The management of administrative passwords such as ‘root,’ ‘administrator,’ ‘sa,’ and ‘enable’ is a problem that has existed since distributed systems made their way into business environments. Traditionally, this issue has been dealt with through procedure-based controls. These solutions are typically manually intensive, do not scale, and are unable to meet growing government regulations such as Sarbanes-Oxley, GLBA, HIPAA and others. Unlike single-user passwords, management of shared administrative passwords introduces many unique challenges and requirements:
1. Administrative passwords are shared among multiple administrators, hampering individual accountability
2. Organizational risk associated with unauthorized administrative-level access is extensive
3. Secure, audited password release and change control management
4. Ubiquitous, secure password accessibility 24x7x365
The Password Auto Repository™ (PAR) was specifically designed to provide a commercial solution to the problem of shared administrative password management. Designed in a purpose-built appliance form factor, the PAR addresses the storage, release, update, and auditing of administrative passwords.
- Automatic password change capabilities across multiple users and platforms.
- A Dual-Control mechanism to enable regulatory compliance.
- An end-to-end security solution, protecting your passwords during transmission and while in storage.
- A strong auditing solution with time and date stamping to track password usage, where passwords are stored, with a history of all versions and the changes made.
- A granular access control mechanism to control who has access to each password.
- Ubiquitous, secure password accessibility.
- Robust reporting capabilities for displaying systems under control as well as users and their level of access.
- A clientless, plug-and-play solution.
The PAR is a purpose-built hardened appliance. A commercial embedded firewall (CyberGuard SG630) protects the network interface. No interactive access is allowed. The hard disk is encrypted using AES256 disk encryption to protect against physical attack. The passwords themselves are also AES256 encrypted prior to being stored on the PAR.
The highly granular release mechanism can enforce dual control. SMTP (email) messages are sent from PAR to alert the respective approvers that a request requires their attention. Role-based access control (RBAC) is used to segregate users into requestors, approvers, administrators, auditors, etc. Releases are delivered through an HTTPS session, with the password displayed for only 20 seconds at a time to reduce the opportunity for exposure. A CLI/API mechanism allows PAR to be integrated into an existing workflow system.
The graphic below illustrates a sample environment:
To ensure that individual accountability is preserved, PAR generates a new strong password (with configurable options) and changes the password on the managed system. This autochange feature is currently available across multiple UNIX variants (Solaris, AIX, HPUX, Linux), Windows (2000, XP and 2003), and multiple firewalls / network devices (Cisco, CyberGuard, Netscreen). In addition, PAR can manage database privileged accounts such as “sa” for Sybase and MS SQL Server, or “sys” and “system” for Oracle. By default, PAR changes a managed account password two hours after it has been released; it may be configured to make the change after any length of time you specify. PAR will also ensure that passwords are changed periodically (monthly, etc.) in accordance with a company’s security policy.
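The release and autochange workflow described in the two paragraphs above (role-based segregation of requestors and approvers, dual-control approval, a 20-second reveal window, a scheduled change two hours after release, and periodic rotation, all written to an audit trail) can be modelled in a few dozen lines. The following is an added illustration and is not PAR's own code or API; the class and method names (`Vault`, `request_release`, `approve`, `release`, `rotate_due`), the 30-day maximum age and the single-approver default are assumptions chosen for the example, and the accounts and users are constructed sample data.

```python
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Policy constants taken from the text: 20-second reveal, change two hours after release.
REVEAL_WINDOW = timedelta(seconds=20)
ROTATE_AFTER_RELEASE = timedelta(hours=2)
MAX_PASSWORD_AGE = timedelta(days=30)   # assumed "monthly" periodic change policy


@dataclass
class ManagedAccount:
    system: str
    account: str
    password: str
    changed_at: datetime
    rotate_at: Optional[datetime] = None          # pending post-release change
    history: List[str] = field(default_factory=list)  # previous versions, oldest first


@dataclass
class ReleaseRequest:
    request_id: int
    key: str
    requestor: str
    approvals: Set[str] = field(default_factory=set)
    released_at: Optional[datetime] = None


def generate_password(length: int = 16) -> str:
    """Generate a random password containing lower, upper, digit and symbol classes."""
    symbols = "!@#$%^&*"
    alphabet = string.ascii_letters + string.digits + symbols
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in symbols for c in pw)):
            return pw


class Vault:
    """Illustrative (hypothetical) shared-password repository with dual control and audit."""

    def __init__(self, roles: Dict[str, Set[str]], approvals_required: int = 1):
        self.roles = roles                      # user -> set of RBAC roles
        self.approvals_required = approvals_required
        self.accounts: Dict[str, ManagedAccount] = {}
        self.requests: Dict[int, ReleaseRequest] = {}
        self.audit: List[Tuple[datetime, str, str, str]] = []  # (when, actor, action, key)
        self._next_id = 1

    def _require(self, user: str, role: str) -> None:
        if role not in self.roles.get(user, set()):
            raise PermissionError(f"{user} does not hold role {role}")

    def add_account(self, admin: str, system: str, account: str, now: datetime) -> str:
        self._require(admin, "administrator")
        key = f"{system}/{account}"
        self.accounts[key] = ManagedAccount(system, account, generate_password(), now)
        self.audit.append((now, admin, "add", key))
        return key

    def request_release(self, user: str, key: str, now: datetime) -> int:
        self._require(user, "requestor")
        rid, self._next_id = self._next_id, self._next_id + 1
        self.requests[rid] = ReleaseRequest(rid, key, user)
        self.audit.append((now, user, "request", key))
        return rid

    def approve(self, user: str, request_id: int, now: datetime) -> bool:
        """Record an approval; dual control forbids approving one's own request."""
        self._require(user, "approver")
        req = self.requests[request_id]
        if user == req.requestor:
            raise PermissionError("dual control: approver must differ from requestor")
        req.approvals.add(user)
        self.audit.append((now, user, "approve", req.key))
        return len(req.approvals) >= self.approvals_required

    def release(self, user: str, request_id: int, now: datetime) -> Tuple[str, datetime]:
        """Reveal the password to the requestor; returns (password, reveal expiry)."""
        req = self.requests[request_id]
        if user != req.requestor or req.released_at is not None:
            raise PermissionError("release allowed once, to the requestor only")
        if len(req.approvals) < self.approvals_required:
            raise PermissionError("request not yet approved")
        req.released_at = now
        acct = self.accounts[req.key]
        acct.rotate_at = now + ROTATE_AFTER_RELEASE   # schedule the post-release change
        self.audit.append((now, user, "release", req.key))
        return acct.password, now + REVEAL_WINDOW

    def rotate_due(self, now: datetime) -> List[str]:
        """Change every password whose post-release timer or maximum age has expired."""
        rotated = []
        for key, acct in self.accounts.items():
            if (acct.rotate_at is not None and now >= acct.rotate_at) \
                    or now - acct.changed_at >= MAX_PASSWORD_AGE:
                acct.history.append(acct.password)
                acct.password = generate_password()
                acct.changed_at, acct.rotate_at = now, None
                self.audit.append((now, "vault", "autochange", key))
                rotated.append(key)
        return rotated
```

The audit list is the point of the model: every request, approval, release and automatic change is attributed to a named user (or to the vault itself), which is what restores individual accountability for an account whose password is otherwise shared. In a real deployment the audit trail would be written to tamper-evident storage rather than kept in memory.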
Secure File Storage & Release
In addition to passwords, PAR also supports secure file storage and release controls. The file storage, release control and audit capabilities of PAR allow the enterprise to expand the use of PAR to include additional system information, tokens, keys, pass phrases or other text based information.
All actions are recorded by the PAR and accessible through a robust reporting interface. Daily reports can be emailed from PAR, providing information on password aging, password release, password updating and verification, as well as administrative activity. All reports can be exported to Excel for further processing.
With the Enterprise PAR (ePAR) performance upgrade, PAR is able to scale to support hundreds of thousands of systems and devices, meeting the requirements of today’s largest enterprises.