10 Steps for Secure Enterprise Password Management
Regardless of size, all organizations have one thing in common: the need to use passwords to secure access to infrastructure, business systems, or user-generated data. What differentiates organizations is how well they manage and securely store these sensitive passwords. The intent of an Enterprise Password Management system is to provide a mechanism whereby passwords can be securely stored and access control is well managed, and which can assist in becoming compliant with various regulatory acts. In order to realize these goals, the following 10 steps should be considered when evaluating an Enterprise Password Management system. The system:
1. Must remove the need for employees to remember passwords
One of the leading causes of bad password management practices is that employees do not have a system whereby they can securely record their passwords. Even worse is when IT departments don’t use such a system and instead write their passwords down somewhere, or store them in unsecured spreadsheets.
2. Must prevent unauthorized access
To ensure unauthorized access to passwords is not possible, the password management system must consider the following:
- Passwords should be encrypted with 256-bit AES encryption, so they are not visible when looking at the raw data in the database
- The system should detect when someone has modified database records outside of the application, and alert the system owners
- The system should prevent someone trying to write their own code to retrieve data from the database, and alert the system owners
- Sensitive code within the system should be obfuscated, preventing reverse engineering
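One way to meet the second bullet above (detecting records modified outside the application), shown as an added example that is not Click Studios' code or any product's implementation: each row carries an HMAC computed by the application, and an audit pass flags rows whose contents no longer match. The table and column names, the key, and the sample rows are assumptions constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

# Constructed demo key (assumption); a real deployment keeps it outside the database.
MAC_KEY = b"constructed-demo-key-not-for-production"

def row_mac(row_id, title, username, ciphertext):
    """HMAC-SHA256 over length-prefixed fields so field boundaries are unambiguous."""
    mac = hmac.new(MAC_KEY, digestmod=hashlib.sha256)
    for field in (str(row_id).encode(), title.encode(), username.encode(), ciphertext):
        mac.update(len(field).to_bytes(4, "big") + field)
    return mac.digest()

def open_store():
    """Hypothetical schema: one row per stored (already encrypted) password."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE secrets (id INTEGER PRIMARY KEY, title TEXT, "
               "username TEXT, ciphertext BLOB, mac BLOB)")
    return db

def save(db, row_id, title, username, ciphertext):
    """The application's only write path: every write refreshes the row MAC."""
    db.execute("INSERT OR REPLACE INTO secrets VALUES (?, ?, ?, ?, ?)",
               (row_id, title, username, ciphertext,
                row_mac(row_id, title, username, ciphertext)))

def find_tampered(db):
    """Return ids of rows whose stored MAC no longer matches their contents."""
    bad = []
    for row_id, title, username, ciphertext, mac in db.execute(
            "SELECT id, title, username, ciphertext, mac FROM secrets ORDER BY id"):
        expected = row_mac(row_id, title, username, ciphertext)
        if not hmac.compare_digest(mac, expected):
            bad.append(row_id)  # candidate for an alert to the system owners
    return bad

def demo():
    db = open_store()
    save(db, 1, "core-router", "admin", b"\x01\x02constructed-ciphertext")
    save(db, 2, "sql-prod", "sa", b"\x03\x04constructed-ciphertext")
    before = find_tampered(db)
    # Simulate an edit made directly in the database, bypassing save().
    db.execute("UPDATE secrets SET username = 'changed-outside-app' WHERE id = 2")
    return before, find_tampered(db)

if __name__ == "__main__":
    print(demo())
```

A per-row MAC catches edited rows but not deleted ones, and it only helps while the MAC key is stored where a database-level user cannot read it.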
3. Must provide role-based access
A flexible approach to providing access to sensitive passwords is very important, as not all users require the same level of access. The system must provide read, modify and administrator access to not only entire password lists, but also to the individual passwords contained within the lists. Similarly, staff with administrator access to the entire system must have different levels of administration, so the right roles are assigned to the right employees.
4. Must consider unlocked screens
We all know it’s bad practice, but people do walk away from their workstations and leave their screens unlocked. It’s important the system can automatically log users out after a set period of idle time. It must be able to hide passwords on the screen after a set period of time, and it must also clear the clipboard automatically if passwords are copied to it.
5. Must be well governed
Traceability is paramount in a password management system. All activities should be auditable and reporting needs to be readily available when needed. As some organizations are mandated to reach certain levels of regulatory compliance, the system must facilitate this.
6. Must promote the use of strong passwords, and educate users about bad passwords
The system must give users an indication of how strong their passwords are when they are creating them, and this password strength must be customizable to meet the needs of different organizations. It’s also important that users are educated when they are creating what is deemed to be a bad password, e.g. 1234.
7. Must promote regular resetting of passwords
A key component of bad password management practices is not resetting passwords at regular intervals. The system must have one or more options for reminding users that passwords have expired, or are about to expire.
8. Must be simple to use
As with any IT system, acceptance by its audience is crucial to its success. Provide users with a poorly designed interface, and you will meet resistance at every step. To successfully employ an enterprise password management system, and realize the benefits it can bring, it must be very simple to use and provide the user community with sound help documentation if required.
9. Must have a High Availability Option
In the event of an IT disaster, the recovery team’s main objective is to recover systems to an acceptable working state so the business can continue to function. What happens if your password management system was also affected by the disaster, and you cannot recover as you don’t have access to your passwords? You must have a High Availability option available to you if your organization deems it to be important enough.
10. Must be affordable to organizations of all sizes
One of the most common barriers to adopting an Enterprise Password Management system is the cost. It’s crucially important that organizations of all sizes manage their passwords well, and as such, the system needs to be affordable for a company of any size. Free for small business, and affordable for everybody else.
Click Studios - 28th June 2011.