Friday, 6 January 2012

Don’t let your administrative passwords become Pulcinella's Secrets!

If you wonder what the phrase 'Pulcinella's Secret' means, let me start by explaining it:
Pulcinella is a popular comic character in Commedia dell'Arte, a form of theatre that began in Italy in the mid-16th century. The defining trait of Pulcinella is his inability to keep secrets. Any confidential matter revealed to him soon becomes an open secret. Everyone comes to know of the 'secret', but pretends not to know. So, in reality, Pulcinella's secrets are not secrets at all!

Now, coming back to the question: Do you leave your administrative passwords as Pulcinella's Secrets?

I am afraid the answer would be ‘Yes’ if you still follow the practice of keeping your administrative passwords in text files and spreadsheets. Everyone will know all the passwords, while you think otherwise!

Let me explain further:

Modern IT and other enterprises are heavily dependent on servers, databases, network devices, security infrastructure and other software applications for their day-to-day operations. This infrastructure is accessed and controlled through administrative passwords. Typically, the applications are used in a shared environment by a group of administrators.
The number of administrative passwords keeps growing as more and more servers, devices and applications are added to the enterprise. Administrators end up struggling with a pile of passwords and face problems in securely storing, managing and sharing them.

How are administrative passwords handled in enterprises?

If truth be told, even many big enterprises do not have any effective password management system in place at all. Employees follow their own haphazard ways of maintaining passwords; there is rarely any meaningful management:
  • Sensitive passwords are stored in volatile sources such as text files, spreadsheets, print-outs etc.
  • Many copies of the administrative passwords are circulated among the administrators who require them for their job functions. The passwords thus become impersonal in the shared environment, with no accountability for actions
  • When other members of the organization such as developers, database administrators and support personnel require access to IT resources, passwords are generally passed on by word of mouth
  • The administrative passwords mostly remain unchanged for fear of inviting system lockout issues
  • Still worse, most resources are assigned the same, non-unique password for ease of coordination among administrators. In most organizations, a common administrative account is created and all the administrators use the same account to access the infrastructure - for instance 'Administrator' on Windows, 'root' on Unix/Linux, 'enable' on Cisco, 'sa' on SQL Server etc.
  • There is rarely any internal control on password access or usage. Administrators freely get access to the passwords of all the resources in the organization
  • There is generally no trace of ‘who’ accessed ‘what’ resources and ‘when’. This creates a lack of accountability for actions
  • If an administrator leaves the organization, it is quite possible that he/she walks out with a copy of all the passwords
So, if you follow the traditional practice of storing the passwords in text files and spreadsheets, sensitive administrative passwords will be known to everyone, much like Pulcinella’s secrets.

What is the Solution?

One effective way to securely manage administrative passwords is to store them in a central, secure vault and automate password management tasks. Deploying 'Password Management Applications', or in simple words 'Enterprise Password Managers', can help you control access to administrative passwords and take total control of the shared administrative passwords. Your passwords will no longer remain Pulcinella’s Secrets.
ManageEngine Password Manager Pro helps achieve precisely this. Deploy Password Manager Pro and Stay Secure!
