In-Depth

Securing Admin Passwords: It Takes a Vault

It's difficult to audit administrative passwords if you're not managing them properly. That's what drove Manitoba Lotteries Corp. to employ a password vault.

How does your organization manage its admin passwords?

According to a recent survey of 175 IT professionals by Cyber-Ark Software Ltd. in Dedham, Mass., half of organizations don’t store admin passwords securely, and at a quarter of companies, all IT staff can access them. For password storage, Post-it notes and Excel files are not uncommon, and while half of companies change admin passwords at least monthly, 10 percent never change them.

Such behavior puts organizations at risk. According to a recent study by the U.S. Secret Service and CERT of insider attacks conducted between 1996 and 2002, “the majority of insiders who committed the attacks were former employees, motivated at least in part by a desire to seek revenge, and who were granted system administrator or privileged access when hired.”

Concerns such as these drove Manitoba Lotteries Corp. in Winnipeg, Manitoba, which manages two casinos and a video lottery terminal network, to improve its password-handling processes, and also to find an alternative to using its help desk to issue admin passwords on demand. Before, “the help desk staff would check a matrix that showed who had access to which passwords,” then relay them over the phone, says Marshall Garland, Manitoba’s systems security specialist. Yet there was no audit trail, and passwords didn’t always work, which meant the IT department would have to drop everything and help.

In fact, many organizations have difficulty managing shared passwords, even as more regulations (including Sarbanes-Oxley) require organizations to watch access to systems containing sensitive information and to regularly change related passwords.

Simply put, keeping insiders from abusing passwords is difficult. Unix systems can have many types of passwords defined, and tracking them all is onerous. Sometimes administrators share their admin passwords with others, which complicates auditing or disabling a user's access. Furthermore, many devices (such as routers) ship with publicly known default passwords, and administrators don’t always change these. “Let’s say there’s a guy who’s responsible for the 30 routers in the enterprise. Chances are he’s going to use a similar password for all the routers,” notes Richard April, vice president of marketing at Cyber-Ark Software. “That’s a common practice in IT teams. They share a password either across multiple devices or across the enterprise, so it can be very dangerous.”

Ultimately, Manitoba Lotteries adopted Cyber-Ark’s Network Vault for Passwords to manage about 70 people’s access to more than 200 passwords. The software combines a secured application and hardened version of Windows 2003. While Manitoba hasn’t yet calculated a return on investment, “it saves me between four to six hours per month, not to mention frustration and grief,” says Garland, since the help desk doesn’t have to page him for password problems. In addition, password management is decentralized and more accountable: each IT department manages and can access only its own passwords.

Defining the Vault

What exactly is a password vault? According to Kris Zupan, CEO and chief technology officer of Wilmington, Del.-based e-DMZ Security, which makes Password Auto Repository (PAR), vaults have five features: storage, release, updating, verifying, and auditing. In general, users log in to distinct vaults—the Unix server password vault, or the router vault. After the administrator finishes with the device or application, the vault can then automatically change the password.

Different products have different password storage and maintenance features. DMZ’s PAR, for example, verifies passwords daily, but only against the hash. That way, each verification doesn’t generate a root-level access notice in the system logs. Daily verification also assists help desks. For example, if a user calls the help desk alleging a password doesn’t work, workers can reply that the password’s been verified that day and they should try again. PAR also stores previous passwords, in case a server needs to be restored from backups to a previous state.

Such functionality can help meet regulatory requirements. Many regulators push for changing passwords enterprise-wide every 30 days, and a password repository can do that automatically. Zupan says he’s seen adoption of PAR especially for Sarbanes-Oxley, and to a lesser extent for Gramm-Leach-Bliley. One user, for example, is DuPont, which employs it to help system administrators, and to restrict developers’ access to systems.

Password Management History

Of course, password management isn’t a new concept at either the user or system level, and for vaulting, “large companies all have something like this around,” says Christian Byrnes, an analyst at Gartner Group in Stamford, Conn. In fact, “many of them have multiple generations of tools on the shelf, since the tools proved inadequate.” The reason such tools didn’t work, he says, was often scalability. “As the number of different password systems and the number of employees scale up, the systems become difficult to maintain.”

What do organizations use instead of password vaults? Zupan says he often sees spreadsheets, or manual processes such as sealed envelopes with signatures written across the seal, stored in a physical safe. Such processes, besides being time-consuming, may also be sub-standard. “Without a password generator, you were finding that people were only so creative when it came to making new passwords,” he says.

Furthermore, some organizations confuse identity management with password vaults; they’re different. “Identity management is mapping one credential to multiple credentials,” notes Zupan, “which is the exact opposite” of what password vaulting software does.

Can today’s vaults succeed where previous generations of password management software often failed? With today’s approach—just tackling IT passwords—less can be more. “Simpler, less-functional utilities scale better,” says Byrnes. Even so, enterprise-level vaulting is relatively new, and might not be a fit for all sizes of organizations, or at least not yet.

“The ‘vaulting’ concept is a different approach and may solve some problems, but it is unproven for large-scale needs,” he notes.

Related Articles:

Software Vaults Protect Sensitive Information
http://esj.com/security/article.aspx?EditorialsID=1143

Case Study: Mohegan Sun Bets on Virtual Password Vault
http://esj.com/enterprise/article.aspx?EditorialsID=955

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.

Must Read Articles