The Lockdown

Thycotic’s Cyber Security Blog

Fast, Faster, Fastest: Speed Requirements for Your Password Vault


Written by Billy VanCannon

May 28th, 2019

You’re facing unprecedented pressure to deliver higher levels of service and improve speed to market. At the same time, you need enterprise-wide visibility and control to reduce risk.

Do you need a high-speed password vault to protect privileged accounts? If so, how fast is fast enough?

These are the questions we’ve been asking to develop the best PAM solutions for your needs:

1. Will only humans use the vault, or do you need automation?

Is the primary use of your vault to manage people’s credentials, such as usernames and passwords? In this scenario, you provision and deprovision privileges for individuals manually. To speed things up and avoid errors, you can integrate your vault with Active Directory or your identity management system.

But, if your plan is to vault SSH keys, certificates, API keys, and tokens that provision non-human privileged accounts, your speed requirements are greater. System authentication and authorization must happen automatically and instantly for applications, files, services, and data to share information and kick off processes.

This can be done with an API, connecting systems and injecting privileges. Awesome! But is that enough for you? We need to ask some more questions.

2. How frequently will systems need to integrate?

Some service and application accounts connect to a database periodically to perform bulk updates. At the other extreme, IoT applications and cloud development require a higher level of speed and scale. These systems connect hundreds – even thousands – of times each day. If you have a high number of users simultaneously performing transactions, you’ll need a vault with greater speed than a basic API can achieve.

3. How frequently will systems change?

Is your goal to manage credentials for static, IP-based solutions? Or, do you work in dynamic, virtual environments with frequently changing applications and machines? For example, in a DevOps workflow, new environments are created and disposed of constantly. Microservices and containers demand more speed than a typical PAM solution can handle. If this sounds like you, you’re going to need more.

4. Do you want centralized or distributed control?

This age-old debate speaks to the culture of your organization as much as the structure. For a team responsible for security across an enterprise, having a single PAM solution allows for consistent privilege policies and comprehensive reporting. That said, if every decision or action needs to go through a centralized team for approval, people start to chafe and productivity stalls. This is especially true for distributed teams and global organizations.

So, we need to find a way to have the best of both worlds. We believe the key to success is to empower business users, developers, and other IT teams to do what they need to do within the structure of a centralized, policy-based system.

Which fits your situation?

Fast Vault

  • Primarily human interactions
  • Creation and rotation of credentials
  • Heartbeat

Faster Vault

  • Automation for bulk update services
  • Running reports on a periodic basis, monthly down to every minute
  • Integration with scanners that need credentials (vulnerability scanners, for example)

Fastest Vault

  • IoT services
  • High-speed applications, thousands of transactions
  • Cloud development, microservices and containers, in multiple environments (dev, test, stage, production)

The fact is, your needs may fit into more than one of these categories. Or, if you only fit into one of them today, you may fit into all three by next year.

We believe the best solution is using a central vault like Secret Server as the “source of truth,” and an API or connection to a lightweight vault (LV below) for speed.

[Figure: High Speed Password Vault Diagram. Central vault, like Secret Server, with an API or connection to a lightweight vault (LV) for speed.]

Watch this space!

We’re listening. We get it.   

Thycotic’s new high-speed vault is coming this summer. Be the first to know by joining our mailing list or connecting with us on social media. We look forward to sharing it with you!

 


Billy VanCannon

Billy VanCannon has over 11 years of experience as an RF HW engineer designing radios for first responders and the military. He joined the dark side (business team) and worked with federal government customers. They constantly had questions about the security of the IT side of the networks. He taught himself networking and security and that led to him running the SoC business at Motorola. He then went to Trustwave, a cyber security company in Chicago, where he ran their Certificate Authority (SSL/TLS certs) and their PCI SaaS (helping 3 million merchants with PCI compliance). At Thycotic, Billy is leading new cloud-based initiatives. Billy attended Iowa State for a BSEE, received his MBA at Kellogg (Northwestern) and is a CISSP.