Have you ever added up how many different passwords you use in a day? Does your mind go blank when you sit down in front of the screen to type in yet another one? Ever wondered if all those forgotten passwords end up in the same place as those missing odd socks? And if you think you’ve got it bad, what about the IT administrator who has got hundreds to memorize, including the ones that give access to the most sensitive parts of the company.
The backbone of every enterprise infrastructure is a network of servers, network devices, security and other infrastructure that creates the complex communications network of a company. Every day, systems, network and security administrators log onto these critical infrastructure points for routine maintenance and repair. Many of them have “root” and “administrator” privileges, either with their personal user or with their commonly used accounts.
It’s surprising how many organizations resort to storing passwords on spreadsheets and databases. A quick penetration test will show just how easy it is to get at these documents. Mismanagement of administrative passwords is a major cause of security breaches and one of the top reasons for long recovery processes from IT failures.
The most effective way to reduce the hazards is to apply an effective policy, including:
- Creating a centralized policy and enforcement mechanism which covers all IT groups;
- Securely storing administrative passwords in a way that offers strong authentication, granular access control, encryption and auditing;
- Worldwide secure availability – with today’s distributed enterprises, administrators need access beyond network boundaries, where they can securely access and share passwords from anywhere;
- A dual-control mechanism – requiring two or more administrators to access passwords;
- Routinely changing passwords and track history;
- Intuitive auditing – as passwords are used or changed, organizations will need to audit and track access to vital systems to comply with new regulations;
- Disaster recovery plan – look into technologies for automated, safe replication of vital information;
- Providing a “safe haven” or vault within the network where all administrative passwords can be securely archived, transferred and shared.
Calum MacLeod is senior consultant for Cyber-Ark