
XtonTech Database for Secrets

August 1, 2017

One Key to Rule Them All

In an ideal world every person would have a single account used to log in everywhere with some sophisticated form of authentication (maybe a long password, maybe a fingerprint, or something that will be created in the future). This account would be used to authorize launching new equipment at work, but also for something like purchasing a new backpack at an eCommerce store at home. Machines would communicate with each other using generated keys, after authorization given by people using the same accounts they use to ignite new equipment or to purchase a backpack.

Maybe we will get there eventually, or maybe we will not because of concerns about too much centralization. The reality is that there are far too many accounts and passwords to remember, and keys and certificates to save, share and find. These accounts come from local (not domain) computer accounts; IoT devices (printers, cameras, thermostats and even coffee machines) that ship with operating systems and root accounts with factory default passwords; shared accounts to portals “for everybody in accounting” to use; application pool or database accounts; shared partner portal accounts; and many others.

It is clear that remembering all these accounts is not an option, and writing them down in a notebook in an organization spread across multiple offices around the globe is not really an option either. Saving them in text files in some network folder sounds like an idea, but there are better ways to handle this issue using specialized software. Such software used to be pretty complex in the past, but that is not the case anymore. These days a simple Enterprise Identity Manager is a reality, so the topic is worth researching.

Database for Secrets vs Password Vault

Xton Technologies Database for Secrets is secure storage for sensitive information like passwords or certificates. Password managers (like LastPass or KeePass) provide similar functionality for individual users. They usually operate on a client desktop, remembering numerous passwords to internet portals, banks and eCommerce sites.

Xton Database for Secrets is an enterprise version of this concept. It keeps all data in central storage with web (browser) access that allows multiple users to share the same information with record level permissions. Moreover, it also has field level permissions, so some users can see all fields in a record but not the password. Why would anyone need to see information about an account but not its password? Because another part of Xton Access Manager, called Session Manager, can log people in to a computer without disclosing the password.

You might think about Database for Secrets as a content management system (like SharePoint Server) with field level permissions and special functionality on top of it. Some people call such a system a Password Vault or Secrets Vault because you can store there certificates, credit card numbers, keys, access codes, pictures with access codes, pretty much anything, not just passwords. The word Vault sounds to me like something from the financial industry, not computer science, so I prefer Database for Secrets.

Automatic Password Reset

When Database for Secrets is implemented in an organization, it becomes part of the process to look up identity information in this database, because it could be different every day. There are many people using the system: access to computers and certificates changes, credit card expiration dates might change, certificates could be replaced and keys could be updated. The Database for Secrets becomes the single source of the best known information about sensitive data.

Moreover, since the Database for Secrets knows the passwords to computers, admins can schedule automatic password resets. This adds a completely new level of password protection for the organization. The system can generate very long passwords that are impossible to remember, hard even to write down and very hard to break. Since everybody comes to the Database for Secrets to get the latest password, it does not matter how hard the password is to remember. In addition, many users will access the destination remote computers using Session Manager without even needing to type the password.

Database for Secrets can change passwords very often, for example every day or several times a day. It can also change the password after a certain event (for example after a user requested to see the password from the database). This ensures that passwords are strong and that the majority of users who need to access a remote system would not even know them.

Passwords for Scripts and Workflows

Modern companies attempt to automate many of their processes, creating scripts and workflows that run without human supervision, moving data between different systems, generating reports or sending notifications. These scripts require access to data in databases or to network resources to produce something useful. Usually, script or workflow developers hard code the passwords to these resources into the scripts or into configuration files. First, this creates a security issue, because all of a sudden it becomes easy to learn passwords or obtain keys to some important data or network devices. Second, it becomes hard to change these passwords or update keys, because afterwards many processes in the organization that rely on the old passwords will stop working. It might be hard to identify and fix them all, and the same happens again at the next password update.

The best practice for these automation scenarios would be to make the script or workflow get the password for a requested resource from the Database for Secrets. This way, the password for the remote resource can be updated often and safely for all background processes. Also, the Database for Secrets will record the fact that the script requested the password, so proper use can be monitored.
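As an added example that is not part of the original post or of Xton's software, the retrieve-at-run-time pattern in Python: a job asks a stand-in secrets store for the password instead of reading it from a config file, every request lands in an audit list, and because the store may have reset the password since the job last fetched it, a failed login triggers one refetch. The store, host, requester and record name are constructed for the example.

```python
# Added example, not Xton's code: a background job that fetches its database
# credential from a secrets store at run time instead of hard-coding it.
# SecretsStore, ManagedHost and the record name are constructed stand-ins.
from dataclasses import dataclass, field


class AuthError(Exception):
    """Raised by the target system when the supplied password is wrong."""


@dataclass
class SecretsStore:
    """Stand-in for the Database for Secrets: hands out the current password
    and records every request, so each retrieval appears in an audit trail."""
    secrets: dict
    audit: list = field(default_factory=list)

    def get_password(self, record: str, requester: str) -> str:
        self.audit.append((record, requester))
        return self.secrets[record]

    def reset_password(self, record: str, host: "ManagedHost", new: str) -> None:
        """Scheduled reset: the store changes the host's password and keeps
        the new value, the way an automatic password reset would."""
        host.password = new
        self.secrets[record] = new


@dataclass
class ManagedHost:
    """Stand-in for a remote system whose password the store manages."""
    password: str

    def login(self, password: str) -> str:
        if password != self.password:
            raise AuthError("bad credential")
        return "session-ok"


def run_job(store, host, record, requester, cached=None):
    """Fetch-then-use pattern. A password cached by a long-running job can go
    stale because the store resets it often; on AuthError, refetch once and
    retry rather than failing the whole workflow. Returns (result, password)."""
    password = cached or store.get_password(record, requester)
    try:
        return host.login(password), password
    except AuthError:
        password = store.get_password(record, requester)
        return host.login(password), password
```

The audit list is what lets an administrator see which job pulled which record and when, which is the monitoring point the section makes.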

Discovery

The admins could also make the Database for Secrets scan the network periodically, trying to log in to network resources using known accounts with popular passwords. These accounts might come from factory defaults (who would have known that the new printer has an account with a factory default password that could be used to hack into the network). Also, it is customary to build new computers from the same pre-created image, which often has some pre-built accounts. This results in many computers in the network with the same local accounts. Database for Secrets can find these accounts (and do it from time to time) so that admins can convert them to managed accounts, so the Database for Secrets will start resetting their passwords, or maybe even disable these accounts completely.

Summary

An Enterprise Identity Manager comes in handy to manage company sensitive information and also access to various network resources like computers and databases. Item and field level permissions combined with the audit log and session recordings ensure strong control over what is going on in the organization. Additional features like automated password reset, script and workflow integration, as well as periodic discovery of well-known accounts, allow administrators to have good control of their networks. Such software used to be pretty complex in the past, but that is not the case anymore. These days a simple Enterprise Identity Manager is a reality.
