AnyIdentity’s workflow is built upon four harmonized actions that together deliver robust privileged access management: account discovery, heartbeat, password rotation and password propagation. Each of these actions plays a crucial role in maintaining the security and integrity of your system.
Today we’re diving into the heartbeat action, the intermediary step that bridges the initial discovery phase and the final rotation process. This middle component keeps the privileged access environment up to date, acting as a constant guard against credential changes made outside the system and the security exposures that follow from them.
The AnyIdentity workflow
Before we dive into the details of each step, let’s take a high-level look at AnyIdentity’s workflow. This process ensures comprehensive privileged access management.
- Account discovery: Finds and catalogs privileged accounts.
- Heartbeat: Checks if stored passwords match current passwords.
- Password rotation: Updates passwords when necessary.
- Password propagation: Updates external services and hosts’ stored credentials.
The heartbeat action is the crucial comparison component that acts as the intermediary between account discovery and password rotation.
What does the heartbeat action do?
At its core, the heartbeat action is remarkably simple. It checks whether the password stored in PAM is still the password the identity provider currently accepts for that account.
Let’s break this down with some pseudocode:
# Simplified representation of the heartbeat action.
# Get-StoredPassword and Get-CurrentPassword are placeholders for the
# PAM lookup and the provider-specific check respectively.
function Test-Heartbeat {
    param ([string]$accountName)

    $storedPassword  = Get-StoredPassword  -Account $accountName
    $currentPassword = Get-CurrentPassword -Account $accountName

    # -cne is case-sensitive; the default -ne would treat "Secret" and "secret" as equal.
    if ($storedPassword -cne $currentPassword) {
        Write-Host "Passwords do not match"
        return $false
    }
    return $true
}
Like all other AnyIdentity actions, the heartbeat action is written in PowerShell and can be updated at any time, leaving the user in control.
The crucial importance of heartbeat
While many assume the heartbeat’s primary function is simply to check that credentials are in sync, its role is more critical than that. The heartbeat action is a security control: it confirms that nobody has altered the credential from outside the system. It’s not just about synchronization; it’s about verifying that the PAM system still manages and controls the credential.
This continuous monitoring is crucial for several reasons:
- Detecting unauthorized changes: The heartbeat monitors credentials for any unauthorized modifications whether unintentional or malicious. This ensures the integrity of access is maintained at all times.
- Preventing security breaches: By quickly identifying any discrepancies, the heartbeat action helps prevent potential security breaches that could occur if credentials were changed without the system’s knowledge.
- Maintaining system control: It verifies that the PAM system remains in control of the credentials, ensuring that all password changes go through the proper channels and are logged appropriately.
The heartbeat action, therefore, acts as a continuous guardian of your privileged access management system, ensuring that your credentials remain secure, synchronized, and under the system’s control at all times.
Heartbeat in action
To see how this works in practice, let’s walk through a typical scenario:
- Account discovery finds a privileged account, “sysadmin01,” and stores its password in PAM.
- The heartbeat action runs on a scheduled basis (e.g., every 4 hours).
As an example of what that scheduled check looks like, here is a trimmed-down version of the SQL Server Login heartbeat script:
function Compare-SqlLoginPassword {
    param (
        [string]$Server,
        [string]$UserName,
        [string]$StoredPasswordHash
    )
    # Double any embedded quote so the login name cannot break out of the string literal.
    $safeName = $UserName.Replace("'", "''")
    $query = "SELECT password_hash FROM sys.sql_logins WHERE name = '$safeName'"
    $result = Invoke-Sqlcmd -ServerInstance $Server -Query $query
    if (-not $result) { throw "Login '$UserName' was not found on '$Server'." }
    # password_hash is varbinary; render it as lowercase hex so it compares as a string.
    $currentPasswordHash = ($result.password_hash | ForEach-Object { $_.ToString('x2') }) -join ''
    # Case-sensitive comparison (-ceq) against the hash PAM recorded at discovery or last rotation.
    return $currentPasswordHash -ceq $StoredPasswordHash
}
- During this check, the password stored for “sysadmin01” did not match the current password.
- The heartbeat action returns the boolean value $false.
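The pseudocode earlier and the trimmed-down SQL Server script both reduce the heartbeat to a comparison, but a production heartbeat has to answer a second question: did the check actually reach the provider? An unreachable server is not a changed password, and reporting it as one would push the account into an unnecessary rotation. The following is an added example, not AnyIdentity’s own script, showing two ways to verify a SQL Server login (the function names Test-SqlLoginHeartbeat and Test-SqlLoginPasswordHash, the parameter names, and the use of the SqlServer module’s Invoke-Sqlcmd and .NET System.Data.SqlClient are assumptions of this example). The first authenticates as the managed login with the stored secret; the second, run with an administrative connection, asks SQL Server’s PWDCOMPARE to test the stored secret against the live password_hash, which also works when the login is disabled and never interpolates the login name into the query text.

```powershell
# Added example (not part of the original page or the AnyIdentity project).
# Assumes: the SqlServer module (Invoke-Sqlcmd) is installed, and .NET's
# System.Data.SqlClient is available (Windows PowerShell / PowerShell 7 on Windows).

function Test-SqlLoginHeartbeat {
    # Heartbeat strategy 1: authenticate as the managed account itself.
    # Returns $true if the stored secret still works, $false if SQL Server
    # rejected it, and throws if the server could not be reached at all.
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][securestring]$Secret,
        [int]$TimeoutSeconds = 10
    )
    $credential = [pscredential]::new($UserName, $Secret)
    try {
        $null = Invoke-Sqlcmd -ServerInstance $Server -Credential $credential `
            -Query 'SELECT SUSER_SNAME() AS LoginName' `
            -ConnectionTimeout $TimeoutSeconds -ErrorAction Stop
        return $true
    }
    catch {
        # SQL Server error 18456 carries the text "Login failed for user"; it is the
        # only outcome that means the credential changed behind PAM's back.
        if ($_.Exception.Message -match 'Login failed for user') {
            Write-Verbose "Heartbeat: stored secret for '$UserName' on '$Server' was rejected."
            return $false
        }
        # DNS, firewall, timeout or TLS failures are not a mismatch. Surface them as
        # an error so the scheduler records a failed check instead of a rotation trigger.
        throw "Heartbeat for '$UserName' could not reach '$Server': $($_.Exception.Message)"
    }
}

function Test-SqlLoginPasswordHash {
    # Heartbeat strategy 2: from an administrative connection, compare the stored
    # secret against the live hash with PWDCOMPARE. Reading password_hash requires
    # CONTROL SERVER; the query is parameterized, so $UserName never reaches the SQL text.
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][securestring]$Secret,
        [Parameter(Mandatory)][pscredential]$AdminCredential
    )
    $builder = [System.Data.SqlClient.SqlConnectionStringBuilder]::new()
    $builder.DataSource = $Server
    $builder.UserID     = $AdminCredential.UserName
    $builder.Password   = $AdminCredential.GetNetworkCredential().Password
    $builder.Encrypt    = $true

    $conn = [System.Data.SqlClient.SqlConnection]::new($builder.ConnectionString)
    $conn.Open()   # connectivity problems throw here, before any comparison is made
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT PWDCOMPARE(@pwd, password_hash) FROM sys.sql_logins WHERE name = @name'
        $null = $cmd.Parameters.AddWithValue('@pwd',  [System.Net.NetworkCredential]::new('', $Secret).Password)
        $null = $cmd.Parameters.AddWithValue('@name', $UserName)
        $result = $cmd.ExecuteScalar()

        # $null: no such login. DBNull: password_hash not visible to this admin account.
        # Neither is a mismatch, so neither should return $false.
        if ($null -eq $result -or $result -is [System.DBNull]) {
            throw "Login '$UserName' not found on '$Server', or password_hash is not readable (CONTROL SERVER required)."
        }
        return ([int]$result -eq 1)   # PWDCOMPARE returns 1 on match, 0 otherwise
    }
    finally {
        $conn.Dispose()
    }
}

# Usage (values are constructed placeholders):
# $secret = Read-Host -AsSecureString 'Stored secret for sysadmin01'
# Test-SqlLoginHeartbeat -Server 'sql01.example.internal' -UserName 'sysadmin01' -Secret $secret
```

Strategy 1 needs no privilege beyond the managed login itself, but a disabled login also fails with "Login failed for user", so it would report $false even though the secret is still correct. Strategy 2 avoids that at the cost of an administrative credential for the heartbeat. In both cases the important design choice is the same: only a definite rejection of the stored secret returns $false; everything else is raised as an error for the operator.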
Configuring heartbeat
While the heartbeat action is straightforward, its effectiveness relies on proper configuration. If you’re building your own provider, the action has two areas to configure:
- Parameters that define the identity provider to connect to;
- Account-specific parameters such as Username and Secret.
Heartbeat actions also consist of a PowerShell script that connects to the identity provider and performs the comparison.
Note that these two areas only need to be defined when you build your own AnyIdentity provider. If you are using a pre-created template, the parameters are already defined and you only need to provide a value for each mandatory one.
Simple in concept but vital to secure password rotation
While simple in concept, the heartbeat action plays a vital role in AnyIdentity’s privileged access management workflow. Regularly verifying password integrity ensures that your PAM solution remains in sync with your identity providers. More importantly, it serves as a crucial security measure, continuously monitoring for any unauthorized changes and maintaining the system’s control over privileged credentials.
As you implement or refine your AnyIdentity setup and need help with the heartbeat action, be sure to check out our documentation on heartbeat action scripts, which will give you some ideas on how to implement your own heartbeat action scripts.