Case Study: Mohegan Sun Bets on Virtual Password Vault

The Connecticut casino and entertainment center uses password management software, which acts as an intermediary with applications, to ensure passwords are available—and secure—around the clock.

Last year, Jake Star, the vice president of computer services at Mohegan Sun, faced a predicament: keeping track of administrators’ passwords, the master keys to all its software and hardware. The casino and entertainment center had grown rapidly since its inception in 1996, but password management hadn’t kept pace. “Individuals had passwords in their heads,” he says, and nowhere else.

Mohegan Sun is a casino and entertainment center in Uncasville, Connecticut, with about 11 million visitors every year. In addition to back office chores, the center manages a 1,200-room hotel, 40 retail shops and restaurants, and convention space. That adds up to a large number of servers and a lot of software in use.

No surprise Mohegan Sun worried about “losing access to key production systems” if an employee left the company, went on vacation, or just wasn’t reachable at 3 in the morning, says Star. “We need to ensure our IT administrators have access to all of our critical systems 24 hours a day, seven days a week. Down time due to unavailable passwords is not an option.”

To solve his problem, Star researched software options on the Web and found a password management product called Network Vault from software vendor Cyber-Ark. He tested and implemented the software on a dedicated server, a process he says went smoothly. The software now supports about 15 administrators.

Here’s how it works: Network Vault is a virtual password vault. Instead of administrators logging on to individual applications, Network Vault plays intermediary, first authenticating administrators, then giving them access. Administrators have a password to authenticate with Network Vault, but only Network Vault holds the actual passwords needed to access servers and software. It gives an administrator the appropriate access, but the administrator never sees the real password.

Network Vault also secures all passwords during storage and transmission, and logs all access, creating an audit trail. With the exception of two people—the network security administrator and one senior executive—no one knows the actual passwords except Network Vault. The network security administrator also handles password updates and other management.

Mohegan Sun’s situation was typical, notes Alon Cohen, chairman and CEO of Cyber-Ark. “While companies make significant investments in securing their IT infrastructure, passwords, which serve as keys to the enterprise, are often the last piece of the security puzzle put into place.”

Beyond improving security, this approach simplifies delegating access. “If we have someone on vacation, they can actually give access to another admin while they’re on vacation. We can control the length of time their substitute password access will work,” says Star.
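The brokering pattern described above (authenticate to the vault, let the vault present the real password, log every attempt, and let a substitute's access expire) can be sketched as follows. This is an added illustration, not Cyber-Ark's code or Network Vault's design; the class, method names, and sample values are all hypothetical.

```python
import hashlib, hmac, secrets, time

class VaultBroker:
    """Toy broker (assumed design): admins authenticate to the vault, never see target secrets."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._admins = {}   # admin -> (salt, PBKDF2 hash of the admin's vault password)
        self._targets = {}  # system -> real password, held only inside the vault
        self._grants = {}   # (admin, system) -> expiry timestamp, None = standing access
        self.audit = []     # (time, admin, system, outcome) for every access attempt

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, admin, vault_password):
        salt = secrets.token_bytes(16)
        self._admins[admin] = (salt, self._kdf(vault_password, salt))

    def _auth(self, admin, vault_password):
        salt, digest = self._admins.get(admin, (b"\0" * 16, b""))
        return hmac.compare_digest(digest, self._kdf(vault_password, salt))

    def store(self, system, password, owner):
        self._targets[system] = password
        self._grants[(owner, system)] = None

    def delegate(self, owner, owner_password, substitute, system, seconds):
        # Only an authenticated admin with standing access can issue a time-limited grant.
        standing = self._grants.get((owner, system), 0) is None
        if not (self._auth(owner, owner_password) and standing):
            raise PermissionError("owner cannot delegate this system")
        self._grants[(substitute, system)] = self._clock() + seconds

    def connect(self, admin, vault_password, system, login):
        """Authenticate the admin, then log in to the target on their behalf."""
        now = self._clock()
        expiry = self._grants.get((admin, system), 0)
        allowed = self._auth(admin, vault_password) and (expiry is None or now < expiry)
        self.audit.append((now, admin, system, "granted" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{admin} may not access {system}")
        # The real password goes to the target system only; the admin gets a session.
        return login(system, self._targets[system])

if __name__ == "__main__":  # constructed demo: names and passwords are made up
    vault = VaultBroker()
    vault.enroll("alice", "alice-vault-pw")
    vault.store("db01", "S3cret-target-pw", owner="alice")
    print(vault.connect("alice", "alice-vault-pw", "db01", lambda s, p: f"session:{s}"))
    print(vault.audit[-1][1:])
```

The `login` callable stands in for whatever connector performs the real logon; denied attempts are recorded in the audit trail as well as granted ones.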

Using the software to store passwords and log their use also reassures auditors. “We’re governed by the National Indian Gaming Commission, as well as funded by some bonds that we issued,” says Star, so beyond the commission’s rules, he also must comply with the Sarbanes-Oxley Act, as well as the Health Insurance Portability and Accountability Act.

Many regulations mean many audits. “I have, typically, five major audits per year, but right now I’m involved in over 15 different audits, because we audit different portions of the business every year, and more and more those audits are involving my department as well,” says Star, since IT is increasingly a cornerstone of every other department. Again, tracking passwords gives auditors one less potential fault to find.

One feature Star would like in Network Vault—he says this goes for just about everything he uses—is improved reporting. “One of the challenges is, because it’s a proprietary system and proprietary database, I can’t just use Crystal Reports against it. But that’s also a benefit—if it were that easy to access the database, it would be less secure than I want. The key thing here is security.”

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.