How to select a password management system
When I was in college, I worked in the server room. Whenever I had to upgrade
a database or create a new user, I first had to search in a secret lock box
for the envelope that contained the password (will it be this yellow one? this
blue one?). You can imagine my disappointment when I entered the password stored
in the envelope and got "Username and password do not match" or "The
system could not log you on. Make sure your user name and domain are correct."
Just because someone forgot to update the password in the envelope!
In another company where I worked, we didn't even have envelopes. Any employee
who had worked there during the previous 4-5 years could come in and enter the
"standard" password and be logged in with the most powerful permissions.
Managing administrative passwords is a must-do, but it doesn't have to be done
manually. Here's what you should look for in a password management system.
Security - These are the most powerful passwords in the organization.
You don't want them stored in an Excel file or in an Access database. Just imagine what could happen if someone accessed the local administrator password
for the Active Directory or the Web server.
Full integration with your organization - Sure, you can write a
nice application to store passwords in an Access database, but you really need much
more than this. You need backup integration (VERITAS, Backup Exec), monitoring
integration (HP OpenView, Tivoli), and transparent user management (LDAP integration).
You also want automatic synchronization that shows when machines are added to
and removed from the network.
"2 clicks to a password" web interface - Your IT department
will need to use these administrative passwords quite often; it should be easy
for them to access them.
Full Audit - You, as a manager, want to know exactly who used the last
root password, who used the administrative password of the CEO's laptop, and
who took the emergency password of the mainframe.
Disaster Recovery - You are storing the keys to your most sensitive
and important data; you had better have a robust disaster recovery component.
Automatic change of passwords - Regulations force you to change your
passwords every 30 days. This means the end of the manual era.
High Availability - As I've said before, you are dealing with the most
sensitive passwords in your organization. You want the password management system
to provide maximum availability to the enterprise and assure business continuity.
Management dashboard - You should be able to see a real-time snapshot
of administrative passwords and privileged account usage. The dashboard should
display your compliance with policies, usage status and, of course, anomalous
Hard Coded Passwords - Many scripts contain hard coded passwords that
are not secured and contain the password in plain text. You need a component
in the password management system that will solve this problem and will integrate
easily with your application server.
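As an added example (not part of the original post), the scanner below finds the plain-text credential assignments this item warns about in shell, Python or key: value style scripts, and ignores values that are resolved at run time from the environment or a vault. The sample scripts are constructed, and `vault-cli` is a hypothetical vault client, not a real tool.

```python
import re
from typing import List, Tuple

# Assignment of a secret-looking key to a value, in shell, Python or key: value style.
ASSIGN = re.compile(r"""(?ix)
    (?P<key>[A-Za-z_]*(?:password|passwd|pwd|secret|api_key|token)[A-Za-z_]*)
    \s*[:=]\s*
    (?P<value>"[^"]*"|'[^']*'|[^\s"'#]+)
""")
# Values that are not real secrets, so they are not findings.
PLACEHOLDERS = {"", "xxx", "changeme", "<password>"}
# Prefixes that mean the value is resolved at run time (env var, vault lookup).
RUNTIME_PREFIXES = ("$", "${", "os.environ", "os.getenv", "getpass", "vault")

def is_literal(value: str) -> bool:
    """True when the assigned value is a plain-text secret rather than a reference."""
    v = value.strip("\"'")
    if v.lower() in PLACEHOLDERS:
        return False
    return not v.startswith(RUNTIME_PREFIXES)

def scan_script(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, key, line) for every hard-coded secret in a script."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):   # comments are not live credentials
            continue
        for m in ASSIGN.finditer(line):
            if is_literal(m.group("value")):
                findings.append((lineno, m.group("key"), line.strip()))
    return findings

# Constructed samples: a backup job with the password in the script, followed by
# the replacement line that fetches the credential from a hypothetical vault CLI.
SAMPLE_SH = """#!/bin/sh
DB_USER=backup
DB_PASSWORD='S3cret!'
mysqldump -u $DB_USER -p$DB_PASSWORD prod > /backup/prod.sql
DB_PASSWORD=$(vault-cli get prod/backup)
"""
SAMPLE_PY = """import os
password = "hunter2"
password = os.environ["DB_PASSWORD"]
api_key = ""
"""

if __name__ == "__main__":
    for name, sample in (("backup.sh", SAMPLE_SH), ("job.py", SAMPLE_PY)):
        for lineno, key, line in scan_script(sample):
            print(f"{name}:{lineno}: hard-coded {key}: {line}")
```

Only the literal assignments are reported; the vault-backed and environment-backed lines pass, which is the shape a script should have once the password management system's application-side component is in place.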
Distributed architecture - You probably have more than two network
areas, so your password management system should have centralized management
with the ability to change passwords on a distributed network.