In our business, we hear a lot of real-life stories about IT administrators sharing passwords to privileged accounts and systems, or end users doing, well, interesting things with their login credentials. You get somewhat immune to it after a while, but even I was surprised when one of our new employees several months ago described how a state agency enabled IT support personnel to easily maintain an after-hours “on call” list.
Meeting new people who have been in the industry for a while is always insightful. Turns out one of our new employees recently worked for a state government organization that allowed administrators to share passwords. And here's where our story begins: it was accepted practice for the IT staff to email a detailed Excel spreadsheet with all the login credentials for their hundreds of server systems out to a rapidly growing number of administrators within the organization. It's worth mentioning that many of these administrators were actually contractors or temp workers, not employees. With the “keys to the kingdom” in the hands of so many individuals, it's difficult to maintain control over who performed what commands on a system. And because the credentials are shared, you don't have admins logging in as themselves; instead, they are logging in anonymously. Let's recap: contractors and employees, logging in with root privileged access, with no ability to track the identity of who made what changes. I'd have to imagine that IT management didn't really understand this was happening.
IT administrators are responsible for running the operational side of things in organizations and this is clearly no easy task. Systems need to be fast and they need to work every time or users get ticked off and make a phone call. In fact, it's precisely for this reason that they initiated the sharing of root passwords via the Excel spreadsheet. Why? Because when administrators have access to all the systems, this allows them to be placed on the “on call” rotation list. You know, when someone has to be on stand-by over the weekend or late at night if there is an issue that needs immediate attention. No single person wanted to shoulder the burden of being the “on call” person. Openly sharing the credentials solved their “on call” problem, but most would agree it didn't strike the right balance between efficiency and security.
Today, the challenges associated with identity and access management are even greater. So are the consequences. That's because the scope of identity now extends well beyond the on-premises data center environment. As we all know, organizations are now adopting mobile devices and cloud-based applications, i.e. software-as-a-service (SaaS), to reduce costs, shorten time to market, and further business agility and productivity across their distributed workforce. The net effect is that more IT resources are outside the visibility, management and even ownership of the IT organization.
IT architects are researching ways to deal with these new trends, and finding that the common thread – the reliable “constant” across their extended IT environment – is identity. These architects are aware that silos or “islands” of identity didn't work out so well in the past. Let's not repeat the same oversight as we embrace SaaS and mobile. We recently surveyed about 200 IT professionals and, not surprisingly, three out of four said that identity and access management would become “more challenging” or “significantly more challenging.”
Salesforce.com, Webex, Office365, NetSuite… the list is growing. New applications and mobile devices will come and go; however, identity and access management will evolve to allow organizations to embrace these new computing models that make their workers more productive, and give their IT folks the right privileged access to servers and apps.
The rest of the story: The sharing of passwords at the state organization ended up being an issue on the CIO's desk last fall. It turned out that one of the contractors with the Excel spreadsheet was a citizen of a (somewhat volatile) foreign country. One day, he left the job promptly and returned to his home country. No way to tell if he took the Excel list of passwords with him, and that's part of the problem. No way to tell. If he had his own credentials to the systems you could simply de-provision him and avoid a lot of risk. This organization doesn't share passwords anymore.
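To make the attribution problem from the spreadsheet story concrete, here is an added example (not code from the original post or from the state organization it describes) that scans auth.log-style lines and separates sudo-elevated commands, which carry the admin's own identity, from direct logins to the shared root account, which carry none. The host name, user names, addresses and log lines are constructed.

```python
import re

# Constructed sample lines in the usual syslog/auth.log shape (not real data).
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:07 db01 sshd[2211]: Accepted password for root from 10.0.5.23 port 51022 ssh2
Mar  3 02:15:40 db01 sudo:   jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/sbin/service postgresql restart
Mar  3 02:16:02 db01 sshd[2250]: Accepted publickey for jsmith from 10.0.5.40 port 51100 ssh2
Mar  3 03:01:11 db01 sshd[2301]: Accepted password for root from 10.0.7.9 port 40021 ssh2
Mar  3 03:02:30 db01 sudo:   mchen : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/vi /etc/hosts
"""

# sshd "Accepted <method> for <user> from <src>" and the standard sudo syslog record.
SSH_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def classify_privileged_access(log_text):
    """Return (attributable, anonymous): commands run as root by a named admin
    via sudo, versus direct logins to the shared root account where the
    person behind the session cannot be identified from the log."""
    attributable = []  # (admin, command): we know who did what
    anonymous = []     # source address of each direct root login: identity lost
    for line in log_text.splitlines():
        m = SSH_RE.search(line)
        if m and m.group("user") == "root":
            anonymous.append(m.group("src"))
            continue
        m = SUDO_RE.search(line)
        if m and m.group("target") == "root":
            attributable.append((m.group("user"), m.group("cmd").strip()))
    return attributable, anonymous


def summarize(log_text):
    """Compact report: which admins are individually accountable, and how
    many root sessions could belong to anyone holding the shared password."""
    attributable, anonymous = classify_privileged_access(log_text)
    return {
        "admins_seen": sorted({admin for admin, _ in attributable}),
        "attributable_commands": len(attributable),
        "anonymous_root_logins": len(anonymous),
        "root_login_sources": sorted(set(anonymous)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_AUTH_LOG))
```

A non-zero count of anonymous root logins is the signal that someone is still using the shared credential rather than their own identity; only the sudo entries give you a name to de-provision.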
Managing identity is hard enough to do in a traditional data center comprised of heterogeneous systems and applications. Throw into this mix the additional identity silos and heterogeneity introduced with new SaaS apps and mobile platforms, and it becomes even more difficult to ensure that critical IT tasks such as de-provisioning user access, running compliance reports, and managing privileged user access are easily and fully implemented.
Bottom line: regardless of where the servers, devices and applications reside, or who owns them, IT organizations still require controls over these resources that are consistent with security and compliance best practices. One key aspect of these controls involves IT staff managing users' digital identities, and managing the corresponding roles and rights those identities have across mobile devices, servers and applications. IT must still manage who can access what systems and apps, whether those systems are down the hallway in their office or across the country in the cloud. Unifying identity across the environment provides a great starting point.