New Ideas in Password Management
By Nishant Kaushik on Aug 29, 2007
In his Network World on Security newsletter this week, Dave Kearns talks about a new kind of password management product that seems to be picking up traction. Lieberman Software's Random Password Manager offers interesting new capabilities in password management similar to Cyber-Ark's Enterprise Password Vault (EPV). I had briefly mentioned Cyber-Ark in a blog post I wrote about this years Catalyst conference, where Oracle announced that Cyber-Ark was joining its Extended Identity Management Ecosystem. At the time I had promised to follow up with a more detailed discussion of its relevance. Dave's newsletter reminded me to write this long overdue post.
Both these products attempt to solve a very interesting problem - providing controlled, audited access to passwords for highly privileged administrator accounts. Also referred to as service accounts, these types of accounts have been a problem in the IAM space for a long time. They usually do not belong to one person, though there is typically one administrator who "owns" the account. These accounts are often shared between different users, making it difficult to track who actually used the account when they logged into the system (a compliance nightmare). They are also used in application integration scenarios, making them especially critical to an enterprise's complex infrastructure.
While a tool like OIM can be used to manage the lifecycle of these accounts, a tool like EPV can step in to provide a lot of help in the runtime usage of these accounts. The basic idea is simple: Any time a user wants to log in using one of these accounts, they obtain the account password from EPV (check out the password). They use that password to log in, and after finishing their work, they let EPV know that they are done using the account (in effect, checking in the password).
This simple methodology allows EPV to do some interesting things. Because of the need to check in and check out passwords, EPV makes sure that only one person is using the privileged account at any time, and is able to track who was logging in using that account at any given time - thereby solving the all important audit issues associated with such accounts. EPV is also able to then layer a lifecycle process around that password, changing it (through a connector mechanism) to a new, randomly generated value after it has been used (checked out and back in). This prevents any user from logging back into the system using that same password at a later time. In effect, it makes sure that all passwords used by anyone to log into a privileged account are random, one time passwords.
While the overhead of the password lifecycle could prove burdensome in certain usage scenarios for privileged accounts, it is not really a problem in the vast majority of use cases involving UNIX root accounts, DBA accounts and Windows Administrator accounts
You can learn more about Oracle and Cyber-Ark's collaboration here.