Password Management Systems

I don’t know about you, but when I was working as an infrastructure systems administrator my life was ruled by a list: a list of to-dos to get the environment to a secure and happy place. There were weeks when the list got shorter as I crossed things off. Mostly, though, there were weeks when the list ended up longer than before, as I uncovered another upgrade to do or issue to fix that always took priority over the things I actually wanted to cross off.

One thing I never got to tick off in that role was a proper password management system. For far too long an Excel spreadsheet was the home of the most important and sensitive information my network held, and it deserved better.

It was only a few years later, when I started working in a consulting role, that I actually got to design and implement such a system, and I’m not ashamed to say it felt great!

So let’s talk about Password Management Systems and the review points I used when evaluating various products and tailoring them to fit the customer.

  1. What is so bad about the current methods used and how can we fix these with a new system?
  2. Who will the users of the system be and what access should each user have?
  3. How will these users access the system?
  4. How will we make it easy to administer/modify/add to etc.?
  5. How can we make it as secure, robust and yet user friendly as possible?
  6. How are we going to get the current password information into the new system?
  7. Do we need any sort of automation or advanced functionality?
  8. Can we do this with free tools or does it have to be a paid product?

The answers to these questions have been fairly consistent across the implementations I have done since. I will answer them below; see if they sound familiar to you. As you will see, the source is usually Keepass or Excel spreadsheets.

  1. What is so bad about the current methods used and how can we fix these with a new system?

The current method usually lacks the following major features:

  • the ability to shield the passwords from prying eyes (products like Keepass do have this)
  • auditability: reporting (or alerting) on when something was changed or accessed
  • granularity: anyone who can open the current store can see every username and password we have
  • control over portability: nothing stops someone copying the Excel spreadsheet or Keepass database and brute-forcing its master password offline, with no lockout and no log of the attempts


  2. Who will the users of the system be, what access should each user have and what sort of information should reside in there?

Every member of IT should be able to access the system and see only the passwords appropriate to their role. Ideally they could also store their own personal website passwords, as long as they are business related, and they should be the only ones able to access those.

It would also be useful if it could hold things such as license keys, as these are considered as sensitive as passwords in some cases.

  3. How will these users access the system?

Active Directory integration is a must here. The system should not be accessible from outside the organisation (except via VPN/Citrix/VDI etc.). In the event of AD being down, there would be a master user password that could be used to access the system, but this is a break-glass situation only: that password should be kept sealed and offline, and any use of it should be logged and raise an alert, since it bypasses the per-role access the rest of the design relies on.

  4. How will we make it easy to administer/modify/add to etc.?

The key is that we don’t want to apply individual permissions to every password. Instead, each password lives in a structure that works like a folder view: permissions are set per folder, and a password can be moved between folders as required. Passwords that need different permissions are treated as exceptions, assigned individually and kept in a place where everyone knows special permissions exist, so they are easy to find and review.

With the structure in place, creating a new password is as easy as putting it in the right folder; the inherited permissions take care of the rest.
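The folder-and-exceptions model above, as an added example that is not code from this post or from any product: a small Python vault in which permissions are set per folder, an entry inherits the ACL of the nearest ancestor folder that defines one, an entry under a dedicated exceptions folder carries its own ACL, moving an entry changes its effective permissions, and every read attempt is written to an audit log. The folder names, role names and secrets are constructed for the demo; roles such as infra-admin stand in for AD group membership.

```python
"""Folder-scoped permission model for a password vault.

Added example, not code from the post or from any product. Permissions are set
per folder; an entry inherits the ACL of the nearest ancestor folder that has
one; an entry may carry its own ACL (the "exception" case, kept under a named
folder so reviewers know where special permissions live); every read attempt is
audited. Roles like "infra-admin" stand in for AD groups. All names constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

READ, WRITE = "read", "write"
Acl = dict[str, set[str]]          # role -> permissions granted to that role


@dataclass
class Entry:
    secret: str
    acl: Acl | None = None         # explicit per-entry ACL: the "exception" case


@dataclass
class Folder:
    acl: Acl | None = None         # None means inherit from the parent folder
    children: dict = field(default_factory=dict)
    entries: dict = field(default_factory=dict)


class Vault:
    def __init__(self):
        self.root = Folder(acl={})  # root grants nothing; top-level folders must grant
        self.audit = []             # one record per read attempt, allowed or denied

    @staticmethod
    def _split(path):
        *dirs, name = path.strip("/").split("/")
        return dirs, name

    def _folder(self, dirs, create=False):
        """Walk to a folder, tracking the ACL inherited along the way."""
        folder, acl = self.root, self.root.acl
        for name in dirs:
            folder = folder.children.setdefault(name, Folder()) if create else folder.children[name]
            if folder.acl is not None:
                acl = folder.acl            # nearest explicit ACL wins
        return folder, acl

    def mkdir(self, path, acl=None):
        dirs, name = self._split(path)
        parent, _ = self._folder(dirs, create=True)
        parent.children.setdefault(name, Folder()).acl = acl

    def add(self, path, secret, acl=None):
        dirs, name = self._split(path)
        self._folder(dirs)[0].entries[name] = Entry(secret, acl)

    def move(self, src, dst):
        """Move an entry; with no ACL of its own it simply takes on the new folder's."""
        sdirs, sname = self._split(src)
        ddirs, dname = self._split(dst)
        self._folder(ddirs)[0].entries[dname] = self._folder(sdirs)[0].entries.pop(sname)

    def effective_acl(self, path):
        dirs, name = self._split(path)
        folder, inherited = self._folder(dirs)
        entry = folder.entries[name]
        # An explicit entry ACL replaces, rather than extends, the inherited one.
        return entry.acl if entry.acl is not None else inherited

    def allowed(self, roles, path, perm):
        acl = self.effective_acl(path)
        return any(perm in acl.get(role, set()) for role in roles)

    def read(self, user, roles, path):
        ok = self.allowed(roles, path, READ)
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                           "path": path, "action": READ, "allowed": ok})
        if not ok:
            raise PermissionError(f"{user} may not read {path}")
        dirs, name = self._split(path)
        return self._folder(dirs)[0].entries[name].secret


def build_demo_vault():
    """Constructed layout: one folder per team, personal folders, one exceptions folder."""
    v = Vault()
    v.mkdir("infra", acl={"infra-admin": {READ, WRITE}})
    v.mkdir("infra/network")                        # no ACL of its own: inherits /infra
    v.mkdir("apps", acl={"app-team": {READ, WRITE}, "infra-admin": {READ}})
    v.mkdir("exceptions", acl={"security": {READ, WRITE}})
    v.mkdir("personal/alice", acl={"user:alice": {READ, WRITE}})  # owner-only folder
    v.add("infra/network/core-switch", "switch-pw-1")
    v.add("apps/crm-db", "crm-pw-2")
    # One named on-call person must also see the payroll DB password: an exception,
    # so it carries its own ACL and lives where reviewers expect special permissions.
    v.add("exceptions/payroll-db", "payroll-pw-3",
          acl={"app-team": {READ}, "user:bob": {READ}, "security": {READ, WRITE}})
    v.add("personal/alice/vendor-portal", "vendor-pw-4")
    return v


if __name__ == "__main__":
    v = build_demo_vault()
    print(v.read("alice", {"infra-admin"}, "infra/network/core-switch"))
    try:
        v.read("bob", {"app-team"}, "infra/network/core-switch")
    except PermissionError as e:
        print("denied:", e)
    for rec in v.audit:
        print(rec)
```

The design choice worth noting is that an entry-level ACL replaces the folder ACL rather than adding to it, so an exception is fully described in one place; the price is that moving an exception into another folder does nothing to its permissions, which is exactly why the post keeps them in a folder of their own.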

  5. How can we make it as secure, robust and yet user friendly as possible?

Different products handle this in different ways, but since cloud-based systems are more often than not ruled out, we want to keep the system as isolated and self-contained as possible, for both security and rapid recovery, with encryption at rest enabled. User-friendliness is key to keeping IT staff using the system rather than drifting back to old habits.

  6. How are we going to get the current password information into the new system?

Again, different products have different methods, for both the source of the passwords and the destination, so this is important to check when comparing products. The migration itself deserves care too: the export is a complete plaintext dump of every credential you have, so it should be handled on a trusted host and every copy securely deleted once the import has been verified.

  7. Do we need any sort of automation or advanced functionality?

Some of the other features that can be useful, but are usually not required at the time of implementation, are:

  • Automatic discovery of accounts
  • Automatic testing of stored passwords to ensure they are still correct and active
  • Automatic changing of a password on the target system once it is changed in the Password Management System
  • Password workflows (for example, a request-and-approval step before a password is released)
  • Alerting when a password is due to expire
  • Server clustering support for high availability

Mostly these are available only in the higher tiers of products.

  8. Can we do this with free tools or does it have to be a paid product?

Depending on all the answers above, especially question 7, we work out the best product for the job. Surprisingly, more often than not there is a free option available.


I always found it strange that after external audits of the organisation, the lack of a password management system was never made a priority or even highlighted in the findings. I suspect this hasn’t changed, because I still see the vast majority of environments either running the old Excel spreadsheet or a product that doesn’t achieve much better security.

TL;DR: Password Management Systems don’t need to be overly complex or even overly expensive, but they can give you a great improvement over what you have for storing sensitive information. Perfekt has experience in this area and can help if you have it on your to-do list too.

For further information please contact your friendly Perfekt account manager.


Richard Hinder
Richard is a highly dedicated technician from Perfekt with broad experience in deployment, administration, scripting and solution architecture in SMB and enterprise environments. With a high level of quality in documentation and communication with clients, Richard is always striving to find the best solutions to today’s needs and enjoys keeping up with the latest technologies available. Richard is VMware certified and specialises in backup, ESXi, SRM and HDS storage. He has a strong focus on technology in the virtualisation, storage, backup, DR/BCP and server-based computing space.
