Notes from the Field: PAM Folders
27 June, 2023, by Stephen Swann
Many IBM Security Verify Privilege customers ask the question: how should I structure my folders within Secret Server?
The answer is: it depends. That is not very helpful, but it is hardly inaccurate either. It depends on what secrets you want to store and who has access to them.
Take the fictional "Government of Western Ursustan", which has employees and third-party consultants accessing critical applications such as the Citizen Database, Finance & General Ledger, and Security systems. The end users need to be able to access their own privileged accounts, but they also need to access shared privileged accounts. The folder structure one might adopt could be split into two high-level folders:
- Individual Secrets
- Shared Secrets
Within the individual secrets folder, it might be an idea to create a sub-folder for each supplying organisation, such as:
- ACME Consultants
- Goons For Hire Ltd.
- Independent Consultants
- Madigan Solutions
- Government of Western Ursustan (obviously)
And within each of these folders, you may want to have personal folders for each end user. Now, when privileged accounts are discovered for a user, they can be vaulted in the correct location, with permissions that allow only the owner of the secret to access it.
For shared secrets, you may want to adopt a different strategy. After all, the end users who may need access to the admin account on the Citizen Database server may be users supplied by different organisations. This time, it might be appropriate to create a folder structure based on departments, applications, and even environments (i.e., Production, Pre-Production).
An example of how this might look in the world of our fictional government could be:
Ultimately, the folder structure needs to be defined in line with business requirements. That said, the folder structure doesn't need to be permanent. The structure can (and will) evolve over time.
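The layout described above can be planned and checked before any folders are created in the vault. The following is an added example, not code from the original post or from IBM, and it does not call Secret Server: it builds the two-branch tree and flags access lists that break the owner-only or shared-team model. The user names, department labels and team assignments are constructed for illustration.

```python
# Constructed sample data. Organisations, applications and environments are
# the ones named in the post; users, departments and teams are hypothetical.
USERS = {  # user -> supplying organisation
    "alice": "ACME Consultants",
    "bob": "Madigan Solutions",
    "carol": "Government of Western Ursustan",
}
SHARED = {  # department -> applications
    "Citizen Services": ["Citizen Database"],
    "Finance": ["Finance & General Ledger"],
}
ENVIRONMENTS = ["Production", "Pre-Production"]
# Who may use each application's shared secrets, regardless of employer.
APP_TEAMS = {
    "Citizen Database": {"alice", "carol"},
    "Finance & General Ledger": {"bob"},
}


def build_plan(users, shared, environments, app_teams):
    """Return {folder_path: set_of_users_with_access} for the whole tree."""
    plan = {}
    for user, org in users.items():
        # Personal folder: organisation sub-folder, then one folder per user.
        plan[f"Individual Secrets/{org}/{user}"] = {user}
    for dept, apps in shared.items():
        for app in apps:
            for env in environments:
                path = f"Shared Secrets/{dept}/{app}/{env}"
                plan[path] = set(app_teams.get(app, ()))
    return plan


def audit(plan, users):
    """Return (path, finding) pairs for folders that break the model."""
    findings = []
    for path, members in plan.items():
        parts = path.split("/")
        if parts[0] == "Individual Secrets" and members != {parts[-1]}:
            findings.append((path, "personal folder is not owner-only"))
        if parts[0] == "Shared Secrets" and not members:
            findings.append((path, "shared folder has no assigned users"))
        for unknown in sorted(members - set(users)):
            findings.append((path, f"unknown user: {unknown}"))
    return findings
```

Because the structure will evolve, the same audit can be rerun against each revised plan before the change is applied.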