ownership of Platforms, IT and Security. From 2014 he served as the company’s CTO, and now most recently the IAM business unit.