How Credential Management is just like Raising a Teenager

December 10, 2014//Ellen Neveux

Last Updated: May 30, 2018

By Michelle Allen

Raising the strong-willed credential
Sure you’ve got a top notch IT staff, the best policies, and all the best intentions – but do you really know what’s happening to your credentials after you carefully relay them to the individual you are authorizing for access? Chances are your credentials are taking on a life of their own.

The average IT organization today is tasked with managing a multitude of varying credentials. Credential management includes, internal credentials, vendor credentials, privileged access credentials. There are often multiple credentials per individual and application. Credentials and their security requirements become a complex and fast moving piece of the IT security puzzle that is often sacrificed in the name of speed and ease-of-use.

Caring for your newborn credential
Most IT professionals – even non-security focused ones – could tell you some basic guidelines for secure credential management.

  • Don’t issue shared credentials
  • Store and pass credentials in an encrypted state at all times
  • Enforce complexity and expiration requirements on all issued credentials
  • Don’t expose credentials to individuals they aren’t issued to

So why are compromised credentials still at the root of most security breaches?
Because credential management in an organization has to move beyond policies and into procedures that are efficient and end-user friendly or they will continue to be manipulated and bypassed.

When your credential is all grown up
Not all credentials are created equal. When you need to grant privileged access, a new level of credential management is required. Raising a well balanced and safe credential is certainly full of difficult questions. Do you issue individual credentials to users with privileged access? Do you know how they are storing them? Do you force them to reset? Do you use two-factor authentication? How do you enforce all the right policies and procedures without increasing calls to the help desk for users who can’t keep up with all of those credential management rules?

When your credential leaves home
In the standard VPN and Active Directory environment, vendors pose the biggest challenge to the basic credential management guidelines. Unlike employees, vendor support reps don’t go through a vetted hiring process in your organization which means they often evade policies and procedures designed towards your internal users. Vendors could have 10s, 100s or 1,000s of individual reps moving in and out of an organization’s network. Tying individual accounts and credentials to those representatives leads to hundreds of hours spent managing AD and VPN accounts and still leaves gaps. Over time many organizations with the best of intentions find themselves creating shared accounts, failing to disable individual accounts of vendor reps and abandoning complexity and expiration requirements to enable timely support.

The scariest part though is that once you pass that credential ever so carefully and securely to your trusted vendor- you are no longer managing it. You are trusting your vendor to follow best practices, store that credential securely, disseminate it safely to support representatives and never expose it to anyone that shouldn’t have it.

The SecureLink five-step guide to parenting your credentials
While it is tempting to clasp your hands together and hope the credential management policies you have made will result in strong, safe credentials, the truth is they are running wild behind your back. Sneaking out of the house, sharing with people you don’t approve of, and being used by people you didn’t even know existed. How do you stop all this and still keep an efficient organization?

Step 1: Lock your credentials in a vault and never share them with anyone – That’s right – ANYONE.
Vendors and privileged users alike should be given single sign on access methods that prevent them from ever knowing the credentials they are using for access. With your passwords safely and secretly in a vault they will never be placed on an excel sheet, written on a sticky note or stored in someone’s passwords.txt file.

Step 2: Enforce best practices for strong passwords and password expiration in your vault.
When you aren’t disseminating your credentials to users you can make them as complicated as you want and change them just as often without disrupting the workflow of your users. Set expirations on accounts using your credentials to expire after a period of inactivity to help prevent misuse of the credential.

Step 3: Authenticate individual users of your credentials every time.
Now that your complex credential is tucked safely away in your vault, make sure it is only used by authorized users. Use a two-factor authentication that verifies the individual and before you let them use the credential, confirm that the individual still works for the vendor. For privileged access and high security applications, consider using IP source network control to manage where they are using your credentials from.

Step 4: Audit the use of your credentials.
Every time a credential is used you should know who used it, why, what time, and what was done under the power of that credential. Make sure the power that comes with the credentials is being used appropriately and that no one is misusing your credentials to damage your network.

Step 5: Rest Easy knowing you have done your best and are managing your own credentials.

Join the discussion on Twitter.

Request a demo to learn more about credential management. 

Subscribe to the SecureLink Blog.
close close