[unisog] Password vaulting
stasinia at msoe.edu
Tue Feb 19 19:02:40 GMT 2008
One place I know also used a fairly simple solution. All
root/administrator/etc password where stored in a text file encrypted with
PGP/GPG. All the people who would need access to the file (mainly the
people who took part in the on-call rotation) had their PGP key added to the
file. When someone left the organization, all the password were changed and
the file was re-encrypted. And of course should no one quit for X months
(don't recall the exact time) the passwords would be rotated.
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Trevor Odonnal
Sent: Tuesday, February 19, 2008 10:04 AM
To: UNIversity Security Operations Group
Subject: [unisog] Password vaulting
Hi all. I have been asked by management to do some asking around to see if
anybody out there is currently using any sort of "password vault" solution
to manage administrative privileges to secure systems.
For those who may not be familiar with this term, a password vault is a
system that vaults administrator or root passwords in either a physical
vault, or electronic secure storage. When an individual needs root or admin
access to a secure system, he or she must have a valid work order or change
control number to request the access. The password is removed from the
vault and provided to the individual for a specific amount of time. At the
end of this time period, the password is changed and re-vaulted.
The obvious question is "Why not just assign admin or root authority to the
user's account?" That is the usual procedure. However, there are times
when engineers need full root access to a system to perform their duties, or
emergencies arrive when the privileges are needed right away.
So, is anybody using a system like this? If so, what are you doing and how
well is it working? What kinds of political issues have you had to deal
with? Thanks in advance!
Trevor O'Donnal CISSP, CCFS, GREM
Network Security Analyst
Brigham Young University
trevoro at byu.edu
unisog mailing list
unisog at lists.dshield.org
More information about the unisog