Do you have a Post-It Password note? Thankfully they’re becoming less common compared to even just five years ago. But it’s still not shocking to see someone with a piece of paper tucked under their keyboard or in a drawer of their desk that has a set of login credentials for a little-used server. People have horrible memories for things like that.
Worse yet, the solution for many password issues is simply to make them all the same. I can recall a time when I was working as an intern at a large computer company and my cubicle neighbor was complaining about having to change all his passwords again. I recalled that it had only been 30 days since his last password change. The company default for credential changes was 180 days. Why was he changing them all so quickly? When I asked, his response was “Oh, since I don’t like to remember more than one password, I just change them all every 30 days so I just have to remember the same one.” Worse yet, he wrote down all the old ones so he didn’t repeat one!
When it comes to accessing enterprise systems, the likelihood of someone taking your credentials and doing something nefarious with them increases as your password complexity decreases and your access level rises. In order to make sure that your users aren’t inadvertently exposing your corporate assets to naer-do-wells, you need a more robust solution to help you manage all those complicated credential situations.
A few months ago, I had the opportunity to sit down with several folks from BeyondTrust and talk a bit about the challenges that they are seeing in the Privileged Access Management space. BeyondTrust is a part of a larger portfolio that includes the former Bomgar, Lieberman, and Aveco companies. BeyondTrust is focused on credentials though.
BeyondTrust provides a platform that allows you to manage credentials in a number of ways. Their Password Safe solution allows you to store and monitor credential use in your enterprise. This allows you to catch when someone is using an account with admin privileges at a time when that user shouldn’t be logged in at all. This could be indicative of an outside threat having compromised a user ID to perform reconnaissance on a network. It could also be an early indicator of an insider threat looking to steal sensitive information on the sly.
Because you can audit all credential use through BeyondTrust Password Safe, you can also force them to be rotated. This is a huge win for teams that are following proper procedure with service accounts to take care of things like backups or other non-interactive services. Woe be to the network or systems administrator that forgets to change the password on a Backup Operator account for years and then finds out that the account was used as a vector to invade a network and cause problems or steal data.
Another big use for BeyondTrust is finding embedded credentials. Too often, we’re focused on making service work for our developers. Or our development teams are trying to get the services configured for users as quickly as possible. That means embedding credentials in the program to log in automatically. Embedded credentials are as good as compromised.
There are legions of bots that scan GitHub for Amazon AWS API keys. Or things that looking like passwords. Or anything that could even be considered a login. And once those are collected they can be used to invade your system. Or, at the very least run some servers on your AWS account for a couple of weeks until you find out what’s going on and change things.
BeyondTrust can help you identify these exposed credentials and prevent them from happening in the first place. Rather than having your developers embed the credentials into the program, you can use BeyondTrust to create a RESTful API call back to the central credential repository. Now, not only are your credentials secure and not floating around in the wild, but those REST API calls can be audited and confirmed as valid. That means you don’t have to worry about someone stealing the code from your program and using it to call your AWS APIs.
Bringing It All Together
The two examples above are just a small taste of what a full privileged access management solution can give you. Things like Active Directory change audits and secure remote access are also a part of the BeyondTrust platform. Passwords are a very important part of the way we do business in today’s world. Keeping them safe is as critical as securing the keys to your building. The experts at BeyondTrust have a great solution to ensuring your password assets are protected behind their lock and key.
For more information about the BeyondTrust platform and some of their use cases, make sure to visit http://BeyondTrust.com