For several years, resetting passwords (a.k.a. account rotation) has been a standard best practice. For those outside the IT security world, this involves automatically generating a new password each time a credential is checked out or at a scheduled interval (e.g., once a day, once a week, or once a month).
Think of it like modern hotel rooms. In the past, the same key was used to unlock a specific room. Now, however, as soon as a guest checks out, their keycard becomes invalid. So if that guest forgets their beloved Waykee plush mascot in their room, for example, and races back to retrieve him, they will have to ask the manager (or the next guest) for help unlocking the door.
Security Concerns
Obviously, resetting passwords is more secure than having the same password permanently available for multiple logins. However, there are some valid security concerns too. Hackers could potentially steal passwords and access accounts before the passwords are reset. And unfortunately, bad actors don’t need a lot of time to inflict a massive amount of damage, including creating backdoors that let them re-enter accounts once passwords have been reset. And that’s where account brokering enters the picture.
Account Brokering
Account brokering inserts credentials on the back end, which means that end users never see passwords in the first place — but they can still access necessary accounts to complete their day-to-day work. Not only is this more secure, but it is more efficient as well. End users get their work done, and sysadmins don’t face endless “Help, I can’t access my account!” help desk tickets. Everyone is happy — except of course for hackers, but that’s the point, right?
How Devolutions Can Help
Remote Desktop Manager (RDM) has featured account brokering since its inception. And now we’re pleased to note that Devolutions Password Server (DPS) and Devolutions Password Hub (DPH) offer account brokering as well. Here is a video of Devolutions Password Server's Privileged Access Management Module displaying how account brokering works and how efficient it is:
From the Desk of Our VP of Business Solutions, Maurice Côté:
Account brokering is a core criterion of a robust PAM solution, and adding this element to DPS and DPH was an important development. Next on our roadmap is to add the propagation of rotated service account credentials to the servers running them, which is where the real value lies.