Security myth: my admins would quit if I implement a password vault!

“No way… that would never work here!”

Even though I’ve heard that phrase all too often, I still decided to feign my confusion, cock my head to the side and ask the simple question, “why not?”

If you’ve been reading some of my last posts, you’ll know that I’ve been covering a collection of topics I call security myths.  My role as a security advisor often puts me in front of customers who are looking for the best solutions to their security challenges. Just like everyone else, many of these folks approach the conversation with a set of preconceived biases or unfounded concerns (myths) about the solutions set before them.  So, myth-busting seems to have become a part of the job.

Password vaulting?

So, what exactly am I talking about when I say password vaulting?  To put it simply, a password vault stores the credentials used to access an account or system.  While this process may sound simple, for an enterprise “saving credentials” can be incredibly complex and impactful.   It’s probably a good idea to look into the risks password vaulting technology addresses. Let’s consider the systems in your environment and how they may be susceptible to a breach:

• Databases: Databases store customer data, payment information, research data and competitive information that threat actors are after.
• Directories: Directories, like Active Directory, store user accounts and passwords. An attacker would love to create a backdoor account for themselves, or change the access levels of an account they have already breached in your directory.
• Application servers: Application servers are where your corporate heart beats. Applications run our reservation systems, calculate financial estimates, control our factory floors and more.  An attacker could wreak havoc if they had access to these systems.
• Web service endpoints, network hubs firewalls and more, are all other examples of critical systems at your company.

All the above types of systems can easily be accessed by administrators or by external applications that are designated to have access with a user ID and password.  Are these credentials secure?  Isn’t it simply a ‘cost’ of doing business that we need to ‘trust’ the few individuals that know these credentials or have saved them in an encrypted spreadsheet?  The fact is, if you have people in your company who know the credentials to your most sensitive systems, it is a massive security risk.  A modern secure password vault closes this security gap better than any other approach on the market.

What does a password vault do exactly?

Through either a manual or automated approach, you and your security consultants collect, classify and capture the credentials to your secure systems in a fault tolerant, hardened, and highly available password vault appliance.  Once your systems have been captured, believe it or not, the vault appliance can actually reach out to those systems and change the passwords while storing the new values in a policy driven local database.  When this process is completed, nobody in the world knows the new credentials.  I know, it sounds terrifying, but bear with me.

Think about it, this significantly reduces any chance for human corruption to hinder security. So, what do your admins do now?  Easy, they simply login to the appliance with their normal credentials, pass the multi-factor authentication (MFA) challenge, and request access to the system they need to administer.

Myth: My user’s will revolt if I implement a secure password vault

With the password vault background in mind, let’s get back to the myth. I totally understand why do not want to integrate this application, and of all the myths I debunk, this one is probably the one that has the most ‘evidence’ to back it up. 

Two major concerns about password vaults I hear from customers are:

• It will kill my efficiencies. The concern This is that putting an additional step in-between the admin and the system they need to access is going add an incremental cost in wasted time, increase user frustration and break the first law of a good security team, “don’t interfere with the business.”
• Since the beginning, there have always been a few select trusted individuals that have held the keys to the kingdom. Implementing a password vault is like telling them you don’t trust them anymore.

OK, so let’s roll up our sleeves and take a closer look at these concerns; we might need to do a little myth-busting.

On the issue of trust

A company can’t afford to trust their admins.  I know that sounds harsh, but the fact remains that your company can’t afford the risk of human error.  Times have changed, and the losses you’ll face in compliance penalties and brand damage could literally shut you down.  If hurt feelings are a concern, there is a way you can explain it that can lessen the blow.  A secure password vault protects administrators, too!

Access to systems via a password vault are highly audited, and the best appliances even have the ability to record an entire admin’s session via a DVR, much like you record TV shows at home.  With such auditing and recordings, finding a resolution to an issue becomes much more simplified. 

On the issue of efficiency

What if I told you that accessing a system secured with a password vault can become something almost as simple as double-clicking an icon on your shortcut bar?  Well, it’s true.  The goal here is truly nothing more than making sure access is audited, challenged with MFA when necessary, and that access policies are being adhered to.  A modern, user-focused password vault is like a microwave, after you use it you’ll wonder how you ever lived without it.

Password vaults are loaded with various elements that are designed to increase efficiency.  If anything, when designed correctly, the impact might only be measured in tiny increments, not hours, overwhelmingly worth the investment.

So, while I do indeed understand your concerns, the main thing to remember is that the cost of doing nothing could easily cost you your job or even the company.  Don’t let these myths keep you from implementing the best security practices.