July 10, 2019 | IBM i

Securely Sharing Critical IBM i Passwords During a Disaster


A disaster hits your organization. Your ERP system is down. The emergency DR resource logs onto the system to perform a restore function... and discovers he doesn't have a recovery password. All work stops while you search frantically for that password.

The critical password problem

A critical password is any password used to set up, configure, maintain, or restore servers, services, and applications. Some examples of critical passwords include:

  • IBM i security officer passwords and Windows domain admin passwords
  • Firewall passwords
  • Service account passwords
  • Machine passwords
  • Router or switch passwords
  • Application package passwords
  • Cloud service passwords
  • Device configuration passwords

Some critical functions (such as IBM i and Windows domain administrators) allow for multiple users to have administrative privileges so password sharing isn’t necessary. But other functions—including some machine, firewall, router, and switch passwords—may only allow one sign-on with one password to handle administrative functions. Those passwords must be available to multiple people for shared duties, emergency maintenance, and disaster recovery.


Critical password sharing is particularly important during a disaster or emergency, as key people may be on vacation, cut off from recovery efforts, or dealing with emergencies of their own, forcing backup personnel (who may not know all the critical passwords) to perform DR tasks. But sharing critical passwords creates a critical problem: how do you share passwords among trusted users without exposing those passwords to the world?

Some guiding principles for sharing critical passwords

Before we get into the mechanics of sharing passwords, let’s look at some basic principles that should be applied in a critical password sharing scheme. These principles can inform and shape your password sharing scheme.

  1. Don't share critical passwords if there's an option to create individual passwords for administrative users: if two people need IBM i security officer access or Windows domain admin privileges, create an account for each of them. You can and should create individual primary and secondary administrative users wherever you're able.
  2. When available, use emergency authority provisioning programs to provide access during disaster recovery situations: there are many commercially available products that let you temporarily grant and track privileged access as needed. SEA's iSecurity on Demand, for example, lets you assign emergency temporary authorities to IBM i users and track when those users act and what they do on the system.
  3. Only share critical passwords among users when there isn't any other option: when all else fails and an emergency resource needs the password for your firewall, IBM i security officer, or router, you may have no choice but to share that password to get the system up and running.

Storing critical passwords so the right people can find them

As with other sensitive data, critical passwords should be stored somewhere other than the primary site alone, so that losing the data center does not also lose the passwords needed to recover it. Sensitive, shared passwords should be afforded at least the same security as your other backups (data, server, workstation, and mobile device data).


Choosing how to store and share critical passwords is not a trivial decision. There are generally three options for secured password sharing and retrieval.

  • Hard copy (paper) storage
  • Internal network storage
  • A Password Manager program (vault) stored on the network or in the Cloud

Each of these techniques has its advantages and disadvantages. Here are some of the common ways people use these techniques to ensure critical passwords are available during an emergency.

Hard copy (paper) storage

Under this scenario, critical passwords are kept as paper documents in a folder or binder in one or more locations.


Paper-based password folders are distributed among authorized users with the understanding that the folders will be securely stored, or will travel with the user when they leave the office (so that the user can access the passwords outside of the facility in an emergency). If kept on-site, they should be kept in a secured location, such as the computer room, preferably in a fireproof safe.


A hard copy password folder should be treated like a corporate trade secret: someone should know where every folder is at all times. If one of the folders needs to leave the site, it should be checked out, with an audit trail showing its movements and who had custody.


The biggest problem with on-site hard copies of critical passwords is the security risk. Hard copy password listings can be copied or photographed. On-site hard copies may also be of little use in a regional disaster where the physical data center is cut off by fire, tornado, flood, etc. Given that almost no one will handwrite a critical password folder, there will also be a digital copy somewhere in a network folder that can be compromised. On the positive side, paper copies can travel with authorized users and can be available in the location where they are most likely to be used.

Internal network storage

As mentioned above, even if you store your critical passwords in hard copy format, there will generally be a digital copy somewhere that the file is printed from. Network password files can be very simple or very complicated.


A seldom-discussed network secret is that many managers log critical passwords in an Excel spreadsheet on the network. The file should (but often doesn't) have password protection enabled. Be aware that only the workbook "password to open" (which, on current Office file formats, actually encrypts the file) protects the contents; sheet and workbook "protection" passwords only restrict editing and are trivially bypassed. If stored on the network, the password file should reside in a highly secured location, not in a public folder, with access limited to the named custodians. It should be accessible to both on-site and off-site authorized personnel, and stored password files should always be encrypted. The password file should also reside in a network folder that's replicated to other file servers, in case the main file server is damaged. The file or folder should be backed up on a regular basis by a service such as Microsoft System Center Data Protection Manager (DPM) that stores backup and archive copies offsite on a regular schedule. If replication isn't being used and the file resides on a Microsoft volume, the volume should have shadow copies enabled so you can revert to an earlier copy in case of file corruption or deletion.

Password management vaults

A Password Manager is an encrypted software vault where users can store their own passwords as well as the passwords they share with others. Password Manager vaults can be created on local hardware (mostly used for personal passwords), on your network, or in the cloud. Look for Password Manager programs that encrypt the vault with a strong cipher such as AES-256 and derive the vault key from the master password with a salted, deliberately slow key-derivation function such as PBKDF2 (or a memory-hard one such as Argon2 or scrypt) rather than a plain hash, so that a stolen vault file can't be brute-forced quickly. You might also want a Password Manager product that requires two-factor authentication before revealing stored passwords to another user.


Password Managers provide much more control over which users can access which critical passwords than an ad-hoc Microsoft Excel spreadsheet does.


While Password Managers provide an easy way for off-site or cut-off employees to access key passwords, they are also tempting targets for attackers because they literally contain the keys to your network. So choose Password Manager software carefully, and protect the master password and the vault file itself as carefully as the passwords inside it.

Be careful, too, with critical passwords written into DR/HA plan documents: those plans are usually circulated widely and rarely encrypted, so they should say where the password is held rather than contain it.

Pluses, minuses, and a lot of choices

There are many choices for storing and sharing important passwords, but they all have flaws that you'll need to compensate for. No password sharing plan is perfect, but these techniques can help you with the important job of protecting shared passwords.