Software Vaults Protect Sensitive Information

Software vaults are increasingly the solution for securing passwords, notes from the board of directors, and more

When it comes to sensitive information, most organizations recognize that they can’t just encrypt everything. Typically, organizations only need to encrypt sensitive information. For many organizations that includes information for the next board of directors meeting, human resources data, administrative passwords for servers, and documents containing sensitive company or personnel information.

One way to secure information, especially on an ad hoc basis, is by using software vaults, which control and audit access to any documents or data they store. Security Strategies spoke with Cyber-Ark Software Inc., which makes vaulting software, to discuss how organizations use the technology.

What are essential features for a vaulting application, or a so-called software safe?

A dual-control mechanism. Let’s say I’m working for you and you want to grant me permission every time I enter a specific safe. So, one feature can be, every time I try to access a safe, it would say, “Richard is trying to access this safe, accept or decline.” Then … [with authorization] I would be able to get in.

So for the ultra-secure environment, you can not only track who goes in, but also control when they can go in. And you can limit that by location, too. There are many elements like that. You can have control over who monitors the information and when, knowing who touched what and when …

What are the main uses of software vaults?

We’re focusing on three specific applications: allowing discrete communications, as if there was a WAN but without one … for manufacturing, so to exchange design files for manufacturing items … [and] there’s also a need to create a secure infrastructure for securing all the code that’s being developed overseas.

What are some ways you see customers using software vaults?

There are companies [where] their board of directors needs to share information, or their employee and human resources information needs to be shared. Yet any [such] documents would be visible to network administrators … [including] personnel files. So this can … create a secure repository in their infrastructure for critical documents.

The highest level of interest lately, however, has been over in the IT department to meet their security auditors’ guidelines … There are security audits being done and [organizations] are not passing them, because of the way they administer passwords, so they’re turning to us for the Password Vault, to help them manage passwords …

Of course, Sarbanes-Oxley is something that’s been around for a while now. But for some reason, over the last [several] months, a lot of our customers are mentioning [it] as one of the pains we’re helping them solve, whether for critical documents that they have to track or store for a specific period of time, [or for] a security policy they have to adhere to in terms of how security passwords are stored and retrieved.

Can your software vault split management control from full access capabilities?

Yes. The administrator can make sure there’s enough disk space in the vault, and that people can access it … but while network administrators can see the properties of the safe, or add users, they have no access to the content itself [without appropriate authorization].

How does this look to end users?

It depends on how you access it … We have a Windows GUI [graphical user interface], it could be through a browser, or transparent … where you view it through Windows Explorer. The Windows GUI we’ve created is the most fully featured version, but it’s more used by power users.

How do you handle encryption?

For performance, the encryption and caching are done on the client side, so the data flowing out from the vault is already as small and encrypted as it can be. Also, there are many layers of security—the access control layer, the authentication layer which can tap into any existing authentication methodology, such as RSA’s SecurID, tokens from Aladdin, PKI …

We also have encryption of information in transit … and at rest—in case someone goes and rips the hard drives out of the server.
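The two answers above (administrators see a safe's properties but not its content; encryption happens on the client so the vault only ever holds ciphertext) can be modelled in a few dozen lines. The following is an added example written for this article, not Cyber-Ark's code: the `Vault` type stands in for the server, `Seal`/`Open` for the client, and the `approved` flag for the dual-control prompt described earlier. Key handling, user names and the AES-256-GCM choice are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Safe is all the vault server holds: members an administrator may manage and
// a blob encrypted on the client (nonce || AES-GCM ciphertext). No key lives here.
type Safe struct {
	Members map[string]bool
	Sealed  []byte
}

// Vault is the server side: it enforces membership and dual-control approval,
// but the most it can ever hand out (to users or administrators) is ciphertext.
type Vault struct{ Safes map[string]*Safe }
// Withdraw releases the blob only to a member whose request an owner approved.
func (v *Vault) Withdraw(safe, user string, approved bool) ([]byte, error) {
	if s := v.Safes[safe]; s != nil && s.Members[user] && approved {
		return s.Sealed, nil
	}
	return nil, errors.New("access denied: membership and approval required")
}

// Seal runs on the client: AES-256-GCM with a fresh random nonce prepended.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Open runs on the client; a wrong key or a tampered blob fails authentication.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block)
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("sealed blob too short")
}
```

An administrator can inspect `Members` and `len(Sealed)` (the "properties" of the safe) without ever being able to call `Open`, because the key exists only on the client.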

Even with regulations breathing down companies’ necks, is it difficult for them to determine what to secure?

Usually there’s a specific application they’re trying to take care of. For example, usually they want a secure way to communicate with the board of directors. Before, a lot of companies would literally create a board package and Fedex it out, and they’d have to do that a week in advance, and by the time [directors] got it, it would be stale … So the vault provided a great vehicle to accomplish this.

Then what they said was, "We should also use this for our human resources documents next week—we’re doing a layoff next week," or pay raises, or whatever information they want to exchange. They want only the people who should have access to it to have access to it … [so there’s this] critical-document application.

How do organizations use this to manage passwords?

We’ve been selling our Network Vault for three or four years and … we weren’t pushing Network Vaults for passwords initially, but our customers uncovered the use.

We found that about 70 percent of our customers, whether they bought it for that purpose or not, ended up storing their administrative passwords in the vaults. So … after doing some more research and creating a specific application for it, we found out that there are a lot of customers who do view this as a problem. And with all the regulatory issues coming up, there’s more awareness around it.

Before, the network administrator would say, "It’s fine. I have it on an encrypted spreadsheet, or on a CD in our vault." But that’s not ideal, because if he’s the only guy who knows the combination to the vault, or the CD gets damaged … [the company is in trouble]. One customer, Mohegan Sun, says for every 15 minutes a server is down, they lose $100,000, so … having easy access for a team of administrators to get access to a server that might not fall under their responsibility [is crucial].

In addition, one thing we’ve added to the Password Vault is [a feature] that will allow for the passwords to be automatically changed on various devices. Meaning, if the passwords have to be changed every “x” days, because it’s part of the compliance policy, [it can do that]. So for someone like Mohegan Sun that had [many] servers, it probably took them the better part of a week to change all of the passwords before.

Related Article

Case Study: Mohegan Sun Bets on Virtual Password Vault
http://www.esj.com/Security/article.aspx?EditorialsID=955

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.