Remember this popular quote from Sherlock BBC series when Jim Moriarty confronts Sherlock Holmes ? That’s exactly the scenario in the cyberspace today.
In the digital world, keys are the privileged accounts like Domain admin, service accounts, login accounts of the linux,unix servers, network equipment et al . These accounts in the wrong hands could wreck havoc.
Password Manager Pro from ManageEngine is an application that caters to privileged account management requirements of enterprises & has done pretty well to have the largest customer base in this domain.
Lately, there has been a steady surge in the number of cyber attacks across enterprises leaving the IT community in a state of paranoia with even the most talked about secure companies/banks falling prey. Case in point :Major banks in US including JPMorgan Chase were attacked earlier this year.
I am sure every IT administrator would have read a gazillion security related posts that emphasize the need to secure critical servers/accounts & recommend moving towards an enterprise-grade password management solution like Password Manager Pro.
Therefore, in this post, I would like to focus on the bottlenecks on the road to a centralized enterprise password repository in a typical IT organization. IT security engineers, IT infrastructure managers, Security consultants, and Service Providers usually evaluate such applications and they face several common hiccups during the above mentioned transition
1. Privileged account username /passwords strewn across the organization in SPREADSHEETS, sticky notes, SharePoint , personal password safe tools & other insecure means. Consolidation of these scattered privileged passwords for the first time can put anyone to wit’s end.
2. Adding to the above point, Privileged accounts of your infrastructure that are managed by REMOTE INFRASTRUCTURE PARTNERS are held secretive by them & will not be handed over to you on a silver platter. Instead, several service / change requests, approvals, CEO, and Board of Directors intervention is required before those accounts are consolidated .
3. No defined document detailing USERS across departments to whom the privileged accounts must be shared by default.
4. No documentation on password PERMISSIONS to be given to employees, contractors, and sub-contractors requiring access. Read only or Modify or Manage Permission must be decided along with the time period of access & revoking permissions should also be defined to be properly configured in the application.
5.Proprietary APPLICATION specific accounts that are embedded in application files & folder must be retrieved and managed .
6. PENETRATION report of the Password Management tool has to be done either by the organization or with the help of third-party penetration testers as part of the Proof-Of-Concept & Implementation plan.
7.The TCP / UDP ports required for agent-less password reset operations have to be opened across firewalls. Uphill task when the resources are in remote branch offices across WAN.
8.Streamlining AD groups to ensure that the users are properly grouped & imported into the application.Properly configured AD groups would ensure smooth sharing of multiple privileged accounts to specific AD groups automatically.
9.Here comes the biggie adding to the above mentioned conundra :BUDGET APPROVAL from CFO/CEO to go ahead with the proposed password manager tool after successful evaluation & proof-of-concept ( POC ). Training, upgrade procedures, ROI , OPEX , support services & renewal expenditure needs to be worked out.
The above points would have just scratched the surface of all the real-time issues that IT administrators face while implementing a password management tool.
Thanks for reading & and would love to hear from you on the hurdles you have faced when implementing solutions that secure your KINGDOM !!