Top-Down Password Protection

New tools can corral administrator-level access, but plan ahead to avoid costly downtime.

No Easy Pieces
Implementing a privileged account management system isn't a trivial process, and companies make a couple of common mistakes, says Adam Bosnian, VP of products and strategy at password management vendor Cyber-Ark Software. The first blunder companies make is confusing password management with identity management, Bosnian says. Privileged passwords are a manageable problem that can be solved in weeks or months. On the other hand, identity management for all users is a massive undertaking that can stretch out for years and doesn't address the risk posed by weak security of the most powerful accounts in the company.

The second mistake Bosnian mentions almost could be considered a feature: When all privileged passwords are changed as part of a company-wide system rollout, some people lose access they've always had. Even in companies with the best security practices in place, there are employees who need privileged access or have undocumented exceptions to normal job roles. While this can cause an immediate failure of some business processes, it also provides an opportunity to clean up such special cases and ensure that they're handled through proper channels in the future.

Beyond Access Control
Many vendors offer unique features that do more to control access to privileged accounts. For example, Cyber-Ark's just-announced Privileged Identity Management Suite version 5.0 will include the option of creating passwords that aren't presented to users.

Because employees often write down and share passwords, Cyber-Ark's Privileged Session Manager component and similar tools from other vendors can be configured to act as a sort of single-sign-on portal for servers. When an administrator requests access to a system, PSM proxies the actual connection and passes the credentials to the host system transparently, logging in the administrator directly.

PSM also can be configured to record the session between the administrator and the server. This recording can be saved for later review in case there are concerns about the actions taken by the administrator.

Storing a service's password in a clear-text configuration file is rarely a good idea; in fact, the Payment Card Industry Data Security Standard requires that such embedded passwords be eliminated before applications are placed into production. Most vendors offer an API that can replace such clear-text passwords with a library call that retrieves the password from the vault dynamically at runtime. They also include defenses to validate that an approved application, and not an intruder running the API code, is the one requesting the password.

Another barrier to controlling privileged passwords is finding them.

Phil Lieberman, president of Lieberman Software, says this makes changing passwords almost impossible for many companies. If they change a password without understanding everywhere it may be used, things will break. Most servers have several service accounts, used by processes running on the server to access server or network resources. While most privileged account managers can be configured to change these passwords, doing so without informing the service of the change will result in downtime and lots of scratching of heads.

6 Things To Look For In Password Account Managers

1. Ability to auto-discover every system and network application that uses privileged accounts
2. Support for high uptime through redundancy and simple disaster recovery
3. Agentless design that uses a server's native protocols to interactively log in and make password changes, with no preinstallation or configuration required
4. Workflow management to accommodate password-use exceptions in emergency situations
5. Role-based control and single-sign-on tie-in to simplify the granting of rights to administrators
6. In-depth report capability that can produce extensive reports suitable for presentation to auditors

While all privileged account managers can scan a network or Windows domain looking for systems to manage, Lieberman Software's Enterprise Random Password Manager extends its discovery of passwords to manage beyond typical operating system accounts. ERPM scans standard service configuration locations, and even entire servers, looking for instances of known passwords, and it can keep these password storage locations in sync with managed credentials, rotating them as required by policy.
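The discover-then-rotate sequence described above, and the "change it without knowing where it's used and things break" problem from the service-account paragraph, as an added illustration (this is not Cyber-Ark's, Lieberman Software's or any vendor's code): every embedded copy of a managed account's current password is located first, then all copies are rewritten in one step and the result is checked for leftovers. The file paths, account name and password values are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample configuration files, standing in for the service
# configuration locations a manager would scan. Paths and values are made up.
SAMPLE_FILES = {
    "/etc/app/db.ini": "user=svc_report\npassword=Winter2014!\nhost=db01\n",
    "/opt/jobs/nightly.sh": "#!/bin/sh\nexport DB_PASS='Winter2014!'\n./run\n",
    "/etc/app/cache.conf": "ttl=300\npassword=unrelated-secret\n",
}


@dataclass
class RotationPlan:
    """Where a managed account's password is embedded: path -> line numbers."""
    account: str
    references: dict = field(default_factory=dict)


def discover_references(files, account, current_password):
    """Scan every configuration location for the account's current password
    so that rotation can update all of them, not just the account itself."""
    plan = RotationPlan(account)
    for path, text in files.items():
        hits = [n for n, line in enumerate(text.splitlines(), 1)
                if current_password in line]
        if hits:
            plan.references[path] = hits
    return plan


def rotate_in_sync(files, plan, old_password, new_password):
    """Rewrite each discovered reference with the new password and return the
    updated contents. A real manager would change the password on the target
    system in the same step, so the account and its consumers stay in sync."""
    updated = dict(files)
    for path in plan.references:
        updated[path] = files[path].replace(old_password, new_password)
    return updated


def leftover_references(files, old_password):
    """Post-rotation check: any file still holding the old password is a
    consumer the discovery step missed and a likely source of downtime."""
    return sorted(p for p, text in files.items() if old_password in text)
```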

Most privileged password managers enable organizations to build a workflow around access to passwords. This allows a company to specify which users need approval before accessing passwords, and can automatically route these requests to managers for approval. Hitachi ID Systems' Privileged Password Manager can automatically escalate unapproved requests, searching out additional approvers in cases where the originals fail to respond in a timely manner.

The workflow can be configured to require multiple approvers, implementing a true separation of duties. Workflow can be especially useful for providing access to employees who might not normally need access, such as during a disaster or when regular admins are unavailable.
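A simplified model of the approval workflow described in the last two paragraphs, added here as an illustration (not Hitachi ID's or any vendor's implementation): a request needs two distinct approvers other than the requester, and if it sits unanswered past a timeout the approver set is widened from an escalation pool. Names, the account and the timeout value are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class AccessRequest:
    requester: str
    account: str
    approvers: list                 # primary approvers
    escalation_pool: list           # additional approvers used after a timeout
    required: int = 2               # separation of duties: two distinct approvers
    timeout: int = 3600             # seconds before an unanswered request escalates
    created_at: int = 0             # epoch seconds when the request was filed
    approvals: set = field(default_factory=set)
    active_approvers: list = field(init=False)

    def __post_init__(self):
        self.active_approvers = list(self.approvers)

    def approve(self, approver):
        """Record an approval; returns True once enough distinct approvers agree."""
        if approver == self.requester:
            raise PermissionError("requester cannot approve their own request")
        if approver not in self.active_approvers:
            raise PermissionError(f"{approver} is not an approver for this request")
        self.approvals.add(approver)   # a set, so one person cannot count twice
        return self.is_granted()

    def is_granted(self):
        return len(self.approvals) >= self.required

    def escalate_if_stale(self, now):
        """If still pending after the timeout, add the escalation pool to the
        approvers who may act. Returns True when an escalation happened."""
        if self.is_granted() or now - self.created_at < self.timeout:
            return False
        for extra in self.escalation_pool:
            if extra not in self.active_approvers:
                self.active_approvers.append(extra)
        return True
```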

Once you start relying on a system to provide critical access to all your other systems, your password manager must be rock solid. Besides internal redundancies, look for systems that provide for multiple layers of fault tolerance. Clustering also is a feature to look for, as is the ability to distribute agents throughout your network. These agents spread out the work of setting and checking passwords on the systems throughout your network, preventing bottlenecks and providing extra redundancy.

Passwords are still our first line of security, keeping outsiders out and insiders away from functions they shouldn't touch. The ever-increasing complexity of both networks and organizations makes managing these passwords ever more difficult, and accountability legislation such as Sarbanes-Oxley places high stakes on getting this right.

Avi Baumstein is an information security analyst at the University of Florida's Health Science Center.
