Security

Why Account Brokering Is a Better Option than Resetting Passwords + How Devolutions Can Help

Why account brokering is better than resetting passwords devolutions blog
Derick St-Hilaire

Hello there! My name is Derick St-Hilaire, and I’m the Salesforce Administrator here at Devolutions. I’m one of the more experienced employees here at Devolutions, and it has been amazing to see the company and community grow over the years. My primary responsibilities include managing our Salesforce platform, and working closely with our strategic partners and customers. I also oversee the management of Devolutions Force, which is our VIP Advocate Community. Academically, I have a bachelor’s degree in marketing. When I’m not working, I enjoy camping, walking my dog, playing video games, and I’m a huge movie fan — including the Star Wars franchise of course. If you would like to join Devolutions Force, or if you wish to get in touch, then you are welcome to contact me directly at dsthilaire@devolutions.net.

View more posts

For several years, resetting passwords (a.k.a. account rotation) has been a standard best practice. For those outside the IT security world, this involves automatically generating a new password each time a credential is checked out or at a scheduled interval (e.g. once a day, once a week, once a month, etc.).

Think of it like modern hotel rooms. In the past, the same key was used to unlock a specific room. Now, however, as soon as a guest checks out, their keycard becomes invalid. So if that guest forgets their beloved Waykee plush mascot in their room, for example, and races back to retrieve him, they will have to ask the manager (or the next guest) for help unlocking the door.

Security Concerns

Obviously, resetting passwords is more secure than having the same password permanently available for multiple logins. However, there are some valid security concerns too. Hackers could potentially steal passwords and access accounts before they are reset. And unfortunately, bad actors don’t need a lot of time to inflict a massive amount of damage, including creating backdoors to re-enter accounts once passwords have been reset. And that’s where account brokering enters the picture.

Account Brokering

Account brokering inserts credentials on the back end, which means that end users never see passwords in the first place — but they can still access necessary accounts to complete their day-to-day work. Not only is this more secure, but it is more efficient as well. End users get their work done, and sysadmins don’t face endless “Help, I can’t access my account!” help desk tickets. Everyone is happy — except of course for hackers, but that’s the point, right?

How Devolutions Can Help

Since its inception, Remote Desktop Manager (RDM) has always featured account brokering. And now we’re pleased to note that Devolutions Password Server (DPS) and Devolutions Password Hub (DPH) offer account brokering. Here is a video of Devolutions Password Server's Privileged Access Management Module displaying how account brokering works and how efficient it is:

From the Desk of Our VP of Business Solutions, Maurice Côté:

Account brokering is a core criterion of a robust PAM solution, and adding this element to DPS and DPH was an important development. Next on our roadmap is to add the propagation of rotated service account credentials to the servers running them, which is where the real value lies.

Related Posts

Read more Security posts