Blogpost

Account Handler: How Privileged Access Management Extends IAM

How can privileged access be managed securely without disrupting existing IAM structures? An account handler enables secure access to privileged systems without the need to know passwords. Temporarily activated accounts drawn from a pool are granted admin rights as needed and are automatically reset, deactivated and revoked after use.

Privileged Access Management

In an era of increasing cyber-attacks and growing regulatory requirements, the secure management of privileged access to IT systems is more important than ever. Particularly in enterprise environments, where administrator rights are granted across numerous systems, there is a need for solutions that are not only secure but also flexible and scalable.

In practice, this need is evident: whenever an employee leaves or changes roles, admin rights must be re-assigned or revoked; service accounts require a designated owner throughout their entire lifecycle; and during audits in accordance with MaRisk or BAIT, the granting of privileged rights must be fully traceable. Addressing each of these requirements individually ties up IT and compliance resources on a permanent basis in many institutions.

The current problem is that many Privileged Access Management (PAM) systems are only offered as comprehensive turnkey solutions or as extensive component packages, which makes their integration into existing Identity and Access Management (IAM) systems difficult. This is precisely where our solution comes in: a modular account handler that can be integrated into existing IAM structures, regardless of the vendor or the existing infrastructure.

What is a PAM system and how does it complement IAM?

Privileged Access Management (PAM) is a security approach for managing and controlling user accounts with particularly high privileges, such as admin, root or service accounts. These privileged accounts are essential for system operation, but pose a significant security risk if they are compromised.

In many systems, administrators have an additional admin account or are granted extended privileges on their regular user accounts. These privileged accounts increase the system’s attack surface.

PAM is not a competitor to Identity and Access Management (IAM), but rather a targeted extension of it. Whilst IAM systems manage all user identities and control their access to general resources, PAM focuses on critical accounts that require particular protection. Together, both systems ensure comprehensive security and control in modern IT environments.

Account Handler – the smart control centre in a PAM context

Our Account Handler solution bridges the gap between user requirements and secure access to privileged accounts. This central control component processes access requests, identifies the required resources and grants the necessary permissions without users receiving passwords or direct login details.

To do this, the system uses a pool of deactivated accounts. Only when a specific request is made are the necessary admin rights temporarily assigned to an account. The user is automatically logged into the target system without knowing which account is currently being used or what its password is.

Once the task is complete or the defined time period has elapsed, the account is revoked, reset and deactivated again. Further access is only possible following a new request. This creates a complete decoupling between the user and access. The dynamic, context-based assignment of rights provides transparency and security.

Modularity and universal applicability

At the heart of our approach lies its modular architecture. The Account Handler can be connected to various IAM systems via adapters. These adapters act as interfaces that extract data from the target systems, standardise it and make it available to the Account Handler.

The user never has direct access to passwords or accounts. Instead, the system establishes a secure connection to the target system in the background. Access is automated, time-limited and requires no manual interaction.

Thanks to its flexibility, our prototype can be integrated into traditional, hybrid or heterogeneous IT environments, regardless of which IAM and IT Service Management (ITSM) systems are already in use. This combination of security, control and adaptability thus supports the flexible and traceable management of privileged access.

Privileged Access Management: Account Handler - Integration into Enterprise Systems

Figure: Account Handler - Integration into Enterprise Systems (Click on the image to enlarge it)

Conclusion

For financial institutions, integrating a PAM system into an existing IAM landscape usually presents an integration challenge, as most solutions are only available as turnkey packages, which would also necessitate replacing connected systems. A modular account handler mitigates this problem. It can be connected to the existing infrastructure via adaptors, rather than replacing it. In practice, this means that access processes remain traceable and the architecture can scale alongside new target systems without the need for renegotiation with every expansion.