Requirements for centralized password management

Well Secured?

Guidelines for Permissions

The default permissions for new password entries also should be preconfigured. For example, you might want to grant all members of the operating team full access and grant the security team read permission for all new password entries in the "Mail Server" section. It should be possible to import the necessary group permissions, including read identifiers from Active Directory, so you can manage group memberships in one place. Automated sealing prevents race conditions when creating new password entries and keeps this important step from being forgotten.

Permissions should be of a temporary nature for situations in which someone assumes the responsibilities of another; otherwise, the risk is that someone assigned temporary privileges actually keeps them forever.

As with any other software, two further selection criteria must be considered: The password management tool must be easy to operate, so you need to find a compromise between efficiency for power users who are constantly working with the tool and intuitive controls for casual users who might only need to deposit their changed passwords once a quarter. Additionally, the total cost of ownership for the password management solution – including hardware, software, administration, ongoing operation, and commercial support – must be appropriate to your organizational framework and objectives.
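The permission guidelines above (preconfigured defaults per section, sealing at creation, and stand-in access that expires) can be modeled in a few lines. This is an added sketch, not code from any particular password management product; the group names, the `sealed` flag, and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed defaults mirroring the article's "Mail Server" example; group
# names are hypothetical and would normally come from the directory import.
SECTION_DEFAULTS = {"Mail Server": {"operations-team": "full", "security-team": "read"}}
RANK = {"none": 0, "read": 1, "full": 2}

@dataclass
class Grant:
    principal: str                      # user or group name
    level: str                          # "read" or "full"
    expires: Optional[datetime] = None  # None means a permanent grant

    def active(self, now):
        return self.expires is None or now < self.expires

@dataclass
class Entry:
    name: str
    section: str
    sealed: bool = False
    grants: list = field(default_factory=list)

def create_entry(name, section):
    """Apply the section's default grants and seal the entry in one step."""
    defaults = SECTION_DEFAULTS.get(section, {})
    return Entry(name, section, sealed=True,
                 grants=[Grant(p, lvl) for p, lvl in defaults.items()])

def grant_temporary(entry, principal, level, now, days):
    """Stand-in access always carries an expiry, so it cannot linger."""
    if level not in ("read", "full") or days <= 0:
        raise ValueError("temporary grant needs a valid level and lifetime")
    entry.grants.append(Grant(principal, level, now + timedelta(days=days)))

def effective_level(entry, user, groups, now):
    """Highest level among unexpired grants for the user or their groups."""
    who = {user, *groups}
    levels = [g.level for g in entry.grants if g.principal in who and g.active(now)]
    return max(levels, key=RANK.__getitem__, default="none")

if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed date
    entry = create_entry("postmaster", "Mail Server")
    grant_temporary(entry, "carol", "full", now, days=14)
    print(effective_level(entry, "carol", [], now + timedelta(days=15)))
```

Because expiry is checked at evaluation time, a forgotten delegation stops working on its own instead of depending on someone to revoke it.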

Conclusions

Organization-wide, centralized password management has many advantages, but it often meets with skepticism from administrators who are asked to deposit their credentials. The number of passwords that need to be accessible to several people can be minimized, but completely avoiding password sharing is difficult.

The transition from purely personal password management or offline methods, such as sealed envelopes in a vault, to an organization-wide password management tool must be well planned.

The biggest advantage of server-based solutions is reliable alerting for the person responsible if passwords are accessed in exceptional circumstances. However, you should not underestimate the overhead involved, for example, in configuring the folder structure, permissions, and default email alerts.
