Applications often need to connect to other applications or services on the network to function. For example, a web application may have to connect to one or more databases to retrieve or update data, to web services to initiate transactions, to a directory to create or update user objects, etc.
When an application connects to a network service, it uses credentials -- normally an ID and password -- to do so. This raises some questions about password management:
- Where is the password used by an application to sign into a network service stored?
- Does the password ever change?
- How is the stored password protected against compromise?
A privileged access management system must be able to address these questions.
Basic network architecture
The basic arrangement where an application needs to authenticate a connection to a network service is illustrated in Figure [link].
Baseline problem: passwords embedded in scripts and configuration files
The problems of managing and securing these connection credentials are illustrated in Figure [link]. In short, these passwords are usually stored in plaintext, are visible to many users (IT staff and others who can read the script or configuration file), and are static, i.e. they are rarely or never changed.
Security problems with passwords embedded in scripts and configuration files
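The three questions above (where the password is stored, whether it changes, how it is protected) and the baseline problem of credentials embedded in scripts and configuration files can be made concrete with a small script. The following is an added example, not part of the original page and not a product feature: it scans constructed sample files for lines that assign a literal value to a credential-style key, treats references such as `${DB_PASSWORD}` or `vault:...` as acceptable, and shows the hardened pattern in which the application resolves the reference at connection time rather than reading a password out of the file. The file names, contents, key-name list and the `resolve_credential` helper are all assumptions made for the example.

```python
import os
import re
from dataclasses import dataclass

# Key names commonly used for connection credentials in scripts and config files.
# This is a starting list for the example, not an exhaustive one.
CREDENTIAL_LINE = re.compile(
    r"^\s*(?:export\s+)?"
    r"(?P<key>(?:db_|database_|svc_|service_)?(?:password|passwd|pwd|secret|api_key))"
    r"\s*[=:]\s*(?P<value>\S.*?)\s*$",
    re.IGNORECASE,
)

# Values that only *refer* to a secret held elsewhere (environment variable,
# vault path, template placeholder) rather than containing it.
INDIRECT_VALUE = re.compile(r"^(?:\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|vault:\S+|\{\{.+\}\})$")


@dataclass
class Finding:
    path: str
    lineno: int
    key: str


def scan_text(path: str, text: str) -> list:
    """Return a Finding for every line that embeds a literal credential value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith("#"):  # comments (and shebangs) are skipped
            continue
        m = CREDENTIAL_LINE.match(line)
        if not m:
            continue
        value = m.group("value").strip("\"'")
        if not value or INDIRECT_VALUE.match(value):
            continue
        findings.append(Finding(path, lineno, m.group("key")))
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> contents (constructed here; in practice read from disk)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def resolve_credential(reference: str, lookup=os.environ.get) -> str:
    """Resolve an indirect reference at connection time (hypothetical helper).

    Only the `${NAME}` / `$NAME` form is handled; a `vault:` reference would go
    to a secrets-store client, which this example does not include. Because the
    lookup happens on every connection, a rotated value takes effect without
    editing the file, and the file itself never holds the password.
    """
    m = re.fullmatch(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?", reference)
    if not m:
        raise ValueError(f"unsupported credential reference: {reference!r}")
    value = lookup(m.group(1))
    if value is None:
        raise KeyError(f"credential {m.group(1)} was not supplied to the process")
    return value


# Constructed sample files: two with embedded plaintext passwords (the baseline
# problem) and one hardened file that carries only a reference.
SAMPLE_FILES = {
    "app.ini": (
        "[database]\n"
        "host = db01.example.internal\n"
        "user = appsvc\n"
        "password = Winter2019!\n"
    ),
    "run_batch.sh": (
        "#!/bin/sh\n"
        "export DB_PASSWORD=Winter2019!\n"
        "./batch --db db01\n"
    ),
    "hardened.ini": (
        "[database]\n"
        "host = db01.example.internal\n"
        "user = appsvc\n"
        "password = ${DB_PASSWORD}\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.lineno}: literal value assigned to {f.key}")
    # The hardened file resolves its reference from the process environment at
    # connection time; the lookup is injected here so the demo runs offline.
    print(resolve_credential("${DB_PASSWORD}", lookup={"DB_PASSWORD": "rotated-value"}.get))
```

Run as-is it reports the two embedded passwords and resolves the hardened file's reference. The scanner answers the "where is it stored" question for a code base; the `resolve_credential` pattern is what lets the other two answers change, since the value is supplied to the process (by an orchestrator or a privileged access management system) and can be rotated without touching the file.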