practices for managing service accounts for multiple customers

mephisto

Hi there,

I'm struggling to find a way to further secure my customer networks, as we currently use shared accounts in RDM to access things like servers' RDP and other things. My idea was to use named accounts so each of my techs has their own account on each of my customers' domains, which makes tracking things clearer.

The problem is managing these accounts: let's say you have 20 techs and 100 customers; that would be like managing 2000 accounts manually across all customers. If someone leaves or we need to change the password quickly, it is just unfeasible.

Is there any way of achieving a better way of managing customers and credentials with RDM in this aspect? Are there tools that can help us with this?

All Comments (2)

I was talking to one of our colleagues, perhaps the only way around would be federated services?

Hello,

RDM is an outstanding Connection Manager that offers only "great" password management features. Our strength has always been to offer account brokering, meaning that the user never learns the password that is being used. That paradigm is great for those who desire a limited attack surface. You (and your customers) have a limited number of accounts to monitor in your customers' infrastructure, but rely on RDM's logging to see which of your staff connected to an endpoint. Most of our community uses shared accounts specifically to avoid these concerns: when a recently departed employee cannot connect to your data source, and he has never learned any passwords, the customer's endpoints are protected.

When you switch from using shared accounts to named accounts, you must rely on User Specific Settings in order to connect to an entry while using a unique credential. Account management of such credentials must be handled manually using our AD Console, or automated using PowerShell scripts. Investing the time in automating this process depends on the frequency of employees arriving/departing...

We are transforming our Devolutions Password Server (DPS) into a Privileged Account Management (PAM) solution; a key feature of a PAM is to perform password rotation/reset. What would be ideal for your scenario is to have a full Account Provisioning workflow, which we won't be able to offer until November...

Let me know your thoughts.

Maurice
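As an added illustration of the PowerShell automation mentioned above (not code from Devolutions or from anyone in this thread), the script below disables and password-rotates one departing tech's named account in every customer domain and records the result per domain. It assumes a one-account-per-tech-per-domain naming convention (`svc-jdoe`), the RSAT ActiveDirectory module, and an admin credential valid in each customer domain; the domain list is constructed.

```powershell
# Hypothetical offboarding script: disable one technician's named account in
# every customer domain and report what happened. Requires the RSAT
# ActiveDirectory module and a credential that is valid in each domain.
Import-Module ActiveDirectory

# Constructed list of customer domains; replace with your real inventory
# (e.g. exported from RDM or a CMDB).
$CustomerDomains = @('customer-a.example', 'customer-b.example', 'customer-c.example')

# Assumed naming convention: one named account per tech in every domain.
$TechSamAccountName = 'svc-jdoe'

# Admin credential used to perform the change (prompted once here; in
# practice fetch it from your vault rather than typing it).
$AdminCred = Get-Credential -Message 'Admin credential valid in the customer domains'

# Cryptographically random replacement password (24 bytes -> 32 base64 chars).
function New-RandomPassword {
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 24
    $rng.GetBytes($bytes)
    return ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

$Report = foreach ($Domain in $CustomerDomains) {
    try {
        $User = Get-ADUser -Server $Domain -Credential $AdminCred `
                           -Identity $TechSamAccountName -ErrorAction Stop
        # Disable first, so the account is unusable even if the reset below fails.
        Disable-ADAccount -Server $Domain -Credential $AdminCred -Identity $User -ErrorAction Stop
        # Rotate the password too, so a cached credential is worthless if the
        # account is ever re-enabled by mistake.
        Set-ADAccountPassword -Server $Domain -Credential $AdminCred -Identity $User `
            -Reset -NewPassword (New-RandomPassword) -ErrorAction Stop
        [pscustomobject]@{ Domain = $Domain; Account = $TechSamAccountName; Status = 'Disabled+Rotated' }
    } catch {
        # A domain that was missed is a security gap, so report it loudly.
        [pscustomobject]@{ Domain = $Domain; Account = $TechSamAccountName; Status = "FAILED: $($_.Exception.Message)" }
    }
}

$Report | Format-Table -AutoSize
$Report | Export-Csv -Path ".\offboard-$TechSamAccountName-$(Get-Date -Format yyyyMMdd-HHmmss).csv" -NoTypeInformation
```

Any row marked FAILED should be followed up manually; the CSV doubles as the audit record that the tech's access was revoked in each customer environment.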