New Ideas in Password Management

In his Network World on Security newsletter this week, Dave Kearns talks about a new kind of password management product that seems to be picking up traction. Lieberman Software's Random Password Manager offers interesting new capabilities in password management similar to Cyber-Ark's Enterprise Password Vault (EPV). I had briefly mentioned Cyber-Ark in a blog post I wrote about this years Catalyst conference, where Oracle announced that Cyber-Ark was joining its Extended Identity Management Ecosystem. At the time I had promised to follow up with a more detailed discussion of its relevance. Dave's newsletter reminded me to write this long overdue post.

Both these products attempt to solve a very interesting problem - providing controlled, audited access to passwords for highly privileged administrator accounts. Also referred to as service accounts, these types of accounts have been a problem in the IAM space for a long time. They usually do not belong to one person, though there is typically one administrator who "owns" the account. These accounts are often shared between different users, making it difficult to track who actually used the account when they logged into the system (a compliance nightmare). They are also used in application integration scenarios, making them especially critical to an enterprise's complex infrastructure.

While a tool like OIM can be used to manage the lifecycle of these accounts, a tool like EPV can step in to provide a lot of help in the runtime usage of these accounts. The basic idea is simple: Any time a user wants to log in using one of these accounts, they obtain the account password from EPV (check out the password). They use that password to log in, and after finishing their work, they let EPV know that they are done using the account (in effect, checking in the password).

This simple methodology allows EPV to do some interesting things. Because of the need to check in and check out passwords, EPV makes sure that only one person is using the privileged account at any time, and is able to track who was logging in using that account at any given time - thereby solving the all important audit issues associated with such accounts. EPV is also able to then layer a lifecycle process around that password, changing it (through a connector mechanism) to a new, randomly generated value after it has been used (checked out and back in). This prevents any user from logging back into the system using that same password at a later time. In effect, it makes sure that all passwords used by anyone to log into a privileged account are random, one time passwords.

While the overhead of the password lifecycle could prove burdensome in certain usage scenarios for privileged accounts, it is not really a problem in the vast majority of use cases involving UNIX root accounts, DBA accounts and Windows Administrator accounts

You can learn more about Oracle and Cyber-Ark's collaboration here.

Comments:

what if you had to type another minimum equal length expression in the same field when you enter your password. SAM would keep a history of the insignificant phrases you had used and refuse to let you use the same one within however many retries (this number could be modulated too to get around scripts) anyone grabbing the hash for your password would then, after trying to de-hash it, have to key in a phrase INCLUDING the bits that are your password but which is not a phrase you have used within the appropriate number of retries. maybe this phrase could be from a list of legal phrases or maybe this would just be defeating the point, but i reckon this would be pretty hard to crack if implemented (with any flaws ironed out!) jaymz

Posted by jaymz on September 30, 2008 at 09:04 PM EDT #

Post a Comment:
  • HTML Syntax: NOT allowed
About

bocadmin_ww

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today