Improve Security with Vault Integration
March 5, 2024
Organizations constantly seek to balance the desire to improve performance and end-user experience against the need to maintain a robust cybersecurity posture. When it comes to automated testing and monitoring, information security best practices often present challenges to IT administrators looking to introduce new automated ways to gain visibility into their environment.
Login Enterprise utilizes virtual (synthetic) users to perform simulated workloads and gather user experience, application performance, and system performance data. These virtual users are Active Directory User objects. In some organizations, these accounts may be considered a service account or a non-person entity, which carries increased scrutiny when requesting security approvals within your organization.
Due to recent product innovations and pioneering customers, Login Enterprise can now be integrated with existing PAM systems to retrieve securely stored credentials.
How to enable increased cybersecurity
Vault solutions offer enterprise organizations a secure repository where their most sensitive information, such as passwords and certificates, can be stored. Many have password rotation features, which can automatically change the password to limit the lifespan of a potentially exploited password. Passwords can be rotated monthly, daily, or each time they are used. Unlike an actual end-user, virtual users do not disagree with this requirement and don’t mind retrieving their password from a vault, even if it is every login.
In a real-world example, a regional healthcare organization with around 2,500 users needed 1,000 accounts to use Login Enterprise, which required the approval of its security team. Unlike a real user, the automated Virtual Users would not be able to know whether their account was compromised in the same way a real user might. To limit the attack surface of potentially vulnerable accounts, Security mandated that the Virtual Users’ passwords be stored in their vault.
Now, each time a Virtual User is scheduled to monitor the workspace, the Universal Web Connector proactively retrieves the password from their Vault. Once it is retrieved, the password is changed so that the next time the Virtual User logs in, they will use a different password. In effect, a password is only valid for the lifespan of the synthetic session, and their security team agrees this is more secure than standard user accounts.
Integrating Your Vault with Login Enterprise
There are two ways to integrate Login Enterprise with your vaulting solution, pulling or pushing; both require PAM-specific APIs that provide this functionality.
Pulling Secrets from the Vault
Pulling secrets is the first option and is performed from the client side (the Launcher). The Universal Web Connector, using the vault's APIs, retrieves the password before each Virtual User attempts to log in. This also provides an opportunity for strict conditional access. Vault administrators can assign the least privileged access required, such as: “Only provide access to this secret, from these IPs, to requests that present a matching certificate.”
Pushing Secrets to Login Enterprise
The second option, which requires less customization, is to push secrets to the Login Enterprise Virtual Appliance from the Vault solution. A similar feature to password rotation is the ability to update external systems with the rotated password. You can imagine the laborious effort required to update passwords across an enterprise; human error or oversight will inevitably occur. This common PAM feature can be employed to update credentials within Login Enterprise based on the required password rotation frequency dictated by security policies. Again, an aggressive password rotation policy can be used (daily) because Virtual Users are not impacted in the same way a similar policy may affect the user experience of a real employee.
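The following is an added example, not code from Login Enterprise or from any PAM vendor, modelling both integration patterns described in the two sections above: a policy-gated pull (source network plus client-certificate fingerprint must match before a secret is released, and the secret is rotated once retrieved so it is valid only for that synthetic session) and a push hook (the vault delivers each rotated password to a registered consumer, standing in for the appliance's credential store). The vault, the policy, the `CredentialStore` consumer, the account name `vu-001`, the network `10.20.30.0/24` and the certificate fingerprint are all constructed for the example; no real vault or Login Enterprise API is called.

```python
"""Model of the pull and push vault-integration patterns: least-privilege
conditional access on retrieval, rotate-on-retrieve, and a push hook that
delivers the rotated credential to a registered consumer. Everything here is
an in-memory stand-in constructed for illustration, not a real PAM API."""
import ipaddress
import secrets
import string
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
# Constructed fingerprint of the Launcher's client certificate (assumption).
LAUNCHER_CERT_FP = "sha256:" + "ab" * 32


def generate_password(length: int = 24) -> str:
    """Generate a random password from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class AccessPolicy:
    """Least-privilege conditions a vault admin attaches to one secret."""
    allowed_networks: List[str]       # e.g. ["10.20.30.0/24"] (constructed)
    required_cert_fingerprint: str    # fingerprint the caller's cert must match

    def permits(self, source_ip: str, cert_fingerprint: Optional[str]) -> bool:
        """True only if the request comes from an allowed network AND presents
        the expected certificate fingerprint (constant-time comparison)."""
        addr = ipaddress.ip_address(source_ip)
        in_network = any(addr in ipaddress.ip_network(n) for n in self.allowed_networks)
        cert_ok = cert_fingerprint is not None and secrets.compare_digest(
            cert_fingerprint, self.required_cert_fingerprint)
        return in_network and cert_ok


@dataclass
class Vault:
    """Minimal in-memory vault: secrets, per-secret policies, push consumers, audit log."""
    secrets_store: Dict[str, str] = field(default_factory=dict)
    policies: Dict[str, AccessPolicy] = field(default_factory=dict)
    consumers: Dict[str, List[Callable[[str, str], None]]] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def store(self, account: str, password: str, policy: AccessPolicy) -> None:
        self.secrets_store[account] = password
        self.policies[account] = policy

    def register_consumer(self, account: str, callback: Callable[[str, str], None]) -> None:
        """Push pattern: external systems that must receive every rotated password."""
        self.consumers.setdefault(account, []).append(callback)

    def rotate(self, account: str) -> str:
        """Rotate the secret and push the new value to every registered consumer."""
        new_password = generate_password()
        self.secrets_store[account] = new_password
        self.audit_log.append(f"ROTATE {account}")
        for callback in self.consumers.get(account, []):
            callback(account, new_password)
        return new_password

    def pull(self, account: str, source_ip: str, cert_fingerprint: Optional[str]) -> str:
        """Pull pattern: enforce the policy, release the secret, then rotate it so the
        returned password is only valid for this synthetic session."""
        policy = self.policies[account]
        if not policy.permits(source_ip, cert_fingerprint):
            self.audit_log.append(f"DENY pull {account} from {source_ip}")
            raise PermissionError(f"policy denies access to {account} from {source_ip}")
        password = self.secrets_store[account]
        self.audit_log.append(f"ALLOW pull {account} from {source_ip}")
        self.rotate(account)
        return password


class CredentialStore:
    """Stand-in for the credential store of the system receiving pushed secrets (assumption)."""

    def __init__(self) -> None:
        self.credentials: Dict[str, str] = {}

    def update_credential(self, account: str, password: str) -> None:
        self.credentials[account] = password


def demo() -> dict:
    """Exercise both paths with one constructed virtual-user account."""
    vault = Vault()
    policy = AccessPolicy(allowed_networks=["10.20.30.0/24"],
                          required_cert_fingerprint=LAUNCHER_CERT_FP)
    initial = generate_password()
    vault.store("vu-001", initial, policy)
    store = CredentialStore()
    vault.register_consumer("vu-001", store.update_credential)

    denied = []  # wrong source network, then wrong certificate
    for ip, fp in [("192.0.2.10", LAUNCHER_CERT_FP), ("10.20.30.5", "sha256:deadbeef")]:
        try:
            vault.pull("vu-001", ip, fp)
            denied.append(False)
        except PermissionError:
            denied.append(True)

    pulled = vault.pull("vu-001", "10.20.30.5", LAUNCHER_CERT_FP)  # allowed request
    return {"initial": initial, "pulled": pulled, "denied": denied,
            "current": vault.secrets_store["vu-001"],
            "pushed": store.credentials["vu-001"], "audit": vault.audit_log}


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

Running the block prints the audit trail: two denials (wrong network, then wrong certificate), one allowed pull, and the rotation that followed it. The password handed to the Launcher matches the value stored at the time of the pull, while the vault and the pushed consumer both hold the new value afterwards, which is the property the healthcare customer's security team relied on: a credential that is only valid for one synthetic session.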
What now?
Historically, Login Enterprise was used against non-production infrastructure to gauge a system’s capacity, measure the impact of change, or compare it with other systems; with the introduction of continuous testing, its use has shifted to production. A request for “synthetic transactions in production” may raise alarms within your security team, but you can get ahead of this concern by outlining these two highly secure methodologies for securing credentials.
Want to learn more about how organizations with high-security requirements use Login Enterprise? See a roundup of our customer success stories.