One of today's biggest IT headaches is managing privileged passwords, the super-powerful codes such as administrator on a Windows server, Root on a UNIX server, Cisco Enable on a Cisco device, as well as embedded passwords found in applications and scripts.
If privileged passwords are not properly managed and secured, it leaves critical applications and the data they contain vulnerable to deliberate or inadvertent misuse, breaches and data theft.
In fact, up to 70 percent of system breaches are caused by internal users, and in particular, privileged administrators and power users who accidentally or deliberately damage IT systems or release confidential data assets. To make your temples throb even more, a recent survey showed that most enterprises have more passwords for privileged accounts than for individuals (Source: Cyber-Ark Privileged Password Survey 2006.)
As companies continue to leave a multitude of privileged passwords unchecked, they are inadvertently creating a critical security risk that enterprises can no longer ignore and must address. For this reason, privileged accounts are under increasing scrutiny by internal and external auditors, and the inability to safeguard the use of administrative or privileged passwords is becoming one of the key reasons that many organizations fail compliance audits.
Privileged password management should be a basic tenet of IT security best practices, regardless of where an organization is or what products and services it offers. So how can you get privileged passwords under control, fast?
I work for a software company that specializes in managing privileged passwords, and here are the top six steps I see successful organizations take when they enter this area.
1. Count your privileged passwords
This is a simple step, but one that's often overlooked. For example, one Fortune 100-sized company found that each of their 300 Oracle databases had about 30 pre-defined accounts, including SYS, SYSTEM, DBSNMP, CTXSYS, MDSYS, WMSYS and XDB. This quickly added up to 9,000 privileged passwords on Oracle alone! The best way to start managing privileged passwords is to create a checklist of operating systems, databases, appliances, routers, servers, directories, and applications throughout your enterprise. Each target system typically has between one and five privileged accounts. Add them up and determine which area poses the greatest risk. With this data in hand, you can easily create a plan to secure, manage and automatically change and log all privileged passwords.
2. Personalize who has privileged or super user access
Auditors require that enterprises prove which individual identity, such as Jane Doe, accessed a shared privileged account, such as UNIX root user. How can you accomplish this task? The most straightforward method is to centralize all your privileged passwords into one spot. However, once you have all your most powerful passwords in one place, it should be the most secure area in your organization. By the end of step two, make sure your password storage is well-protected.
3. All inactive accounts should be disabled after 60 days and deleted after 90 days.
This control is critical in large organizations, which can have hundreds of people coming and going every few months. Meanwhile, the complexities of the human resources process can make it hard to delete inactive accounts from an Active Directory environment. Throw in weak password policies and you have the makings of substantial risk from inactive accounts.
4. Make sure that passwords expire regularly
Most organizations will apply a password expiration policy for general users, but frequently privileged users and administrators who are responsible for management will exclude the privileged accounts from this process. A common issue found by auditors is that administrators exclude themselves from the password expiration cycle, by selecting the "Password Never Expires" flag. Be sure to avoid this trap and change privileged passwords per company policy.
5. Don't forget embedded accounts
One aspect that can frequently be overlooked is the embedded account, and the individuals who have access to this account. There are probably hundreds, if not thousands, of embedded accounts in most organizations. These passwords are hard-coded in applications that require access to databases or other information sources. Since the application is incapable of working with an identity management system or an authentication system that requires interaction with the host system, the account credentials are embedded in the application code. Remember to include these accounts in your privileged password list.
6. Automate, automate, automate
Wherever possible, automate all of the above processes. One of the problem areas in IT is that it is virtually impossible to anticipate the details required for an audit, such as what systems and privileged users will be examined, what period of time, etc. Trying to compile this manually increases the time required and the likelihood of error. This in turn can result in a control risk, and will only extend the auditing process. The end result is increased costs associated with an audit, and additional costs of meeting the compliance requirements. The goal: A successful and non-time-consuming audit
In today's environment, it's not a question of if the issue of privileged passwords will cross the IT doorstep, only when. If you are prepared with a comprehensive assessment of your password liability, a solid policy for controlling privileged passwords, and a reasonable plan for implementing a management system, then I feel confident you can leave your aspirin in the bottle. Managing privileged passwords will be one IT headache you'll miss!
Calum MacLeod is European Director of Cyber-Ark
