Office Memo 15

9 December 2004


Password Overload Syndrome - the latest disorder ravaging the IT industry
I've got password overload syndrome! When I went to see my doctor he quietly admitted he had it too - as he fumbled to access my notes on-screen. The chap at the pharmacist strangely has it as well, and neither of them even works in IT.
It's all come down to the fact that we all have too many PINs and passwords to remember. Have you ever taken the time to count how many you use in the course of a day? Have you ever sat in front of your screen and had your mind go absolutely blank when asked for a password?
If you think you've got it bad, what about the IT administrator who has hundreds to memorise, including those giving access to the most sensitive company data? He may resort to sticking them on to a Post-it note, or shoving them into a drawer or on to an Excel spreadsheet or Word document.
Hmm. You can hear those hungry hackers licking their lips at the very thought, and all those aggrieved staff thinking "Yippee! This is the way I'll get back at my boss."
The backbone of every enterprise computing system is a huge network of servers, network devices, and security and other infrastructure. It creates the complex communications network, or nerve centre, of a company. Every day, systems, network and security administrators are logging on to these critical infrastructure points. They need to carry out routine maintenance and repair, and to apply updated security patches.
Many of these people are running around with "root" and "administrator" privileges, either on their personal accounts or on shared, commonly used accounts. And they're losing or forgetting their passwords all the time.
Administrators, like most of us, have the best of intentions, but the more those passwords change hands or remain unchanged, the greater the likelihood of a security breach. Also, because administrative passwords frequently need to be shared, there is increased risk that they will be left lying around somewhere. This results in administrative passwords becoming widely known and changed less frequently.
Administrative privileges are required for emergencies and disaster recovery. Only a reliable password management policy can guarantee that the correct passwords will be promptly available in these circumstances.
It's surprising how many organisations resort to storing passwords simply around the office on spreadsheets and simple databases. A quick penetration test will show just how easy it is to get at these documents. Mismanagement of administrative passwords is a major cause of security breaches and one of the top reasons for long recovery processes from IT failures.
The problem would be easy to fix if large organisations didn't demand near-instant access for administrators. But since this is unlikely to change, companies have to look closely at the way passwords are saved, controlled and managed.
The most effective way to reduce the potential hazards is to apply an effective policy, which should at the very least include the following components:
Centralised administration: Often, different IT groups control different pockets of passwords. It's important to create a centralised policy, procedures and enforcement mechanism. Otherwise, there is no way to ensure that each business or technical unit is doing its best to protect the keys to the kingdom.
Secure storage: Administrative passwords should be securely stored in a way that offers strong authentication, granular access control, encryption and auditing to safeguard every password.
Worldwide secure availability: At the same time, remote access is also critical. With today's distributed enterprises, administrators need access beyond network boundaries. They must be able to securely access and share passwords from anywhere, within or outside the enterprise network.
A dual-control mechanism: This would require two or more administrators to be involved before passwords for the most sensitive or vulnerable servers can be retrieved.
Routinely changed passwords with tracked history: In addition to secure storage, this is the only way to ensure the long-term security of passwords.
Intuitive auditing: Organisations will need to audit the whereabouts and use of passwords without having to pore over log files. Regulatory compliance measures are also driving routine auditing and tracking of access to vital systems.
Disaster recovery plan: Administrative accounts play a major role in recovering from incidents that range from a simple problem to a full off-site disaster recovery. Look into technologies for automated, safe replication of vital administrative information. These can guarantee the availability of those accounts in time of need.
Safe haven: Provide somewhere within the network where all administrative passwords can be securely archived, transferred and shared. IT staff, on-call administrators and administrators in the field will all need access to this.
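As an added illustration, not part of the original memo and not code from any Cyber-Ark product, here is a small Python model of a central store that enforces several of the components above at once: dual control on flagged entries, routine rotation with retained history, an audit trail for every action, and a report of passwords past their rotation age. The class name, the 30-day rotation limit and the sample entries are assumptions.

```python
import secrets
from datetime import datetime, timedelta, timezone


class PrivilegedVault:
    """Constructed model of an administrative password store.

    Enforces dual control for flagged entries, rotation with retained
    history, an audit record for every action, and a staleness report.
    Encryption at rest, which a real vault adds, is out of scope here.
    """

    def __init__(self, max_age=timedelta(days=30)):  # assumed rotation limit
        self._entries = {}   # name -> {secret, rotated_at, history, dual_control}
        self.audit = []      # (timestamp, actor, action, entry, outcome)
        self.max_age = max_age

    def _log(self, actor, action, name, outcome):
        self.audit.append((datetime.now(timezone.utc), actor, action, name, outcome))

    def store(self, actor, name, secret, dual_control=False):
        self._entries[name] = {"secret": secret, "rotated_at": datetime.now(timezone.utc),
                               "history": [], "dual_control": dual_control}
        self._log(actor, "store", name, "ok")

    def retrieve(self, actor, name, approver=None):
        """Hand out a password; flagged entries need a second, distinct administrator."""
        entry = self._entries[name]
        if entry["dual_control"] and (approver is None or approver == actor):
            self._log(actor, "retrieve", name, "denied: dual control")
            raise PermissionError(f"{name}: a second administrator must approve")
        self._log(actor, "retrieve", name, f"ok (approver={approver})")
        return entry["secret"]

    def rotate(self, actor, name):
        """Replace the password with a random one and keep the old value on record."""
        entry = self._entries[name]
        entry["history"].append((entry["rotated_at"], entry["secret"]))
        entry["secret"] = secrets.token_urlsafe(24)
        entry["rotated_at"] = datetime.now(timezone.utc)
        self._log(actor, "rotate", name, "ok")
        return entry["secret"]

    def stale(self, now=None):
        """Names of entries not rotated within max_age, for the routine-change check."""
        now = now or datetime.now(timezone.utc)
        return sorted(n for n, e in self._entries.items()
                      if now - e["rotated_at"] > self.max_age)
```

Every denied and granted retrieval lands in `audit`, so the "who used which password when" question is answered from the vault's own record rather than from scattered log files.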
My advice to my doctor and pharmacist is to keep smiling - it's the best therapy! For the IT people, there is light and hope at the end of the tunnel. Password Overload Syndrome can be beaten with new treatment.
It comes down to putting the right measures and products in place for the fog to disappear and a clear conscience to emerge. Once it does, they'll find those passwords are safe and secure, tucked up where only those people who need to can get to them.

***
Calum MacLeod, Senior Consultant for Cyber-Ark contributed this article. Our thanks go to him. You can contact him on calum.macleod@cyber-ark.com or 00 31 621 827253. For further information on Cyber-Ark, go to http://www.cyber-ark.com.

About Office Memos
An Office Memo is an extended comment on what is happening in the world of electronic business and elsewhere. Some memos will have appeared in Office Jotter; others are simply referred to in it.
You are free to disagree with, amplify or even agree with anything that appears in Office Jotter or an Office Memo. Of course, the rest of us will never know this unless you write in with your views, so please comment*.
Content from Office Jotter or Office Memo may be circulated freely, so long as you remember to credit its source.
Thanks,
Roger Whitehead
Publisher and editor

*No more than 1,000 words at a time, please. I edit material for publication but as lightly as possible.
Copyright Roger Whitehead, 2004. I hereby assert and give notice of my right under section 77 of the Copyright, Designs and Patents Act 1998 to be identified as the author of these publications.