Saturday, 18th September 2021

Access all areas? How password management can help enterprises to boost security and compliance

By Rajesh Ganesan, Director of Product Management, ManageEngine.

From protecting corporate data and reputation to ensuring compliance, robust security processes are essential. The latest government-commissioned information security survey by PwC highlights the fact that rising internal and external threats pose a near universal problem for today’s businesses, with a record 90% of large enterprises suffering a breach in 2015, costing an average of between £1.46 and £3.14 million.

Responding to these threats, enterprises are looking to a range of new solutions. However, in the battle to protect the business, close scrutiny is not always paid to key internal processes – including password management.

For administrators, a big challenge in ensuring best-practice password processes is the need to oversee hundreds or even thousands of users each with different levels of privileged access to an organisation’s systems. This complexity means that systems administrators are often unable to pinpoint the exact number of users. In the event that individual or organisation-wide checks are required, this complexity also makes it difficult to pull together an accurate list of who has access to what or how many times privileges have been used.

Meeting this and other requirements, a password management tool offers an alternative solution for the many organisations that leave sensitive passwords at risk by sharing them with staff or storing them in spreadsheets. Likewise, the solution can also offer a faster and more straightforward method of management and distribution for firms that lock applications up so tightly that staff are denied access and have to waste time waiting for approval.

Automating what can otherwise be a highly time-consuming, manual process, the technology scans the active directory and provides visibility of all accounts and passwords across all devices and operating systems. Using this solution, each password can automatically be reset, bringing the entire hierarchy of passwords immediately under control.

Making what can otherwise be a laborious process much more efficient, the password management portal provides all the required privileges needed to allow admins to create passwords, regulate users and monitor password use. Meanwhile, end-users can access the portal with read-only permissions, enabling them to view appropriate passwords where needed.

In addition to internal management, password management helps overcome potential weak points in enterprise systems and applications that could be infiltrated by malicious outsiders. This includes hard-coded passwords that enable applications to access an organisation’s database. If attackers gain access to the script and decode it, they could cause severe damage.

Addressing this threat, a portal-based password management solution authorises and recognises the application’s IP address, continuously monitoring and auditing newly-generated passwords without any risk to the script.

A further security vulnerability stems from the use of third-party applications which provide no accountability and no trace of how passwords have been shared or deployed. Here too, a dedicated password management portal offers an effective solution, saving time and increasing security by generating a secure password automatically based on what is imported from the active directory. Whenever a change is made in the active directory, it is reflected in the portal.

To maintain seamless performance, the portal used to administer and control the password management solution should ideally work across two servers. This means that if one goes down, the other will continue functioning. A good solution should also feature the flexibility to allow administrators to provide secure but temporary system access for contractors, visitors and other temporary users and be accessible to admins from any device.

From a compliance perspective, the fact that the portal can also be accessed by auditors to establish how passwords are being used can help the business to demonstrate adherence to key industry regulation. Additionally, it is also extremely effective when permanent employees leave the business, giving administrators visibility of all the passwords that were owned or shared by the former employee, along with a record of the resource groups more senior staff may have had access to and of their activities in the portal within the days leading up to their departure.

At a time of increased threat levels, no business can afford to take a back seat on security. Yet, in addition to new tools and technologies, it is clear that close scrutiny must also be paid to potentially insecure, outdated internal processes – including password management. Saving time for admins without the need for costly or complex new IT systems, it could plug an important gap in the organisation’s external defences.