The Role of Application Identity Management in Securing Privileged Credentials


If you have homegrown or legacy applications in your environment, you might have security threats of which you aren’t even aware. Your applications and scripts might include hard-coded user IDs and passwords that enable them to access systems, databases, and other resources. An attacker who is able to gain access to those programs will find a treasure trove of privileged credentials, often in plain text.

In the past, when most applications sat behind firewalls, developers might not have considered it a big deal to hard-code credentials in applications. However, this practice causes a number of serious problems:

  • It’s extremely difficult to track and manage such credentials and virtually impossible to follow best practices for password rotation. No one wants to “break” a production application or script simply to change a password.
  • Developers and IT administrators are well aware of these privileged credentials, opening the door to insider threats. One disgruntled employee could use this knowledge to wreak havoc on your environment.
  • A security audit conducted for legal or regulatory compliance requirements could reveal the hard-coded credentials. If that happens, you will face the monumental task of locating and remediating the threat.
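Before any of these credentials can be rotated or moved into a vault they have to be found. The following is an added example, not tooling from Clango or CyberArk: a small scanner that looks for the common shapes of hard-coded credentials (keyword assignments, `curl -u user:pass`, and `user:pass@` in URLs) across a set of constructed sample files, reports the location and kind of each hit with the value masked, and deliberately ignores an environment-variable placeholder such as `${DB_PASSWORD}`. The file contents and secret values are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample sources (illustrative only): a legacy script, a deploy
# script and a properties file. The properties file uses an environment
# variable placeholder, which is exactly what the scanner should NOT report.
SAMPLE_SOURCES: Dict[str, str] = {
    "legacy_etl.py": (
        'import pyodbc\n'
        'DB_USER = "svc_etl"\n'
        'DB_PASSWORD = "Summer2019!"\n'
        'conn = pyodbc.connect(f"DRIVER={{SQL Server}};UID={DB_USER};PWD={DB_PASSWORD}")\n'
    ),
    "deploy.sh": (
        '#!/bin/sh\n'
        'export API_TOKEN=ghp_exampletoken1234567890\n'
        'curl -u admin:Pa55word https://internal.example/api\n'
    ),
    "app.properties": (
        'db.url=jdbc:postgresql://db.example/app\n'
        'db.password=${DB_PASSWORD}\n'
    ),
}

# Each pattern captures the candidate secret in a group named "value".
# The assignment pattern rejects values starting with $ or { so that
# references to variables or templates are not flagged as literals.
PATTERNS = [
    ("keyword-assignment",
     re.compile(r'(?i)(?:passw(?:or)?d|pwd|secret|token|api[_-]?key)'
                r'\s*[=:]\s*["\']?(?P<value>[^\s"\'${}]{6,})')),
    ("basic-auth-flag",
     re.compile(r'(?:^|\s)-u\s+(?P<user>[^\s:]+):(?P<value>\S+)')),
    ("url-userinfo",
     re.compile(r'[A-Za-z][A-Za-z0-9+.-]*://[^\s/:@]+:(?P<value>[^\s/@]+)@')),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    masked_value: str


def mask(value: str) -> str:
    """Keep only the first two characters so reports never echo the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_sources(sources: Dict[str, str]) -> List[Finding]:
    """Return one Finding per (file, line, pattern) that looks like a literal credential."""
    findings: List[Finding] = []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in PATTERNS:
                match = pattern.search(line)
                if match:
                    findings.append(Finding(path, lineno, kind, mask(match.group("value"))))
    return findings


if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        print(f"{f.path}:{f.line} [{f.kind}] {f.masked_value}")
```

Run against the constructed inputs, the scanner reports the literal password in `legacy_etl.py`, the exported token and the `curl -u` credential in `deploy.sh`, and nothing for `app.properties`. Pattern-based scanning of this kind produces false positives and misses encoded or concatenated secrets, so its output is a starting list for remediation, not proof that a code base is clean.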

Application identity management (AIM) helps to alleviate these concerns. AIM is the process of removing hard-coded and unsafely stored credentials from applications, scripts, and application services, and of managing the entitlements applications need in the same way as any other identity in the environment. AIM makes it feasible to change passwords automatically, remove credentials from software that no longer needs access to a resource, and track the use of application identities to detect potential security threats.

CyberArk’s Application Identity Manager works with the CyberArk Enterprise Vault to secure and manage application credentials. Passwords, SSH keys, and other credentials are safely stored in the vault and automatically rotated. Hard-coded credentials can be replaced with an API call to the vault. Applications that request credentials from the vault are authenticated based on path, hash (signature), user, and other characteristics.

Application Identity Manager has two deployment options to meet the requirements of both mission-critical and non-critical applications:

  • With Credential Provider, an agent installed on the application server uses an API to retrieve credentials from the vault. The agent also stores the information in a secure local cache to ensure that applications can access needed credentials in the event of network downtime or performance problems. Credential Provider is recommended for mission-critical and customer-facing applications and services.
  • Central Credential Provider uses one agent deployed in a central location to serve multiple applications. The agent uses a web service to retrieve credentials from the vault and stores the information in a secure cache to reduce the load on the vault and ensure application performance. Central Credential Provider is recommended for non-critical applications, desktop applications, and cloud services.
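The pattern both deployment options rely on is the same: the application asks for the credential at the moment it needs it, and a cache stands in for the vault when the vault cannot be reached. The following is an added illustration of that pattern, not CyberArk's SDK or Clango's code. `CredentialProvider`, `FakeVault` and the account identifier `etl/db-password` are hypothetical names chosen for the example; the real product authenticates the calling application and serves credentials through its own agent and API. The example shows the three behaviours a practitioner cares about: a fresh cache hit avoids a round trip, an expired cache entry is still served when the vault is down, and a rotated value is picked up on the next successful fetch.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class VaultUnavailable(Exception):
    """Raised by the fetch callable when the vault cannot be reached."""


@dataclass
class CachedSecret:
    value: str
    fetched_at: float


class CredentialProvider:
    """Hypothetical run-time credential provider with a local cache.

    fetch: callable(account_id) -> secret; raises VaultUnavailable on a
           network or vault failure.
    ttl:   seconds a cached value is considered fresh before re-fetching.
    clock: injectable time source so the behaviour can be tested deterministically.
    """

    def __init__(self, fetch: Callable[[str], str], ttl: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch
        self._ttl = ttl
        self._clock = clock
        self._cache: Dict[str, CachedSecret] = {}

    def get(self, account_id: str) -> str:
        now = self._clock()
        entry: Optional[CachedSecret] = self._cache.get(account_id)
        if entry is not None and now - entry.fetched_at < self._ttl:
            return entry.value            # fresh cache hit: no call to the vault
        try:
            value = self._fetch(account_id)
        except VaultUnavailable:
            if entry is None:
                raise                     # never seen this credential: fail closed
            return entry.value            # vault down: serve last known good value,
                                          # leave fetched_at alone so the next call retries
        self._cache[account_id] = CachedSecret(value, now)
        return value


class FakeVault:
    """Stand-in for the vault: holds secrets an operator can rotate and an outage switch."""

    def __init__(self, secrets: Dict[str, str]) -> None:
        self.secrets = dict(secrets)
        self.online = True
        self.calls = 0

    def fetch(self, account_id: str) -> str:
        self.calls += 1
        if not self.online:
            raise VaultUnavailable(account_id)
        return self.secrets[account_id]


def demo():
    """Walk through cache hit, outage fallback and rotation; returns the observed values."""
    fake_now = [0.0]
    vault = FakeVault({"etl/db-password": "v1"})           # constructed account and value
    provider = CredentialProvider(vault.fetch, ttl=60, clock=lambda: fake_now[0])
    first = provider.get("etl/db-password")     # vault call, cached
    second = provider.get("etl/db-password")    # served from fresh cache
    vault.online = False
    fake_now[0] = 120.0                          # entry expired and the vault is down
    third = provider.get("etl/db-password")     # stale cache keeps the application running
    vault.online = True
    vault.secrets["etl/db-password"] = "v2"     # password rotated in the vault
    fourth = provider.get("etl/db-password")    # new value picked up
    return first, second, third, fourth, vault.calls


def fails_closed() -> bool:
    """True if a never-cached credential is refused, not guessed, while the vault is down."""
    vault = FakeVault({"acct": "x"})
    vault.online = False
    provider = CredentialProvider(vault.fetch)
    try:
        provider.get("acct")
    except VaultUnavailable:
        return True
    return False


if __name__ == "__main__":
    print(demo())          # ('v1', 'v1', 'v1', 'v2', 3)
    print(fails_closed())  # True
```

The hardened application replaces `DB_PASSWORD = "..."` with `provider.get("etl/db-password")` at the point of use, so no literal ever lands in source control and rotation in the vault needs no code change. Two design points carry over to any real deployment: a fallback cache only ever serves a value that was previously obtained from the vault (there is no default to fall back to), and the local cache is itself a privileged store that must be protected with the same care as the agent's own identity.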

Application Identity Manager also works with the Privileged Session Manager within the CyberArk Core Privileged Access Security platform. Privileged access by applications is monitored, and an audit trail is preserved for IT security audits and regulatory reporting.

The CyberArk-certified consultants and engineers at Clango can help you close the security gaps created by hard-coded credentials. CyberArk Application Identity Manager allows you to track, manage, and secure the credentials used by applications and scripts without impacting the performance or availability of your production environment.


For more information about AIM, please send us an email at (
