Last week a software vendor published a survey stating that over 40% of IT staff abuse administrative passwords to access sensitive information that’s not relevant to their jobs.
The vendor that conducted the survey stakes its claim to the password vault market, promoting an approach to controlling privileged logins that relies on spreadsheets and other hand-maintained documents. The lists are kept in a secure data store with monitored access.
Use of a password vault might keep the privileged identity problem out of sight of auditors, but it disguises the fact that the spreadsheets often contain never-changing passwords known to too many individuals inside and outside of IT. The unfortunate consequence remains that too many people still have too much access for too long, with complete disregard for even the most basic requirements of “need to know.”
Like others in this market, this vendor also develops a product to automate the changing and recovery of privileged passwords. Our advice is to treat the claims of all vendors in this category with skepticism. We’ve heard from more than a few organizations about deployments that bring the buyers into a trough of misery as soon as it’s discovered that the products fail to cover changing IT environments for more than a few weeks – that is, unless the vendor stages expensive professional services staff permanently on site.
A Better Solution Than Using a Password Vault
The right solution is to implement technology that can autonomously, automatically and dynamically find and manage all of the privileged (sensitive) accounts without reliance on human beings or professional services contracts to keep the security working. This includes not only the administrator logins used by IT staff, but also the privileged identities coded into line-of-business applications, databases, web apps, directories, and other IT assets. Left unsecured, any of these credentials can be used to access your most sensitive data.
To solve the problem of unsecured privileged identities, organizations should expect controls to operate and be verifiable 24 hours a day. Consider that in some environments passwords ought to be changed every 1 to 24 hours; without the right technology this is impossible to accomplish.
A second important mindset is to accept that privileged credentials should only be provided for a limited amount of time and only for authorized purposes. After the approved time interval is over, an issued password must be changed automatically and all applications that use it must also be updated by a solid re-key process.
The move to real privileged identity security can be accomplished in weeks with the right technology and the proper mindset: super-user credentials must be requested, and it is understood that they will stop working after a few hours. This means that administrators and Help Desk staff will need to follow a process and be accountable for their access and actions.
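The lifecycle described above (a privileged password issued only for an approved purpose and a bounded interval, then changed automatically with every dependent application re-keyed in the same step, and an audit trail of all of it) can be modelled in a few dozen lines. The following is an added example written for this post, not code from the original article or from any vendor's product; the broker class, the `svc_backup` account, its two consumers and the ticket reference are all constructed for illustration, and a real deployment would call the target systems' password-change and reconfiguration interfaces where this model simply updates in-memory records.

```python
"""Just-in-time privileged credential leases with automatic rotation and re-keying.

Added illustration only: the classes and sample data below are constructed to
model the process in the post, not any particular product.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Consumer:
    """An application, service or scheduled task that embeds the account's password."""
    name: str
    stored_password: str  # what the consumer currently has configured


@dataclass
class ManagedAccount:
    name: str
    password: str
    consumers: List[Consumer] = field(default_factory=list)


@dataclass
class Lease:
    account: str
    requester: str
    purpose: str
    expires_at: int
    password: str


class PrivilegedIdentityBroker:
    """Hands out time-boxed privileged passwords and rotates them when the lease ends."""

    def __init__(self, clock):
        self.clock = clock                # callable returning the current time in seconds
        self.accounts: Dict[str, ManagedAccount] = {}
        self.leases: List[Lease] = []
        self.audit: List[dict] = []       # append-only event log for auditors

    def enroll(self, name: str, consumers: List[str]) -> None:
        """Bring an account under management and seed every consumer with its password."""
        pw = secrets.token_urlsafe(18)
        self.accounts[name] = ManagedAccount(name, pw, [Consumer(c, pw) for c in consumers])

    def request(self, requester, account, purpose, ttl_seconds, approved) -> Lease:
        """Issue the current password only for an approved purpose and a bounded interval."""
        if not approved:
            self._log("denied", account=account, requester=requester, purpose=purpose)
            raise PermissionError(f"{requester}: access to {account} not approved")
        acct = self.accounts[account]
        lease = Lease(account, requester, purpose, self.clock() + ttl_seconds, acct.password)
        self.leases.append(lease)
        self._log("issued", account=account, requester=requester,
                  purpose=purpose, expires_at=lease.expires_at)
        return lease

    def enforce(self) -> List[str]:
        """Expire overdue leases: rotate the password and re-key every consumer."""
        now = self.clock()
        rotated = []
        for lease in [l for l in self.leases if l.expires_at <= now]:
            self.leases.remove(lease)
            self.rotate(lease.account, reason=f"lease for {lease.requester} expired")
            rotated.append(lease.account)
        return rotated

    def rotate(self, account, reason) -> None:
        """Change the secret and push it to all consumers, so nothing keeps running on the old one."""
        acct = self.accounts[account]
        acct.password = secrets.token_urlsafe(18)
        for c in acct.consumers:
            c.stored_password = acct.password
        self._log("rotated", account=account, reason=reason,
                  consumers=[c.name for c in acct.consumers])

    def authenticate(self, account, password) -> bool:
        """Constant-time comparison so the check does not leak via timing."""
        return secrets.compare_digest(self.accounts[account].password, password)

    def consumers_in_sync(self, account) -> bool:
        acct = self.accounts[account]
        return all(c.stored_password == acct.password for c in acct.consumers)

    def _log(self, event, **fields):
        self.audit.append({"time": self.clock(), "event": event, **fields})


def demo():
    """Walk one lease through issue, expiry and rotation with a controllable clock."""
    now = [0]
    broker = PrivilegedIdentityBroker(clock=lambda: now[0])
    broker.enroll("svc_backup", consumers=["backup-job", "monitoring-agent"])
    lease = broker.request("alice", "svc_backup", "ticket INC-0001 (constructed)",
                           ttl_seconds=4 * 3600, approved=True)
    valid_during = broker.authenticate("svc_backup", lease.password)
    now[0] += 4 * 3600 + 1                    # clock passes the approved interval
    rotated = broker.enforce()
    valid_after = broker.authenticate("svc_backup", lease.password)
    return valid_during, valid_after, rotated, broker.consumers_in_sync("svc_backup"), broker.audit
```

Two design points are worth noting. `enforce()` is meant to be driven by a scheduler, so the rotation happens whether or not the requester remembers to "check in" the password, which is the property the post is asking for. The same `rotate()` path also serves a mandated periodic change: a scheduled job that calls it every 30 to 90 days re-keys the dependent applications in the same operation, rather than leaving them to fail against a password that changed elsewhere.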
Even with the best technology, in some organizations the individuals’ desire to avoid accountability can hinder progress unless C-level staff guide the change for the benefit of the operation as a whole. Poor security as a convenience to IT is a dangerous way to run an organization.
Funny thing about this improvement: your auditors can become a lot happier and your IT staff will find its workload reduced. Once there’s a process in place to grant IT staff fast, audited access, and your hardware is protected from viruses and hackers that gain access through common credentials, you’ll find that fewer IT staff hours are wasted. Even mandated 30-90 day service and application password changes can now be handled in minutes without disruption to the business.
It is amazing how easy and trouble-free security can be to accomplish with the right technology. The total cost of ownership (TCO) is minuscule compared to choosing the wrong solution – or no solution at all.