Enterprise password vault vs. privileged access management

Securing passwords is a top cybersecurity goal, and while most of the emphasis is on securing employee passwords, it’s privileged credentials that pose the greatest risk for companies. According to Forrester, 80% of security breaches involve privileged credentials. With elevated credentials, a hacker has the keys to the kingdom. They can move laterally through your business network, evade detection, cause serious damage to a business’s reputation, and put you in violation of compliance regulations.

When it comes to securing privileged credentials, companies often turn to enterprise password managers or privileged access management (PAM) solutions. This leads organizations to ask, “Which solution is best?” and “Do I need PAM if I have a password manager?”

In reality, PAM and enterprise password managers address different use cases and are complementary solutions.

Enterprise password managers vs. privileged access management

Enterprise password managers allow companies to store and manage passwords and credentials in encrypted vaults. Many password managers allow users to know and see the password, so they do not provide Zero Trust: the user can unlock the password. Unlike personal password managers, enterprise solutions simplify password management for most enterprise privileged accounts, including user, system, and application accounts.

Enterprise password managers are a less expensive option, and many companies use them as a first step in securing privileged credentials. However, companies quickly outgrow them and require more advanced automation, auditing, and reporting capabilities. This is because enterprise password managers are not designed to discover credentials, rotate passwords, broker secure access to systems, or provide detailed reporting. That is where PAM software comes in.

PAM solutions are designed to monitor, manage, and control access to ALL privileged accounts and credentials. The software combines a secure credential vault with approval workflow, a robust job engine with password rotation and discovery, and session management with recording. In one solution, you can securely manage and reduce the number of privileged or shared accounts, implement the principle of least privilege, tighten controls over permissions, and provide secure remote access to employees.

Benefits of having both PAM and an enterprise password manager

PAM software should be used for a company’s most sensitive passwords and credentials – especially IT admin credentials and anything with access to personally identifiable information (PII) or protected health information (PHI). But what about other less-sensitive passwords that are used by business managers or shared across teams? This is where enterprise password managers come in.

Within departments, there are often many applications or systems that are used by multiple team members and require shared passwords. This could be a shared credential to a cloud application, shared billing system, CRM, HR portal, social media sites, industry sites, etc. These applications are important to the team and are used often but don’t access PII.

They don’t require privileged access, but these passwords still need to be managed and secured. Adding an enterprise password manager, like Imprivata Enterprise Password Vault, is a cost-effective way to securely share these less-sensitive credentials without having to add users to your PAM implementation.

As more companies adopt multifactor authentication as part of their security best practices, shared accounts present an added challenge. Which team member receives the authentication token? And how do they know who requested it?

For shared accounts, the most secure option is to put them into a secure enterprise password manager that the team can access. With Imprivata Enterprise Password Vault, anyone who needs access to the shared account uses a natural domain account to connect to the central vault that manages the authentication. Then the person uses it as a gateway to the remote destination. This prevents team members from even having to know the shared account password in the first place. It also prevents the password from being shared outside the approved team.

When it comes to password security, it’s important to examine your specific use case and understand the type of account. Is it a privileged account, personal account, or shared team account? Are you looking to just lock down the password? Or does it require monitoring and auditing? Does the account access sensitive business information and systems?

Imprivata offers a range of IAM solutions to improve your security posture and protect passwords, from Imprivata Enterprise Password Vault to Imprivata Privileged Access Management. Request a demo or download a free trial to learn how Imprivata can help you simplify password management for privileged credentials or shared accounts.