Let’s face it. Despite the best efforts of us in the IT security industry, the top solution for managing passwords is the trusty old sticky note. Write down your password on the note and hide it somewhere you can easily find it (hopefully not on your monitor).
The second most popular way to store credentials (including root, administrator, sa, etc.) is to put them on a spreadsheet and then share that spreadsheet among those who need access to the credentials. To be at least a little more secure, some companies create different spreadsheets for different parts of the organization.
One of the biggest problems with this tactic is that spreadsheets drive your security auditors crazy because there is no way to know whohas seen the passwords on the spreadsheets or when they saw them. There’s also generally no way to track when passwords are changed. And depending on the industry, it may be necessary to regularly change credentials, and to immediately change them after disclosure or employee turnover – something not particularly feasible with a password spreadsheet.
In my experience, more and more companies are beginning to realize the need to migrate off of publicly shared password spreadsheets, to something that is more secure and helps them comply with regulatory mandates – with a future path to an automated privileged identity management solution when the time is right. IT budgets, resources, and expertise may be limited, so the best course of action is to migrate the spreadsheets to a secure solution to meet minimum regulatory requirements, and then move up to an automated solution at a later date.
With these thoughts in mind my company set out to develop a feature in our adaptive privilege management platform called Password Spreadsheet Manager (PSM). PSM allows you to seamlessly import your spreadsheets in minutes to a secure and encrypted database, with web-based audited and delegated access to the rows in your formerly shared spreadsheets.
Our objective was not to create another “secure” file vault – those suffer from the same flaws as a shared spreadsheet: lack of detailed spreadsheet row level tracking. Our objective is to quickly provide secure access and management to shared credentials with all of the scalability, security, and broad systems integrations you would expect from an enterprise quality application.
What do you think about password spreadsheets? Leave a comment below. You can also follow me on Twitter: @liebsoft.