"Financial Service Technology America, today's latest financial news now..."
Shared administrative password management: a growing compliance concern

e-DMZ Security, LLC | www.e-dmzsecurity.com


The management and control of shared administrative passwords has long been an issue for financial services organizations, and for years it has been an area of interest for the agencies responsible for ensuring the integrity of banking systems, including the Office of the Comptroller of the Currency (OCC), the Federal Reserve Banks (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of Thrift Supervision (OTS) and more. As a result, financial services companies have been ‘leading edge’ when it comes to internal policies, procedures and technical controls for critical system-level shared administrative accounts and passwords.

With no commercial off-the-shelf (COTS) solutions available to solve all the unique needs of managing shared administrative passwords, financial services companies have been forced to look internally for answers. As a result, solutions such as physical safes and envelopes, encrypted spreadsheets, internal programs/scripts or force-fitting user-based identity management methods were deployed as ‘acceptable’ measures. Though manual, costly and of limited scalability, these solutions ‘worked’ in lieu of available COTS solutions.

Under Sarbanes-Oxley, the rules have changed. Increasingly, both internal and external auditors are highlighting existing privileged password management policies, procedures and solutions as an area of audit concern or non-compliance. Sarbanes-Oxley and other audits are finding issues with existing solutions, including:

  • No accountability. Existing internal solutions are not able to assure 100 percent accountability for shared privileged passwords.
  • Release controls. Solutions lack effective, secure release controls, and in most cases are not able to support dual release controls.
  • Change controls. Existing internal solutions deploy manual and infrequent change controls of shared privileged passwords.
  • Lack of consistency. The enterprise has a strong internally developed solution for Unix root privileged accounts, but not for Windows administrator or DBA accounts, etc.
  • Limited audits. Limited or unacceptable auditing of password requests, releases and changes.

Propelled by today’s compliance-driven environment, the design requirements for an administrative password management solution need to address the following:

  • Password storage
  • Password release
  • Password update/change
  • Auditing

Password storage

Since this system will be storing the ‘real’ privileged passwords, encryption and server security are key requirements. The encryption algorithm must be up to the standards of the financial systems being protected, currently AES-256. Key management must be done in a secure way, and the system that houses the passwords must be hardened and firewall-protected to prevent unauthorized access.

Password release

The password release mechanism should support dual control to help achieve segregation of duties for the managed accounts. In addition, the release mechanism must be secure (encrypted) and support strong authentication. Granular authorization should ensure that, for each system, only the required users are allowed to request the password.

Password update

The system should generate and update the passwords being managed. This not only ensures that strong, random passwords are used, but also ensures that individual accountability can be maintained, as no user has access to a password until it is released. The system should also allow passwords to be rotated on a periodic basis, so that these passwords are changed frequently. Finally, the system should be able to change the managed password immediately after use, so that the person requiring access does not retain it any longer than needed.

Auditing

The system must provide robust auditing so that the process can be reconciled frequently, and reports demonstrating the integrity of the environment can be produced. Reports showing when passwords have been released, password inventories, etc. should all be automatically produced.

In addition, the system should address the following operational issues:

  • Accountability. The system should assure full accountability between administrators and passwords.
  • Resiliency. The system should be highly available.
  • Retention. The system must provide retention criteria and archiving capabilities.
  • Password availability. The system should verify that managed passwords are correct so that the system can be accessed when needed.
  • Platform support. The system should support administrative passwords across various platforms to assure a unified management solution.
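The four design requirements above (encrypted storage, dual-control release, system-generated rotation and an audit trail) combined into one minimal vault core, as an added example in Go; this is not e-DMZ's code or the PAR product. It assumes AES-256 in GCM mode with the account name bound as associated data, a master key handed in from a separate key store, and a requester/approver pair as the dual-control check; all type and function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// Vault holds managed privileged passwords as AES-256-GCM ciphertext under a master key from a separate key store.
type Vault struct {
	gcm   cipher.AEAD
	store map[string][]byte // account -> nonce||ciphertext
	Audit []string          // append-only audit trail
}

func NewVault(masterKey [32]byte) *Vault { // the array type makes a 32-byte (AES-256) key the only option
	block, _ := aes.NewCipher(masterKey[:]) // cannot fail: 32 bytes is a valid AES-256 key
	gcm, _ := cipher.NewGCM(block)          // cannot fail: AES has the 16-byte block GCM needs
	return &Vault{gcm: gcm, store: map[string][]byte{}}
}

func (v *Vault) log(event, account, detail string) {
	v.Audit = append(v.Audit, fmt.Sprintf("%s %s account=%s %s", time.Now().UTC().Format(time.RFC3339), event, account, detail))
}

// Rotate stores a fresh random password as ciphertext only, so nobody knows it until released.
func (v *Vault) Rotate(account, reason string) {
	buf := make([]byte, v.gcm.NonceSize()+24) // nonce || 24 random bytes of password material
	rand.Read(buf)                             // crypto/rand.Read cannot fail as of Go 1.24
	nonce, pw := buf[:v.gcm.NonceSize()], []byte(fmt.Sprintf("%x", buf[v.gcm.NonceSize():])) // 48-char password
	v.store[account] = v.gcm.Seal(nonce, nonce, pw, []byte(account)) // account name bound as AAD
	v.log("change", account, reason)
}

// Release enforces dual control, hands the password out once, then rotates it immediately.
func (v *Vault) Release(account, requester, approver string) (string, error) {
	who, ns, blob := "requester="+requester+" approver="+approver, v.gcm.NonceSize(), v.store[account]
	if requester == "" || approver == "" || requester == approver || len(blob) < ns {
		v.log("release-denied", account, who)
		return "", fmt.Errorf("release denied for %s: dual control not satisfied or account not managed", account)
	}
	pw, err := v.gcm.Open(nil, blob[:ns], blob[ns:], []byte(account)) // fails on tampered ciphertext
	if err == nil { // hand the value out once, then change it so it stops working
		v.log("release", account, who)
		v.Rotate(account, "post-release change")
	}
	return string(pw), err
}
```

Denied requests are logged as well as successful ones, so the audit trail can be reconciled against request tickets.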

Extending existing internal solutions to meet this robust set of requirements may not be possible, or at best would be cost-prohibitive. Fortunately, the marketplace has caught up to the market need. With the release of the Password Auto Repository (PAR), e-DMZ Security was the first company to develop a COTS solution dedicated to addressing the unique security and audit needs of shared password management. Deployed in many of the top financial services companies, PAR is a purpose-built appliance providing secure password storage, dual release controls, time- and last-use-based change controls, historical password logs and audits across your entire infrastructure, including Unix, Windows, databases and other network devices.

Kris Zupan, CISSP, is CTO of e-DMZ Security. For more information on the issues associated with shared privileged password management and PAR, including a streaming video overview, please visit www.e-dmzsecurity.com or email par-info@e-dmzsecurity.com.

