Shared Account Password Management in the Federal Government: Then and Now

One of my first consultant jobs involved installing agents on Unix servers, a procedure which required root access. I still remember the first time I was onsite at a military base to help a customer install the software, because it was also my first experience with a physical vault that stored computer passwords. When it came time to enter the root credentials, my client made a phone call, and then another person came in from down the hall, opened a wall safe using a memorized combination and pulled out a folder. This person verified my client’s badge and credentials, and also ensured that my client’s name was on the correct “allowed list” inside the folder. A log entry was made to track and detail the reason for the folder’s removal, and then the current root password was read aloud as my client typed it in. After all of that, we proceeded with our software installation. I was shocked for a few moments, until I realized how much sense it made for organizations to literally lock up their root passwords this way.

Nowadays, this “locking up of passwords” can all be done electronically within a system that’s often referred to as Shared Account Password Management (SAPM). Security 101 states that whenever possible, enterprises should avoid using shared accounts like root and Administrator, choosing instead to force everyone to log in as themselves and raise their privileges only when needed. However, the reality is that in some instances you have no choice but to use a shared account, and for these situations the account should be managed by a SAPM system like Centrify Privilege Service (CPS). Additionally, many organizations integrate their SAPM with a hardware security module (HSM), which by Wikipedia’s definition is “a physical computing device that safeguards and manages digital keys for strong authentication and provides crypto processing.”

Just as it was done 20 years ago with physical password vaults, verification of the requestor’s credentials needs to take place before any passwords are checked out, and accordingly CPS includes multi-factor authentication (MFA) policies to ensure non-repudiation of the requestor’s identity through many available methods. I don’t know how my client’s name came to be on the “allowed list” all those years ago, but I’m sure it involved a set of standard procedures consisting of requests and approvals. In modern times we have electronic workflows to handle these types of procedures, and CPS includes Workflow policies to strictly govern and audit all requests and approvals. Alas, CPS does not come with a human being who travels to where you are and personally reads the long and complicated password out loud as you type it in; however, it does come with a highly secured mobile app that allows you to perform your password checkouts away from your desk.

In the old days, if an IT staff member needed temporary root or Administrator access but was not allowed to actually know those account passwords, someone else would physically type in the password for them while the staff member looked away. This same requirement exists today, and therefore CPS can log into a server using a shared account without the user ever knowing the password. And just as in the old days, when the person who typed in the password would physically stick around and monitor the session, CPS allows administrators to watch these elevated sessions in real time, with the option of terminating suspicious sessions.
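The vault procedure from the first paragraph and the brokered, monitored session described here boil down to a small set of controls: an allowed list, MFA, a logged reason, release of the secret only to the broker, and an administrator kill switch. The following Python model is an added illustration written for this post, not Centrify’s code; the account name, requestor, MFA seed and password are constructed sample values, and the HOTP-style code check stands in for whatever MFA method a real SAPM would use.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed sample data (not from any real system): one shared account, one
# requestor on its allowed list, and that requestor's MFA seed.
ALLOWED_LIST = {"root@db01": {"alice"}}
MFA_SEEDS = {"alice": b"constructed-seed"}


def hotp(seed: bytes, counter: int) -> str:
    """Minimal HMAC-based one-time code (HOTP-style, truncated to 6 digits)."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"


@dataclass
class Vault:
    """Electronic stand-in for the wall safe: the secret is released only after
    the allowed list, MFA and a logged reason are all satisfied."""
    secrets: dict                       # account -> current password
    audit_log: list = field(default_factory=list)
    sessions: dict = field(default_factory=dict)

    def _checkout(self, account, requestor, code, counter, reason):
        if requestor not in ALLOWED_LIST.get(account, set()):
            outcome = "DENIED: requestor not on allowed list"
        elif not hmac.compare_digest(hotp(MFA_SEEDS.get(requestor, b""), counter), code):
            outcome = "DENIED: MFA failed"
        elif not reason.strip():
            outcome = "DENIED: no reason given"
        else:
            outcome = "CHECKOUT"
        self.audit_log.append((account, requestor, reason, outcome))  # every attempt is logged
        return self.secrets[account] if outcome == "CHECKOUT" else None

    def brokered_session(self, account, requestor, code, counter, reason):
        """Log in on the requestor's behalf; the password is used here and never
        returned to the caller, mirroring 'the staff member looked away'."""
        password = self._checkout(account, requestor, code, counter, reason)
        if password is None:
            return None
        session_id = os.urandom(6).hex()
        # A real broker would open SSH/RDP with `password` here; this model only records the session.
        self.sessions[session_id] = {"account": account, "requestor": requestor, "active": True}
        return session_id

    def terminate(self, session_id):
        """An administrator watching the session kills it; the kill is logged too."""
        self.sessions[session_id]["active"] = False
        self.audit_log.append((self.sessions[session_id]["account"], "admin", "terminated", session_id))
```

The caller only ever receives a session identifier; the password stays inside the `Vault`, and the audit log records denied attempts as well as successful checkouts.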

I’m sure there are still federal agencies doing many computer activities the old-fashioned way, like using physical vaults for shared passwords, but more and more they are moving toward modern systems that provide the same functionality with better speed, scalability and efficiency, all the while still maintaining the strict security protocols required within government networks. Additionally, these agencies are looking for options on how and where these modern systems get deployed.

Accordingly, CPS is available as Software as a Service (SaaS) from within the Centrify cloud, or it can be deployed as a standalone solution within an internal network, a private cloud or even a public cloud instance. Most federal agencies choose to deploy the standalone solution within a private network or private cloud, and configure it to use a SafeNet HSM appliance from Gemalto for secure and encrypted storage of their shared account passwords, so that no passwords are stored inside CPS itself. This combination provides them with the best functionality, security and reliability to meet their SAPM needs while maintaining federal compliance.

Learn more about Centrify Privilege Service here.