When password management comes to mind, most IT managers think of their own personal passwords or those of end users, which are used to access the company's network, sales database or e-mail systems.
But there's another set of passwords that's at the heart of the enterprise operation. These passwords are critical and sensitive, and yet their security and management are often overlooked. I am referring to administrative passwords.
The backbone of every enterprise infrastructure is a massive network of servers, network devices, and security and other infrastructure that creates the complex communications network, or nerve center, of a company. Every day, systems, network and security administrators are logging on to these critical infrastructure points for routine maintenance, repair and application of the most updated security patches. Many of them are running around with "root" and "administrator" privileges, either on their personal user accounts or on their commonly used accounts.
Companies have gone to great lengths to educate end users and implement tools to help them choose complex passwords, avoid obvious ones, stop leaving them on Post-it notes and change them frequently. It goes without saying that the same precautions apply to administrative passwords. Since administrative user rights are extremely powerful, there's a need for an extra level of caution.
To begin with, some administrative accounts must be shared among several people. Some network devices, for instance, support only a single defined user, or the operations staff may need to solve a problem after business hours. This results in administrative passwords becoming widely known and changed less frequently. Since administrative privileges are required for emergency and disaster recovery scenarios, only a reliable password management policy can guarantee that the correct passwords will be promptly available in these time-sensitive circumstances.
Administrators have the best intentions, but the more those passwords change hands or remain unchanged, the greater the likelihood of a security breach. At the same time, companies need to give near-instantaneous access to these resources to keep the infrastructure in tip-top shape. This creates a catch-22 situation that often results in accessibility trumping security.
Establishing a password-control and change management program
As a stopgap measure, many companies store passwords for these systems in files like spreadsheets and simple databases. A quick penetration test will show just how easy it is to get at these documents. Mismanagement of administrative passwords is a major cause of security breaches and one of the top reasons for long recovery processes from IT failures.
The problem would be easy to fix if large organizations didn't demand near-instant access for administrators struggling to keep up with crashes and maintenance. But since this is unlikely to change, companies have to look closely at the way passwords are saved, controlled and managed.
They should start with a formal password-control program that expands upon best-practice policies and uses technologies that enable companies to have the accessibility and security needed for administrative passwords. This type of program combines policies with controls, changes and audits to ensure best practices.
Here's a checklist that should be included as a part of an administrative password-control and change management policy that can be used when creating a program and evaluating the software and services to support it:
- Centralized administration: Often, different IT groups control different pockets of passwords. It's important to take steps to create a centralized policy, procedures and enforcement mechanism. Otherwise, there is no way to ensure that each business or technical unit is doing its best to protect the keys to the kingdom.
- Secure storage: Administrative passwords should be securely stored in a way that offers strong authentication, granular access control, encryption and auditing to safeguard every password.
- Worldwide secure availability: At the same time, remote access is also critical. With today's distributed enterprises, administrators need access beyond network boundaries, where they can securely access and share passwords from anywhere within or outside the enterprise network.
- A dual-control mechanism: This would require two or more administrators to access passwords to the most sensitive or vulnerable servers.
- Routinely change passwords and track history: In addition to secure storage, the only way to ensure the long-term security of passwords is to alter them routinely.
- Intuitive auditing: As passwords are used, changed or added, organizations will need to audit the whereabouts and use of passwords without poring over log files. A new wave of regulatory compliance measures is also driving routine auditing and tracking of access to vital systems.
- Disaster recovery plan: Administrative accounts play a major role in recovering from incidents that range from a simple problem to a full off-site disaster recovery. Look into technologies for automated, safe replication of vital administrative information that can guarantee the availability of those accounts in time of need.
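The dual-control, routine-change and auditing items in the checklist can be modeled in a few lines. This is an added example, not code from the article or from any product; the Vault class, the account names used with it and the 30-day rotation interval are assumptions made for illustration.

```python
import secrets
from datetime import timedelta

MAX_AGE = timedelta(days=30)  # assumed rotation interval; the article names none

class Vault:
    """Control flow only: a real vault encrypts secrets and authenticates callers."""
    def __init__(self):
        self.entries = {}    # account -> secret, change history, approvers needed
        self.approvals = {}  # (account, requester) -> set of approvers
        self.audit = []      # append-only (time, actor, action, account) records

    def _log(self, now, actor, action, account):
        self.audit.append((now, actor, action, account))

    def rotate(self, account, actor, now, approvers_needed=None):
        entry = self.entries.setdefault(account, {"history": [], "need": 0})
        if approvers_needed is not None:
            entry["need"] = approvers_needed
        entry["secret"] = secrets.token_urlsafe(24)  # old value is discarded
        entry["history"].append(now)                 # track when, never what
        self._log(now, actor, "rotate", account)

    def approve(self, account, requester, approver, now):
        if approver == requester:  # dual control: nobody approves themselves
            self._log(now, approver, "self-approval-rejected", account)
            return False
        self.approvals.setdefault((account, requester), set()).add(approver)
        self._log(now, approver, "approve", account)
        return True

    def checkout(self, account, requester, now):
        entry = self.entries[account]
        granted = self.approvals.get((account, requester), set())
        if len(granted) < entry["need"]:
            self._log(now, requester, "checkout-denied", account)
            return None
        self.approvals.pop((account, requester), None)  # approvals are single use
        self._log(now, requester, "checkout", account)
        return entry["secret"]

    def overdue(self, now):
        """Accounts whose last change is older than MAX_AGE."""
        return sorted(a for a, e in self.entries.items()
                      if now - e["history"][-1] > MAX_AGE)

    def usage(self, account):
        """Audit view for one account, without reading raw log files."""
        return [(actor, action) for _, actor, action, acct in self.audit if acct == account]
```

Denied requests and rejected self-approvals are logged alongside successful checkouts, so the audit view shows attempts as well as use.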
As a final note, it's important to emphasize that the goal of the password management program is not to add a new, overly burdensome layer of management to an already jam-packed day. With the right mix of commercially available software, best practices and a little forethought, organizations can implement these best practices quickly and without disrupting or jeopardizing critical day-to-day management functions.
Calum Macleod is Senior IT Consultant, Cyber-Ark.