IT Security News and Opinion
Tuesday May 21st 2013
Auto Discovery Webinar

Secure Privileged Accounts: The Shoemaker’s Children Go Barefoot

Privileged AccountsA recent New York Times article, “A Strong Password Isn’t the Strongest Security,” offers a great assessment of the complacency of many IT security professionals. The assertion that password strength is not as important as protecting passwords against interception has some real validity.

However, user logins are just one aspect of the problem. It’s also important to consider that systems administrators may be walking out the door knowing passwords for the most sensitive privileged accounts in an organization. Even worse, many supposedly security-conscious organizations put their critical privileged passwords on spreadsheets and share them indiscriminately over the company network for the sake of convenience.

In some cases, the same privileged account password is deployed on all systems in an enterprise and everyone in IT knows this common “back door password.” When an IT problem occurs and management needs to learn who made the undesired change, it becomes clear that the convenience of a well-known and common password leads to the most basic failure of security controls – lack of segregation of duties. Or, in basic English, it’s impossible to say with certainty who did what and when.

In general, there are already guidelines for the strong management of passwords (length, complexity, change frequency, etc.), but I have seen these standards neglected by IT groups managing their own internal resources. In other words, when it comes to the security of IT and its most sensitive resources (privileged identities), the shoemaker’s children go barefoot.

As a matter of full disclosure, my company sells privileged identity management solutions that eliminate the common “back door password” problem, but you would be surprised by how many IT organizations reject such fundamental security in favor of “convenience”.

FacebookTwitterLinkedInDeliciousTechnorati FavoritesDiggBlogger PostGoogle ReaderShare
Post Published: 09 September 2010
Author: Philip Lieberman
Found in section: Emerging Threats, Security Best Practices

Tags: , ,

Previous Topic:
Next Topic:

Leave a Reply


− 1 = seven

Follow Us

    Follow us on Twitter            Follow us on LinkedIn

  Visit our YouTube Page              Identity Week RSS Feed
Visit the Lieberman Software Website

Archives

Recent Comments

Tags

Administrator Password Application-to-Application Credentials Application Security Cloud Computing Cloud Security CSO cyber-attacks cyber attack Cyber Security data breach Data Breaches Datacenter Security Data Security default password disaster recovery enterprise security Governance Risk and Compliance hacktivism Identity Management insider threat Insider Threats Internet security IT Audit IT Auditing Compliance Reports IT Marketplace IT Outsourcing IT security IT Security Threats online privacy Password Security PCI-DSS Compliance privileged account credentials privileged account management privileged accounts Privileged Identities privileged identity management regulatory compliance RSA Securing Legacy Applications Security Management SIEM smart card smartphone security stolen credit card Stuxnet