Password Management in the Enterprise
Preface: I am not on the payroll for any vendor. This is not a paid endorsement/advertisement. I am simply sharing what I have found in my research in the Enterprise password management space.
Password management is an essential part of every organization’s security program. Even if you have a well implemented single sign on (SSO) solution, your employees will still need to remember and use passwords for new external websites.
The demands we put on our employees to remember more and more passwords, and to make those passwords more and more complex, have become unmanageable.
Consider all the rules we ask our employees to follow:Passwords must be at least [X number] characters longMust include special characters, capitals, numbers, etcChange your passwords every [X number] of daysUse a different password for every systemDo not use a predictable pattern in your passwordsDon’t write your passwords down anywhere
These demands usually lead to one of two results. Either the users will write passwords down (often in a text or Word document on their computer’s desktop) or they ignore the rules and reuse passwords between systems.
Some of our more technical and security savvy users will go find a tool like Password Safe (or one of the many others like it) which does a wonderful job of giving the users a safe place to put passwords, but is very clunky in an Enterprise environment.
These types of tools do not accommodate passwords that need to be shared between users, and do not allow integration with Active Directory, or role based permissioning. And when an employee leaves the organization, those passwords are lost, potentially leaving the employer in the lurch.
There are several products that attempt to work in this space, but most of them offer SSO type functionality. While there is certainly a place for that in some organizations, it requires a very significant amount of back-end configuration by the IT department. And whenever a new application gets added there needs to be configuration changes to support it.
What I want is a tool that works like Password Safe, allowing users to create and manage all their own passwords with little to no interaction from IT, but still allows centralized management and ease of deployment. After looking through dozens of tools, I have found that Thycotic software’s Secret Server meets all of my needs.
The technology really is pretty simple. The system can tie into Active Directory for authentication and group memberships.
By default, users have their own secure area where they can create as many system passwords (which this system calls “secrets”) as they want. They can either create secrets just for their own use or they can assign permissions to other users or groups in the system.
Secret Server allows users to create auto-launcher links within the secrets. These launchers will open a web browser, SSH or Remote Desktop connection to a system with the username and password pre-populated.
More, the system can be configured so that the password is not even visible if there is a launcher available. I can give you access to sign in with my account without you ever actually knowing my password.
Secret Server can also be used to automatically change passwords on a predetermined schedule. So if you don’t want to have to log into that server every 90 days to change your password, you can tell Secret Server to do it. Then when you need the password you just log in and get it.
Secret Server is not perfect. It’s got a sizable price tag. The UI leaves something to be desired, and some of the administration configuration can use a little work.
But overall it’s a powerful tool that provides users with a real option for saving their passwords in a secure location, eliminating the need to memorize dozens of 8+ character complex passwords.
In a world where security is continually becoming more onerous for our users, this tool can help stem that tide just a little bit.
Cross-posted from Enterprise InfoSec Blog from Robb ReckNote: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.