Application Identity Management
The Challenge
Managing credentials for application-to-application authentication poses security, auditing and administration challenges. When an application server, a single software application, a script or any type of batch process needs to connect to a database, a remote server or another application service, a privileged user name and password are required and are therefore made available to the application. These credentials are most often stored embedded in the application code or in a configuration file, frequently in clear text visible to a large audience. As a common example, most business applications need stored credentials to interact with a database in order to process information, provide an interface to end users, etc.
This challenge identifies a security gap and a significant risk, often flagged by auditors, where these sensitive database and application ID passwords are widely known and accessible to developers, help desk engineers, etc. Passwords are typically given to developers and support engineers by DBAs verbally and in an unsecured manner. Since these passwords are widely known, users can access sensitive production databases with higher privileges than their regular personal accounts are authorized for. Additionally, these are generic IDs, which limits the ability to audit and hold accountable the individual accessing the database.
Hard-coded passwords also limit the ability to change passwords on these resources, making them static and never expiring. Changing the password of a database account requires synchronization with all applications using this account for authentication. A recent Cyber-Ark Password Survey revealed that 42% of enterprises reported that they never change embedded application passwords. This poses serious security risks and clear violations of compliance regulations, as these powerful, embedded passwords gradually become known to dozens of unauthorized personnel across the organization, including ex-employees and external sub-contractors.
The Solution
Cyber-Ark Software provides the only Application Password Management solution in the industry that fully addresses the problem of application-to-application password management. Enterprise Password Vault™ eliminates the need to store application passwords embedded in applications, scripts or configuration files, and allows these highly sensitive passwords to be centrally stored, logged and managed within the Cyber-Ark Vault. With this unique approach, organizations are able to comply with internal and regulatory requirements for periodic password replacement and monitored privileged access across all systems, databases and applications.
Cyber-Ark Enterprise Password Vault provides applications with easy-to-use tools for accessing the Vault using a single function call, a command line interface (CLI) or a native API for COM, Java, C/C++ and .NET on a variety of Windows and UNIX platforms. This unique solution enables organizations to eliminate hard-coded and embedded passwords within services, applications or scripts and to benefit from a secure, highly available and easy-to-manage solution for controlling access to, and automatically replacing, privileged application passwords.
Benefits
Integrating database application access with the secured Enterprise Password Vault provides a complete solution for centrally managing privileged passwords. This provides auto-replacement of privileged database passwords and automatically synchronizes the relevant business application with the new password values.
The Password Vault suite, including the Password Vault, the Central Password Manager and the Password Vault API Toolkit, provides a complete infrastructure for centralizing the management of credentials to resources and of these service accounts, including:
- The removal of passwords from all scripts and application code, making them invisible to developers and support staff.
- Encryption - all passwords are encrypted both at rest in the Vault and in transit to the requesting application.
- Access Control - using the Vault's access-control security layer, access to passwords can be controlled down to the application level.
- Accountability - each transaction in the Vault is logged, providing auditing and accountability for every request for a password.
- The ability to change passwords on demand and according to enterprise policy, without any interruption to production or need for development/testing and IT support.
- High Availability, Redundancy and Business Continuity - no downtime for applications.
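The contrast the page draws, as an added example that is not code from the page or from Cyber-Ark: an application with a password embedded in its own source beside one that fetches the credential from a central store at run time and refreshes it when the database rejects it after a rotation. `InMemoryVault`, `FakeDatabase` and `VaultedConnector` are hypothetical stand-ins (not the Vault API), and every password value is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class InMemoryVault:
    """Hypothetical stand-in for a central credential store."""
    secrets: dict = field(default_factory=dict)
    access_log: list = field(default_factory=list)

    def get(self, app_id: str, secret_name: str) -> str:
        # Each retrieval is attributed to a named application, which is
        # the per-request audit trail a shared generic password cannot give.
        self.access_log.append((app_id, secret_name))
        return self.secrets[secret_name]

    def rotate(self, secret_name: str, new_value: str) -> None:
        self.secrets[secret_name] = new_value


class FakeDatabase:
    """Constructed stand-in that accepts only its current password."""
    def __init__(self, password: str):
        self.password = password

    def connect(self, user: str, password: str) -> bool:
        return user == "app_user" and password == self.password


# Pattern the text warns about: the password is part of the source itself.
EMBEDDED_PASSWORD = "s3cret-2019"  # constructed sample value


def connect_with_embedded_secret(db: FakeDatabase) -> bool:
    # Rotating the database password breaks this caller until someone
    # edits and redeploys the code, so in practice it is never rotated.
    return db.connect("app_user", EMBEDDED_PASSWORD)


class VaultedConnector:
    """Fetches the credential at run time and refreshes it after a rejection."""
    def __init__(self, db, vault, app_id, secret_name):
        self.db, self.vault = db, vault
        self.app_id, self.secret_name = app_id, secret_name
        self._cached = None  # held the way a connection pool would hold it

    def connect(self) -> bool:
        if self._cached is None:
            self._cached = self.vault.get(self.app_id, self.secret_name)
        if self.db.connect("app_user", self._cached):
            return True
        # Rejected: the secret was likely rotated centrally since it was
        # cached. Refresh once and retry; no code change or redeploy needed.
        self._cached = self.vault.get(self.app_id, self.secret_name)
        return self.db.connect("app_user", self._cached)
```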