Privileged Passwords, and Why I haven’t been posting for a while

The second topic first – I’m still here, but haven’t had the opportunity to do anything much related to IdM lately.

As some readers will be aware, I started this blog during a period of voluntary unemployment as a way of documenting all the things I’d learnt about MIIS in the previous 2 years. Partly it was for a memory aid for when I did get back into work, and partly it was to keep me occupied while accompanying a family member on extended hospital visits.

At the end of August my family relocated to Geneva, Switzerland, and I faced the prospect of job-hunting in a French-speaking town. La mission a accompli (mission accomplished; don’t be too impressed – I had to look that up on Babelfish) and I’m now working for an IT Services company, based in the Suisse Romande area. They all speak French in the office and I’m getting a crash language course around the coffee machine every morning!

I’ve been promised some juicy ILM projects for next year, but in the meantime it’s all been general Windows server stuff, and correcting my colleagues’ English (which is way better than my French), as a good percentage of the documents produced for clients must be written in English, befitting the international nature of many of the organisations here in Geneva.

But on to the primary topic of this post. The great thing about being back in a services company is the exposure I get to a range of different devices and applications. Recently I attended a demonstration of Cyber-Ark’s Enterprise Password Vault (EPV), and it’s brought the whole field of Privileged Password Management into my view.

EPV addresses a problem familiar to system admins and security auditors the world around – what the heck to do about all those admin accounts, system accounts, accounts that start services, accounts that are hard-coded into scripts to give DB access, PIN codes that you use once in a blue moon, but when you do you need them now! Many of us will have used the password-protected spreadsheet, the envelope in a locked filing cabinet, the passwords that are easy to remember, that are the same on every system, that don’t get changed nearly as often as they should. We may have all thought “gee, this really isn’t that secure”, but the amount of work involved in manually resetting the passwords, and restarting the services, and updating the config files… boy, you feel tired just thinking about it.

So what does EPV do to answer this problem? Firstly, a place to securely store your passwords, and control who can access them, in “The Vault”. And secondly, a mechanism to proactively change these passwords to complex random ones, which can only be retrieved by visiting The Vault, where you can be sure your every movement is being comprehensively authorised and logged. They even have a mechanism to remove passwords from code and scripts, enabled by a little client service that also has to go through the process of correct retrieval from The Vault, so the script never holds the secret itself.

What a great idea! But this sort of solution will cost you, and (from my experiments so far in a virtual environment) it’s not particularly straightforward to install or configure. This seems like a relatively new field at present, with only a small number of companies in play – my searches have revealed only Cloakware, Symark and e-DMZ in addition to Cyber-Ark, though there may be others I didn’t uncover. I couldn’t find anything comparable in the open source world, though a person could probably cobble something together from the random password generators and encrypted DBs that are available.
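To make the three pieces described above concrete (a vault with access control and logging, proactive rotation to complex random passwords, and taking the password out of the script), here is a toy version of the sort of thing one could “cobble together”. This is an added example written for this post, not Cyber-Ark’s code or anything from EPV; the `apply_password` hook that pushes a new password to the target system is hypothetical, and `TARGET_SYSTEM` is a constructed stand-in for a database server’s user table. It leaves out what a real product must also do – encrypt the store at rest, authenticate the caller properly, and restart services after a rotation.

```python
"""Toy privileged-password vault: CSPRNG rotation, ACL'd check-out, audit log (added example)."""
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!#%+-./:=?@_")

def generate_password(length: int = 24) -> str:
    """Random password with at least one character from every class, CSPRNG throughout."""
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice("".join(CLASSES)) for _ in range(length - len(CLASSES))]
    for i in range(len(chars) - 1, 0, -1):            # Fisher-Yates shuffle via secrets
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)

def meets_policy(pw: str, min_len: int = 16) -> bool:
    """Complexity check: minimum length plus one character from each class."""
    return len(pw) >= min_len and all(any(c in cls for c in pw) for cls in CLASSES)

@dataclass
class Account:
    name: str
    allowed: frozenset                            # principals allowed to check the password out
    apply_password: Callable[[str, str], None]    # hypothetical hook: sets it on the target system
    password: str = ""
    rotated_at: datetime = None

class Vault:
    def __init__(self, max_age: timedelta = timedelta(days=30), clock=None):
        self.max_age = max_age
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._accounts = {}
        self.audit = []                           # append-only (time, principal, account, action, result)

    def _log(self, principal, account, action, result):
        self.audit.append((self._clock(), principal, account, action, result))

    def enrol(self, account: Account) -> None:
        self._accounts[account.name] = account
        self.rotate(account.name)                 # a human-chosen password never survives enrolment

    def rotate(self, name: str, principal: str = "vault") -> None:
        acct = self._accounts[name]
        new_pw = generate_password()
        assert meets_policy(new_pw)
        acct.apply_password(name, new_pw)         # push to the target first; store only on success
        acct.password, acct.rotated_at = new_pw, self._clock()
        self._log(principal, name, "rotate", "ok")

    def rotate_due(self) -> list:
        """Rotate every account whose password is older than max_age; return their names."""
        now = self._clock()
        due = [n for n, a in self._accounts.items()
               if a.rotated_at is None or now - a.rotated_at >= self.max_age]
        for n in due:
            self.rotate(n)
        return due

    def checkout(self, principal: str, name: str, reason: str) -> str:
        acct = self._accounts[name]
        if principal not in acct.allowed:
            self._log(principal, name, "checkout: " + reason, "denied")
            raise PermissionError(f"{principal} may not retrieve {name}")
        self._log(principal, name, "checkout: " + reason, "ok")
        return acct.password

# The script-side change: TARGET_SYSTEM is a constructed stand-in for a DB server's user table.
TARGET_SYSTEM = {}

def connect_db(user: str, password: str) -> bool:
    return TARGET_SYSTEM.get(user) == password

def backup_job_hardcoded() -> bool:
    # Before: the secret lives in the script, is the same everywhere and never rotates.
    return connect_db("svc_backup", "Summer2007!")

def backup_job(vault: Vault) -> bool:
    # After: the script holds no secret; the fetch is authorised and logged by the vault.
    return connect_db("svc_backup", vault.checkout("backup-host01", "svc_backup", "nightly backup"))

def demo() -> dict:
    """Enrolment, check-out, a denied request and age-based rotation, with a fake clock."""
    now = [datetime(2007, 12, 1, tzinfo=timezone.utc)]
    vault = Vault(max_age=timedelta(days=30), clock=lambda: now[0])
    vault.enrol(Account("svc_backup", frozenset({"backup-host01"}),
                        lambda user, pw: TARGET_SYSTEM.__setitem__(user, pw)))
    first = vault.checkout("backup-host01", "svc_backup", "initial check")
    try:
        vault.checkout("intern-laptop", "svc_backup", "curious")
        denied = False
    except PermissionError:
        denied = True
    now[0] += timedelta(days=31)                  # 31 days later the password is overdue
    rotated = vault.rotate_due()
    return {"hardcoded_works": backup_job_hardcoded(), "vault_works": backup_job(vault),
            "denied": denied, "rotated": rotated,
            "changed": vault.checkout("backup-host01", "svc_backup", "re-check") != first,
            "audit_entries": len(vault.audit)}
```

Running `demo()` walks through the whole cycle: the hard-coded script stops working the moment the account is enrolled (its password is no longer what anyone typed), the vault-aware script keeps working across a rotation because it fetches at run time, the unauthorised check-out is refused and still lands in the audit log, and `rotate_due()` is the piece you would put on a schedule. The order in `rotate()` matters: the new password is pushed to the target before it is stored, so a failed push leaves the vault holding the password that still works rather than one that was never set.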

Now you may be wondering what on earth this has to do with ILM/MIIS, and the answer, of course, is nothing – it’s just an identity-related topic that I’ve recently had the chance to consider. I did think that it would be nice if such a system could somehow hook into the PCNS (Password Change Notification Service), or if password changes could even be driven through ILM – but it’s not going to happen without Microsoft giving us the ability to write Password Extensions – and there may well be good security arguments for keeping things the way they are.

A correction to this post…

You can now write Password Extensions! I’ve just installed ILM 2007 for the first time, and it’s right there in the Developers Reference. This is a very useful and much needed function, as it now means we can sync passwords to any connected data source!