I don’t know about you, but when I was working as an infrastructure systems administrator my life was ruled by a list. A list of to-dos to get the environment to a secure and happy place. There would be weeks where my list got smaller as I got things crossed off it. But mostly there were weeks where the list ended up longer than before, as I uncovered another upgrade to do or issue to fix, which always took priority over the things I actually wanted to cross off.
One thing that I never got to tick off while I was in this role was a proper password management system. For far too long an Excel spreadsheet was the home of the most important and sensitive information my network had to hold, and it deserved better.
It was only a few years later, when I started working in a consulting role, that I actually got to design and implement such a system, and I’m not ashamed to say it felt great!
So let’s talk about Password Management Systems and the review points I used when evaluating various products and tailoring them to fit the customer.
The answers to these questions seem to be pretty common throughout the implementations I have done since. I will answer them below; see if they sound familiar to you. As you will see, the source is usually KeePass or Excel spreadsheets.
It usually lacks the following major features:
Every member of IT should be able to access the system and only get the passwords appropriate to their role. It would be great if they could also store their own personal website passwords too, as long as they are business-related only. They should be the only ones allowed to access these personal passwords.
It would be great if it could hold things such as license keys too, as these are considered as sensitive as passwords in some cases.
Active Directory integration is a must here. The system should not be accessible from outside the organisation (except via VPN/Citrix/VDI etc.). In the event of AD being down, there would be a master user password that could be used to access the system, but this would be a break-glass situation only.
The key is that we don’t want to apply individual permissions to every password. Instead we want a folder-like structure in which permissions are set per folder, each password inherits the permissions of the folder it resides in, and a password can be moved between folders as required. Passwords that need different permissions are handled as exceptions: they are assigned explicitly, and kept in a place where we know special permissions exist.
With the structure in place, creating a new password is as easy as putting it in the right folder; the inherited permissions take care of the rest.
Different products handle this in different ways, but since cloud-based systems are more often than not ruled out, we want to keep the system as isolated and self-contained as possible, with encryption enabled, for security and rapid-recovery purposes. User-friendliness is key to keeping IT staff using the system rather than going back to old habits.
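As an added example, which is not code from the original post or from any product, here is a small Python model of the folder-based permission scheme just described, combined with the earlier requirements for role-scoped access and owner-only personal passwords: a folder either carries its own list of allowed roles or inherits its nearest ancestor’s, an entry can carry an explicit exception that overrides its folder, a personal folder is readable by its owner only, and moving an entry is all it takes to change what it inherits. The folder names, role names, users and secrets are constructed sample values, and the roles would in practice come from AD group membership.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Folder:
    """One node of the vault tree.

    roles=None means "inherit the nearest ancestor's ACL"; owner is set only on
    a personal folder, whose contents are readable by that single user.
    """
    name: str
    parent: Optional["Folder"] = None
    roles: Optional[frozenset] = None
    owner: Optional[str] = None

    def path(self) -> str:
        return self.name if self.parent is None else f"{self.parent.path()}/{self.name}"

    def effective_roles(self) -> frozenset:
        # Walk towards the root until a folder with an explicit ACL is found.
        node: Optional[Folder] = self
        while node is not None:
            if node.roles is not None:
                return node.roles
            node = node.parent
        return frozenset()  # no ACL anywhere on the path: deny by default

    def personal_owner(self) -> Optional[str]:
        node: Optional[Folder] = self
        while node is not None:
            if node.owner is not None:
                return node.owner
            node = node.parent
        return None


@dataclass
class Entry:
    """A stored secret (password or licence key). roles set => per-entry exception."""
    title: str
    folder: Folder
    secret: str
    roles: Optional[frozenset] = None

    def path(self) -> str:
        return f"{self.folder.path()}/{self.title}"


@dataclass
class User:
    name: str
    roles: frozenset  # in a real deployment: resolved from AD group membership


def can_access(user: User, entry: Entry) -> bool:
    """Decide whether user may read entry; the checks are in precedence order."""
    owner = entry.folder.personal_owner()
    if owner is not None:
        return user.name == owner  # personal entries: owner only, whatever the role
    if entry.roles is not None:
        return bool(user.roles & entry.roles)  # exception replaces the folder ACL
    return bool(user.roles & entry.folder.effective_roles())


def move(entry: Entry, folder: Folder) -> None:
    """Moving an entry changes the ACL it inherits; no per-entry update is needed."""
    entry.folder = folder


def list_exceptions(entries: Iterable[Entry]) -> List[str]:
    """Entries carrying their own ACL, i.e. the places where special permissions exist."""
    return sorted(e.path() for e in entries if e.roles is not None)


def build_demo_vault() -> Tuple[Dict[str, Folder], Dict[str, Entry]]:
    """Constructed sample vault; every name and secret here is made up."""
    root = Folder("Vault")
    infra = Folder("Infrastructure", root, roles=frozenset({"sysadmin"}))
    network = Folder("Network", infra)  # no ACL of its own: inherits sysadmin
    firewalls = Folder("Firewalls", network, roles=frozenset({"sysadmin", "netadmin"}))
    licences = Folder("Licences", root, roles=frozenset({"sysadmin", "helpdesk"}))
    personal = Folder("Personal", root)
    alice_home = Folder("alice", personal, owner="alice")
    folders = {f.name: f for f in (root, infra, network, firewalls, licences, personal, alice_home)}
    entries = {
        "core-switch": Entry("core-switch", network, "sample-pw-1"),
        "edge-firewall": Entry("edge-firewall", firewalls, "sample-pw-2"),
        "backup-licence": Entry("backup-licence", licences, "SAMPLE-KEY-0000"),
        # exception: sits under Infrastructure but only the DBA role may read it
        "dba-service-account": Entry("dba-service-account", infra, "sample-pw-3",
                                     roles=frozenset({"dba"})),
        "supplier-portal": Entry("supplier-portal", alice_home, "sample-pw-4"),
    }
    return folders, entries


if __name__ == "__main__":
    folders, entries = build_demo_vault()
    users = [User("alice", frozenset({"sysadmin"})), User("bob", frozenset({"netadmin"})),
             User("carol", frozenset({"dba"})), User("dave", frozenset({"helpdesk"}))]
    for u in users:
        print(f"{u.name:6} -> {[e.title for e in entries.values() if can_access(u, e)]}")
    print("entries with special permissions:", list_exceptions(entries.values()))
```

Two design choices are worth calling out: the root folder has no ACL, so anything placed outside an explicitly permissioned folder is denied by default rather than silently readable, and an exception replaces the folder ACL instead of extending it, which means list_exceptions is the complete list of places an administrator or auditor has to look when asking who can read what.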
Again, different products have different methods, whether we are talking about the source of the passwords or the destination, but this is important to check when comparing products.
Some of the other features that can be useful, but are usually not required at the time of implementation, are:
Mostly these are available in the higher tiered options of products.
Depending on all the answers above, especially question 7, we work out the best product for the job. Surprisingly, more often than not there is a free option available.
I always found it strange that after external audits of the organisation, the lack of a password management system was never made a priority or even highlighted as part of the findings. I suspect this hasn’t changed, because I still see the vast majority of environments either running the old Excel spreadsheet or a product that doesn’t achieve much better security.
TL;DR Password Management Systems don’t need to be overly complex or even overly expensive but can give you a great improvement over what you have for storing sensitive information. Perfekt have experience in this area and can help if you have it on your to-do list too.
For further information please contact your friendly Perfekt account manager.