10 Guidelines for Managing Passwords in the Enterprise
Today the world is totally dependent on information technology, and many corporations struggle to manage and store their employees' passwords securely. Every other day you hear of large companies exposing customer account details to unintended audiences, due mainly to poorly managed IT systems and processes. The confidentiality and integrity of sensitive data is paramount to the operations of a business of any size, and the following guidelines should be considered when choosing any type of electronic password management system (PMS).
1. Remove the need for employees to remember passwords, or even worse, write them down
A key cause of bad password management practices is that many employees don’t have a system in which to record their passwords, so they must either remember them or write them down and store them in an insecure manner. The password management system (PMS) must provide adequate functionality to remove the need for employees to remember passwords.
2. Centralize the management of passwords
Centralizing an organization’s passwords is the first step in gaining control of the IT accounts used to run its business; without it there is no visibility into, or governance of, their usage.
3. Ensuring the integrity of sensitive data
To ensure the integrity of data stored in an electronic PMS, there are a few key things to consider:
- Passwords should be encrypted with 256-bit AES encryption, with a unique Initialization Vector used for every install
- Users should authenticate against the PMS using their Microsoft Windows domain account credentials
- The PMS must provide the option of two-factor authentication for the user(s) who administer the system
- Sensitive code of the PMS should be obfuscated, to prevent reverse engineering by system or web administrators
- The PMS must prevent system or database administrators from granting themselves access to data they are not authorized to see
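The following Go program is an added illustration of the first and last points above; it is not Click Studios' code. It stores each password as AES-256-GCM ciphertext under its own random nonce (a stricter form of the per-install IV rule), binds the record ID into the ciphertext so a row cannot be copied onto another account, and keeps the master key out of the database so an administrator who can read the tables still cannot decrypt them. The names Vault, Record, NewVault, Seal and Open are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Vault holds the 256-bit master key only in process memory; it is never
// stored beside the ciphertext, so a DBA reading the tables cannot decrypt.
type Vault struct{ aead cipher.AEAD }
// Record is one stored password: a per-record random nonce plus the AES-256-GCM ciphertext and tag.
type Record struct {
	ID    string
	Nonce []byte
	Data  []byte
}
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 { // AES-256 needs a 32-byte key
		return nil, fmt.Errorf("master key must be 32 bytes, got %d", len(key))
	}
	block, _ := aes.NewCipher(key) // cannot fail: length validated above
	aead, err := cipher.NewGCM(block)
	return &Vault{aead: aead}, err
}

// Seal encrypts one password under a fresh 12-byte nonce; the record ID is
// bound in as associated data so ciphertext cannot be swapped between records.
func (v *Vault) Seal(id string, password []byte) (Record, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{ID: id, Nonce: nonce, Data: v.aead.Seal(nil, nonce, password, []byte(id))}, nil
}

// Open returns an error instead of plaintext if data, nonce or ID were altered.
func (v *Vault) Open(r Record) ([]byte, error) {
	return v.aead.Open(nil, r.Nonce, r.Data, []byte(r.ID))
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // constructed key; a real PMS would fetch it from a KMS or HSM
	v, _ := NewVault(key)
	rec, _ := v.Seal("svc-backup", []byte("constructed-sample-secret"))
	pw, err := v.Open(rec)
	fmt.Println(string(pw), err)
}
```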
4. Make the passwords easily accessible
Users must be able to reach the PMS from any location, it must not rely on any client installs, and it must give them quick and easy access to their passwords.
5. Must promote the use of strong passwords
The PMS must promote the use of strong passwords, with the password strength policy set by the administrator(s) of the system. A visual indicator of password strength must be shown when a password is entered, and when reporting on passwords, so the user is constantly reminded when a password’s strength is poor.
6. Must promote regular resetting of passwords
A key component of bad password management practices is failing to reset passwords at regular intervals. The PMS must have one or more options for reminding users that passwords are about to expire.
7. Must be portable and recoverable
There is little use centralizing your organization’s passwords if you’re unable to get to them in the event of a disaster. The PMS must provide a mechanism by which all passwords can be exported to a separate file, to be stored outside of existing IT systems – preferably with trusted security personnel.
8. Changes must be traceable and auditable
All large organizations require governance over access to IT systems, so it’s imperative that the PMS support traceability of all events within it, and that those events be easily reportable. This applies both to standard usage by employees and to administration of the PMS.
9. Must be scalable
If you intend to implement an enterprise-class PMS, it’s crucial that the system can scale with your organization, otherwise your investment (time and money) may be wasted.
10. Must be simple to use
As with any IT system, acceptance by its audience is crucial to its success. Provide users with a poorly designed interface, and you will meet resistance at every step. To successfully deploy a PMS and realize the benefits it can bring, the PMS must be very simple to use and must provide the user community with sound help documentation when required.
Click Studios - 18th October 2009.