How to manage passwords

Haphazard password management lies at the root of cyber-attacks

By V. Balasubramanian, Marketing Manager (IT Security Solutions), ManageEngine. Published May 15, 2014

Managed IT Service Providers (MSPs) deliver a variety of IT and network management services to their clients. Small and medium organisations, in particular, are increasingly relying on MSPs to manage part or all of their IT services for various reasons, such as cost savings, leveraging outside expertise, the need to meet business demands quickly, and other critical aspects. Usually, tasks such as software development, network management, IT infrastructure management, customer support, and data centre management are outsourced to MSPs.

MSPs, in particular those that manage the IT and network infrastructure of their clients, typically get access to the enterprise applications, servers, databases, firewalls and other network devices, and a lot of other equipment belonging to their clients. In some cases, clients entrust the responsibility of managing their entire network or data centre to the MSPs and in other cases, they get remote or shared access.

Clients’ network resources and other IT infrastructures are accessed and controlled by administrative passwords. Since MSPs typically manage the resources belonging to multiple clients, the access pattern becomes quite complex and sensitive, and they are swamped by the ever-increasing number of privileged passwords.

And, in the absence of an appropriate management tool, password management could become quite cumbersome. Administrative passwords, which grant unlimited access privileges to IT assets, might be stored in plain text on volatile sources such as sticky notes, spreadsheets, printouts, and text documents. They might also be shared among technicians without relevant protection. Such practices leave the client organisations vulnerable to security attacks.

Haphazard password management lies at the root of cyber-attacks

Identity theft often lies at the root of modern-day cyber-attacks. Cyber-criminals use various techniques to target the login credentials of employees and administrator passwords to gain access to IT resources. Because MSPs manage the IT infrastructure for many clients, the risks involved are quite high. Passwords kept on spreadsheets, in particular, result in a host of security issues. Here are some high-risk scenarios:

Unrestricted or uncontrolled access: There is rarely any internal control on password access or usage. Technicians at the MSP have unrestricted access to all the passwords of all the clients managed by the MSP.

Unaudited access: Privileged passwords remain impersonal in the shared environment. Mistakes, accidental or deliberate, could never be traced to the offender. There is generally no way to track ‘who’ accessed ‘what’ and ‘when’. This allows people to remain unaccountable for their actions.

Temporary access becomes permanent: Passwords are given out orally or by email to any contractor at the MSP who needs a privileged password on a temporary basis. Such a practice can be a huge security hazard when there is no process to revoke temporary access and reset the password after usage.

MSP technician leaving the organisation: When a technician leaves the MSP organisation, it is quite possible that the person may carry a copy of all the passwords. The only solution to such a scenario will be to change all the privileged passwords of all the clients.

Passwords reaching malicious hands: If the text file or spreadsheet that contains the administrative passwords reaches a malicious individual, client networks could be in jeopardy.

Passwords remain unchanged for ages: Passwords of even the most sensitive resources like firewalls remain unchanged at the MSP to prevent lockout issues. Manually changing the passwords of thousands of resources might be time-consuming. And, worse, most resources are assigned the same, non-unique password for ease of coordination among administrators.

Such flawed password management practices make the MSP a paradise for hackers, internal and external. Many security incidents and data breaches actually stem from a lack of adequate password management policies and internal controls.
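An added example, not from the article or from any ManageEngine product: a small audit over a constructed credential inventory that flags three of the scenarios above (passwords unchanged for too long, one password shared across resources, temporary access never followed by a reset). The inventory layout, the 90-day limit, the fingerprint key and all client, resource and contractor names are assumptions.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import date, timedelta

MAX_AGE = timedelta(days=90)       # assumed rotation policy, not from the article
FP_KEY = b"constructed-demo-key"   # assumed: a secret held by the vault, not by technicians

def fingerprint(password: str) -> str:
    """Keyed hash so reuse can be detected without storing the plaintext."""
    return hmac.new(FP_KEY, password.encode(), hashlib.sha256).hexdigest()

# Constructed inventory: (client, resource, fingerprint, last_rotated, temporary grants).
# Each temporary grant is (holder, expiry date).
INVENTORY = [
    ("client-a", "fw-01", fingerprint("sample-1"), date(2013, 1, 10), []),
    ("client-a", "db-01", fingerprint("sample-2"), date(2014, 4, 20),
     [("contractor-x", date(2014, 5, 1))]),
    ("client-b", "fw-02", fingerprint("sample-1"), date(2014, 4, 1), []),
    ("client-b", "sw-03", fingerprint("sample-3"), date(2014, 5, 10),
     [("contractor-y", date(2014, 5, 5))]),
]

def audit(inventory, today):
    """Return sorted (resource, finding) pairs for three scenarios from the article."""
    findings = set()
    by_fp = defaultdict(list)
    for client, resource, fp, rotated, grants in inventory:
        by_fp[fp].append(resource)
        # "Passwords remain unchanged for ages"
        if today - rotated > MAX_AGE:
            findings.add((resource, "unchanged-too-long"))
        for holder, expires in grants:
            # "Temporary access becomes permanent": the grant has lapsed but the
            # password was never reset afterwards, so the holder still knows it.
            if expires < today and rotated <= expires:
                findings.add((resource, f"temp-access-not-revoked:{holder}"))
    # "Same, non-unique password" assigned to several resources
    for resources in by_fp.values():
        if len(resources) > 1:
            findings.update((r, "shared-password") for r in resources)
    return sorted(findings)

if __name__ == "__main__":
    for resource, finding in audit(INVENTORY, date(2014, 5, 15)):
        print(resource, finding)
```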

Earning and sustaining the trust of customers is essential for all businesses, more so for MSPs. Lack of proper password management could destroy the very foundation of trust.
