3 Questions: Password security starts with admins

Best practices for password management


By Terry Sweeney

With Nir Gertner, CTO of security vendor Cyber-Ark Software Inc. in Dedham, MA, who has more than a decade of experience in enterprise systems security.

This interview originally appeared in the IT Business Edge weekly report on Fortifying Network Security. To see a complete listing of IT Business Edge weekly reports or sign up for this free technology intelligence agent, visit http://www.itbusinessedge.com.


Question:
Patch management has stolen a lot of thunder in the security market with all the malicious code attacks. Why should enterprises be concerned with password management?

Gertner: The backbone of every enterprise infrastructure is a massive network of servers, network devices, security, and other infrastructure that creates the complex communications network of a company. System, network, and security administrators log on to these critical infrastructure points for routine maintenance and repair using root and administrator privileges. Although enterprises have gone to great lengths to educate end users on the importance of choosing complex passwords and changing them often, this approach is not enough. ... Administrative privileges are required for emergency and disaster recovery scenarios; only a reliable password management policy can guarantee that the correct passwords will be promptly available in these time-sensitive circumstances. Additionally, some administrative accounts must be shared among several people, for instance with network devices that support only a single defined user or when operations staff needs to solve problems after business hours. This results in administrative passwords becoming widely known and changed less frequently than required. Administrators have the best intentions, but the more those passwords exchange hands or remain unchanged, the greater the likelihood of a security breach. The traditional password security system falls short when applied to administrative passwords.


Question:
What's the biggest mistake most enterprises make where password management is concerned?

Gertner: As a stopgap measure, many enterprises store passwords for their critical systems in files like spreadsheets and simple databases. A quick penetration test will show just how easy it is to get at these documents. If large organizations didn't demand near-instant access for administrators struggling to keep up with crashes and maintenance, the problem of password security would be fixed. But since this is highly unlikely to happen, organizations have to get serious and look closely at the way they save passwords and how information security and network/security management controls and manages them. Mismanagement of administrative passwords is a major cause for security breaches and one of the top reasons for long recovery processes from IT failures.


Question:
What sorts of best practices do you also encourage customers to follow, in addition to using your password management products?

Gertner: There are seven key practices a company should include as part of an administrative password control and management policy:
  • Centralize administration: It is important to take steps to create a centralized policy, procedures, and enforcement mechanism. Without this centralization, there is no way to ensure that each business or technical unit is doing its best to protect passwords.
  • Secure storage: Administrative passwords should be saved in secure storage that offers strong authentication, granular access control, encryption, and auditing.
  • Worldwide, secure availability: With today's distributed enterprises, administrators need access beyond network boundaries to securely access and share passwords.
  • A dual-control mechanism: This mechanism requires two or more administrators to access passwords to the most sensitive, or vulnerable, servers.
  • Routinely change passwords and track history.
  • Intuitive auditing: As passwords are used, changed, or added, organizations will need to audit the whereabouts and use of passwords.
  • Disaster recovery plan: Companies need to look into technologies for automated, safe replication of vital administrative information that can guarantee the availability of vital accounts in time of need.