Assume that you are an IT administrator managing servers, databases, network devices and numerous other IT applications. All these resources are accessed and controlled through administrative passwords, and those passwords are used in a shared environment: a group of administrators uses a common privileged account to access each resource, and the privileged accounts are accessible to every member of the team.
Needless to say, administrative passwords are very powerful and grant unlimited privilege to their users. Anyone who logs in through the privileged account can access absolutely anything with ease. You have thousands of privileged passwords, the majority of which are used in a shared environment.
How do you share these administrative passwords? Is there a process? How do you ensure security?
Apart from the ‘officially shared’ passwords, users often reveal administrative passwords to their colleagues for one reason or another. The most common reason for such an ‘unofficial share’ is to cover an emergency in one’s absence, for example an IT manager revealing the password to a senior team member before going on vacation.
Developers, help desk technicians and, in certain cases, third-party vendors who need privileged passwords purely on a temporary basis are usually given them orally or by email. There is no process to revoke the temporary access and reset the password once the temporary need has passed, which leaves a big security hole.
It is quite common to see administrators choosing familiar words or short phrases as passwords, for ease of use. The passwords are kept in text files, spreadsheets, homegrown tools or even physical vaults. And it is not uncommon to see a UNIX administration team with full access to the Windows passwords, developers with full access to database passwords, and so on.
Thus, administrative passwords are insecurely shared and lie scattered across the enterprise, leaving little scope for any internal controls.
Whether it is official or casual, sharing privileged passwords in an enterprise can have disastrous repercussions for its security. Mismanagement of administrative passwords leads to information theft, manipulation and sabotage, without leaving a trace.
It is always better to avoid sharing administrative passwords at all. Unfortunately, that is only an ideal; practical needs are mostly the opposite. Business requirements demand selective sharing of passwords with others without compromising enterprise security. Thus, enterprises find themselves in a catch-22 situation!
What is the way out, then?
Before looking for the solution, it is worth analyzing in detail the security threats and drawbacks associated with the ‘casual sharing approach’.
Let us discuss that in the next post.
Bala
ManageEngine Password Manager Pro