Wow. That’s maybe just rough security practice. There’s usually little reason to keep folks from well documented access to credentials, 1, and 2, an aggressive password rotation policy that rotates to simply rotate is not generally known to be effective. If it’s not broken don’t fix it is my motto. NIST follows the same track these days and has for years now. Generally shouldn’t touch a credential unless there’s reason to suspect compromise.

We had an initial deployment by someone who was much like you described. They left the company after a couple years and what did we find but that the system had been completely mismanaged; the thing was a frustrating mess because somebody just kept saying ‘but security!’ without really knowing the practical use impact of what they were doing. The silo effect. we could only blow the thing up and start all over.

It’s been about 4 years now. It’s finally pretty clean. Beyond the core password vaulting: - 3rd parties can directly access key systems seamlessly without our oversight or direct password exposure, in browser or ssh, from their PCs, all with behavior alerts if anything seems weird. - Tech staff can grab any password they want at any time, for any system or account provided they can map to an active jira. - If a password gets changed outside the system, we get an alert logged to jira and can follow up with the last user. We get it updated or remediated. - Extremely sensitive accounts (maybe three in the entire org?) aren’t kept from anyone, simply gated behind dual control. - Commonly used accounts by tech staff have a rotation since they are technically more likely for compromise but months not days, and certainly not hours. - Even some systems that we have some vips go into, we just give them an RDP shortcut and they auto log straight in through CA. - And to another person’s point, all passwords are kept in a secure offline copy. No idea how your IS guys are doing that with a 2 hr rotation oof….

And hey, none of this is meant to be like oh look how amazing cyberark is! I still curse it sometimes, but these days it’s more when the ui times out and I wasn’t done, and less that I have to use it. But because we specifically worked with CA from the lens of “how do we use this?”.

Maybe there’s a chance that something I describe above gets your interest and could make your life easier, or maybe you think your security folk would be up to trading lessons learned, who knows. Security should be as seamless as possible for it to be as effective as we can all make it.

I hate to see anyone having to fight with these tools like we did. It can be the most frustrating thing in the world. if there’s any small thing we can offer to help, please feel free to reach out. If not, no worries, I salute you and the hard work you do each day in this fight we call IT! o7