In spite of the billions of dollars that enterprises spend each year in an effort to secure their environments and achieve regulatory compliance, many still fail at the most basic security tasks. The fact of the matter is that many organizations do not properly manage their credentials, exposing themselves to untold risk.
The only way to attack these problems is to expose them for what they are. So here are five of IT’s secrets about enterprise password management:
Let’s start by looking at how some organizations achieve that all-important rubber stamp of regulatory compliance.
The problem with many audits is that they only test security at a single point in time. Think about it. Let’s say that on January 1 you pass your PCI-DSS audit. Then, on January 15, you bring in a new system that is not included in your password management process. Are you still compliant? Until another auditor comes in, you are indeed compliant. The state of your security, however, is a different matter.
The issue here is that the IT infrastructure is a dynamic ecosystem. There are always new systems coming in. Security falls apart if the tools and processes around your password management don’t account for change.
Shutting Off Access
The lowest hanging fruit that an organization can address concerning password management involves former employees. When people leave the company, you need to change your administrative passwords to keep ex-employees out of your systems.
Former IT employees are potentially serious security threats. These are the people who generally hold the password secrets that allow them to log in to systems and applications throughout the network. If their privileged logins are not shut off, odds are these ex-employees can still gain access long after their employment ends. Yet many organizations keep the same static administrative passwords for months, if not longer. That gives former employees all the time they need to get back into their old systems.
Blind Faith in Provisioning Systems
This secret is in line with the previous one. Many organizations rely on their Identity and Access Management (IAM) products to provision and de-provision users. But they don’t necessarily think about the difference between user accounts and privileged accounts.
Conventional IAM products typically manage individual user identities. They don’t manage the privileged identity passwords used to access systems, run programs and change configuration settings.
So if you want to keep your critical systems in check, you need a Privileged Identity Management (PIM) solution that can control your privileged accounts, as well as an IAM solution for your user accounts.
Privileged Account Stasis
We’ve already touched on privileged accounts, so let’s explore that a bit more.
These accounts are more prevalent than you might think. For example, take your database infrastructure. There are likely hundreds, if not thousands, of applications making connections to the databases to retrieve information. These applications have their own credentials to access the databases. If your organization doesn’t have a product to automatically manage them, it’s likely that these credentials rarely change.
What organizations are left with is a security and compliance nightmare. Any person who happens to come across these credentials can access your most precious data stores. Also, there is usually no way for you to tell which individuals are accessing these systems.
And because these credentials rarely – if ever – change, there’s no way to close up this password Pandora’s Box. The information is out there and your people won’t unlearn those passwords – unless you have a PIM product to continuously update them.
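The three gaps described so far (systems added after the audit that never get enrolled in password management, administrative secrets still known to former staff, and application credentials that are never rotated) can all be caught by one reconciliation check run continuously rather than once a year. The script below is an added illustration, not code from the original article or from any PIM product; the asset inventory, vault enrollment list, credential records, HR roster and 90-day rotation policy are constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample data (not from a real environment).
# Every system the organization knows about ...
ASSET_INVENTORY = {"db-prod-01", "db-prod-02", "erp-app-01", "fw-edge-01"}
# ... versus the systems actually enrolled in the password vault.
# fw-edge-01 was brought in after the audit and never enrolled.
VAULT_ENROLLED = {"db-prod-01", "db-prod-02", "erp-app-01"}
# Current HR roster; "dave" has left the company.
ACTIVE_STAFF = {"alice", "carol"}

# Credential records the vault holds: who has ever been shown the secret,
# and when it was last rotated.
CREDENTIALS = [
    {"system": "db-prod-01", "account": "sa",
     "last_rotated": date(2024, 1, 2), "known_by": {"alice"}},
    {"system": "db-prod-02", "account": "app_svc",
     "last_rotated": date(2022, 6, 1), "known_by": {"alice", "dave"}},
    {"system": "erp-app-01", "account": "root",
     "last_rotated": date(2023, 11, 20), "known_by": {"carol", "dave"}},
]

ROTATION_POLICY_DAYS = 90  # assumed policy: privileged secrets rotate at least every 90 days


def unmanaged_systems(inventory, enrolled):
    """Systems in the asset inventory that the password manager does not cover."""
    return sorted(inventory - enrolled)


def overdue_credentials(credentials, today, max_age_days=ROTATION_POLICY_DAYS):
    """Credentials whose last rotation is older than the policy allows."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted((c["system"], c["account"])
                  for c in credentials if c["last_rotated"] < cutoff)


def exposed_to_departed(credentials, active_staff):
    """Credentials still known to someone who is no longer on the roster.
    These must be rotated regardless of age."""
    findings = []
    for c in credentials:
        leavers = c["known_by"] - active_staff
        if leavers:
            findings.append((c["system"], c["account"], sorted(leavers)))
    return sorted(findings)


def drift_report(inventory, enrolled, credentials, active_staff, today):
    """One report combining the three checks; run it on a schedule, not once a year."""
    return {
        "unmanaged_systems": unmanaged_systems(inventory, enrolled),
        "overdue_credentials": overdue_credentials(credentials, today),
        "exposed_to_departed": exposed_to_departed(credentials, active_staff),
    }


if __name__ == "__main__":
    for key, value in drift_report(ASSET_INVENTORY, VAULT_ENROLLED, CREDENTIALS,
                                   ACTIVE_STAFF, date(2024, 2, 1)).items():
        print(f"{key}: {value}")
```

The point of the report is that a clean audit on January 1 says nothing about February 1: the unmanaged firewall, the two secrets still known to a departed administrator and the service-account password that has not changed since 2022 all surface only because the check is rerun.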
Cumulative Access Rights
Without any privileged password management controls, most long-term enterprise employees collect credentials like a janitor collects keys.
Here’s how it works. Bob starts out working in accounts receivable (AR). He’s provisioned with access to accounts receivable systems. He then moves over to accounts payable (AP). His AR credentials are never revoked, but now he’s also given access to AP systems. A couple of years down the line, Bob is temporarily assigned to a cross-functional accounting task force. In this role he needs credentials to some other specialized systems. After the task force completes its project, Bob still retains his access rights to all those special systems. And now the organization has on its hands a user with a toxic combination of access rights into critical financial systems.
To combat this accumulation of access, organizations need to establish that access to systems is never open-ended. And when there is a purpose for access, there needs to be an approval workflow in place to ensure that the access is time-limited and audited. No user should have unlimited access forever.
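The approval workflow the article calls for can be modelled as a ledger in which every grant carries a purpose, an approver and an expiry, and access is computed from the ledger on a given date rather than from whatever was provisioned in the past. The code below is an added example written for this article, not the article's own or any vendor's implementation; Bob's grants, the approver names, the 90-day maximum grant length and the system names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MAX_GRANT_DAYS = 90  # assumed policy ceiling; longer needs are re-approved as new grants


@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    purpose: str
    approver: str
    start: date
    expires: date


class GrantPolicyError(ValueError):
    """Raised when a request would create an unapproved or open-ended grant."""


class AccessLedger:
    def __init__(self):
        self.grants = []
        self.audit_log = []  # every decision is recorded, approved or refused

    def grant(self, user, system, purpose, approver, start, days):
        """Record a time-limited grant; refuse anything without an approver,
        without a purpose, or longer than the policy maximum."""
        if not approver:
            self.audit_log.append(f"REFUSED {user}->{system}: no approver")
            raise GrantPolicyError("grant requires an approver")
        if not purpose:
            self.audit_log.append(f"REFUSED {user}->{system}: no purpose")
            raise GrantPolicyError("grant requires a stated purpose")
        if days <= 0 or days > MAX_GRANT_DAYS:
            self.audit_log.append(f"REFUSED {user}->{system}: {days} days")
            raise GrantPolicyError(f"grant length must be 1..{MAX_GRANT_DAYS} days")
        g = Grant(user, system, purpose, approver, start, start + timedelta(days=days))
        self.grants.append(g)
        self.audit_log.append(
            f"GRANTED {user}->{system} ({purpose}) by {approver}, {start}..{g.expires}")
        return g

    def effective_access(self, on):
        """(user, system) pairs that are live on the given date."""
        return sorted({(g.user, g.system) for g in self.grants
                       if g.start <= on <= g.expires})

    def revocations_due(self, on):
        """Grants that have lapsed and must be pulled from the target systems."""
        return sorted((g.user, g.system) for g in self.grants if g.expires < on)


def bob_ledger():
    """Bob's career path from the article, replayed as time-limited grants."""
    ledger = AccessLedger()
    ledger.grant("bob", "ar-ledger", "AR clerk duties", "mgr-ar", date(2023, 1, 9), 90)
    ledger.grant("bob", "ap-ledger", "transfer to AP", "mgr-ap", date(2023, 4, 3), 90)
    ledger.grant("bob", "gl-consolidation", "accounting task force", "cfo",
                 date(2023, 5, 1), 30)
    return ledger


if __name__ == "__main__":
    ledger = bob_ledger()
    print("live on 2023-05-15:", ledger.effective_access(date(2023, 5, 15)))
    print("revoke by 2023-06-15:", ledger.revocations_due(date(2023, 6, 15)))
    for line in ledger.audit_log:
        print(line)
```

Because access is derived from unexpired grants, Bob's AR rights lapse when he moves to AP, and the task-force rights lapse when the task force ends, without anyone having to remember to revoke them; the audit log answers the "who approved this and why" question the article says is usually unanswerable.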