Protecting Organizations' Most Critical Data with Privileged Password Management
In data centers worldwide, it is common practice to hard-code passwords and user IDs in applications and scripts. Auditors and IT groups knowingly allow application-to-application passwords and user IDs to remain shared among administrators, developers and contractors.
This practice is starting to change. Leading IT organizations are now recognizing and resolving the risks of unmanaged and exposed passwords lurking in their data centers. The increasing frequency and growing impact of insider attacks, as well as more demanding regulatory compliance requirements, mean organizations can no longer ignore this known risk. They must address the threat hiding in plain sight.
Hard-coded passwords also cost time and money. A simple password change requires an update and redeployment of applications, which may cause synchronization problems and server outages. Multiply these issues across hundreds or thousands of servers and applications, and one might have tens or even hundreds of thousands of unmanaged passwords that create huge costs and risks.
This article reviews the security risks associated with hard-coded passwords and helps organizations to:
- Gain insight into the security vulnerability that lies on every server
- Learn why IT organizations struggle with access controls in the data center
- Master the security challenges beyond access controls
- Learn how to secure the data center through application password management
- Discover solutions for secure centralized password management for application servers
The Security Vulnerability on Every Server
Organizations have invested a great deal of time, money, and effort in deploying network perimeter defenses and User Identity Management policies and solutions. The goal has been to ensure the security of corporate resources. However, these essential expenditures do not address threats from internal sources. Over half of the published cases on computer fraud registered with the U.S. Department of Justice have been perpetrated by disgruntled or former employees.
The pressing need to address User Identity Management has deflected attention from another use of user IDs and passwords, which is the practice of hard-coding them into applications so that an application-to-application or application-to-database connection can be established.
Unlike a human, an application lacks the ability to enter a password through a keyboard or authenticate using a second factor token. Applications must therefore authenticate using a stored password. Typically, these passwords are hard-coded into the application or script, or are stored in a configuration file.
Research shows that fully 90 percent of application authentication in a data center remains password-based. Considering that these hard-coded passwords are "in the clear" (or known by many) and are rarely changed, organizations should be mindful of the risks associated with this practice.
When assessing the effort required to reduce the risks associated with hard-coded passwords, the following questions must be addressed:
- How many server scripts and applications hosted in your enterprise data centers use hard-coded user IDs and passwords to access other server applications?
- Does your organization require that the same security practices be applied to the passwords hard-coded within applications as must be applied to users' passwords?
- When was the last time that all of your application-to-application passwords were changed?
- How many developers know the passwords to your database and application servers?
- Are all passwords changed when a developer leaves the organization, or after a contractor leaves at the conclusion of a project?
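Answering the first question starts with an inventory. The following scanner is an added example (not part of the original article or of any vendor's product) that searches scripts and configuration files for hard-coded credentials while skipping values that only reference a secret held elsewhere; the sample files and every credential value in them are constructed for the example.

```python
import re

# Constructed sample scripts and config files standing in for what an auditor
# finds on data-center servers; every credential value here is invented.
SAMPLES = {
    "backup.sh": 'mysql -u batch -p"Winter2009!" inventory < nightly.sql\n',
    "app.properties": "db.url=jdbc:oracle:thin:@dbhost:1521/prod\ndb.password=s3cretOracle\n",
    "deploy.py": 'conn = connect(user="svc_app", password=os.environ["DB_PASSWORD"])\n',
    "settings.ini": "[ldap]\nbind_password = ${LDAP_BIND_PASSWORD}\n",
}

PATTERNS = [
    # key=value / key: value assignments (db.password=..., bind_password = ...)
    re.compile(r"""(?i)\w*(?:pass(?:word|wd)?|pwd|secret|api[_-]?key)\s*[=:]\s*["']?(?P<value>[^"'\s;]+)"""),
    # mysql-style command-line password flags: -pSECRET or --password=SECRET
    # (tuned for that convention; other tools' -p flags need their own rule)
    re.compile(r"""(?i)(?:-p|--password=)["']?(?P<value>[^"'\s]+)"""),
]

# A value that only points at a secret held elsewhere (environment variable,
# templated placeholder) is not a hard-coded credential.
INDIRECT = re.compile(r"^(?:\$\{?\w+\}?|os\.environ|%\w+%|<[^>]+>)")


def mask(value):
    """Never copy the discovered secret into a report; keep a recognisable stub."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_text(name, text):
    """Return (file, line number, masked value) for each hard-coded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()  # a line may match both patterns on the same value
        for pattern in PATTERNS:
            for match in pattern.finditer(line):
                value = match.group("value")
                if INDIRECT.match(value) or value in seen:
                    continue
                seen.add(value)
                findings.append((name, lineno, mask(value)))
    return findings


def scan_all(files=SAMPLES):
    """Scan every file; in practice `files` would be read from the servers' disks."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


if __name__ == "__main__":
    for name, lineno, stub in scan_all():
        print(f"{name}:{lineno}: hard-coded credential {stub}")
```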
The Threat Hiding in Plain Sight: Hard-coded Application Passwords
The most common reason that application-to-application passwords are not changed regularly is, quite simply, cost. The human cost to maintain and redeploy the hundreds or thousands of applications that contain hard-coded passwords grows unsustainably as the number of passwords and applications grows. Furthermore, the cost of server or application outages caused by unsynchronized or incorrectly changed passwords can exceed the cost of changing the passwords in the first place.
Eliminating hard-coded application passwords may seem like a simple problem to solve, but it raises many new security challenges when you consider the potential insider threats that could compromise an organization's systems.
A Short Primer on Account Types
There are three account types typically found on a network. The characteristics of user IDs and passwords in each are as follows:
- Isolated privilege: end-user accounts (attended)
  - Individual usage
  - Monthly changes
  - Admin revocation
- Elevated privilege: administrator accounts (attended)
  - Shared usage
  - Infrequent changes
  - Admin revocation
  - Kept in a spreadsheet
- Elevated privilege: application-to-application accounts (unattended)
  - Shared usage
  - Rare (or no) changes
  - No reset/renew
  - No revocation
Malicious insiders target elevated privilege accounts, which include unattended application-to-application accounts, because these accounts give greater access to systems and data.
Legislation Pressure on CIOs and Auditors
Industry and government legislation, such as Payment Card Industry, FISMA, Sarbanes-Oxley, Senate Bill 1386 and others, require changes in how organizations run. Auditors are interpreting the applicable legislation to establish the policies and practices to which their organizations must adhere. Cost has not been an accepted reason for failing to comply with a particular piece of legislation. CIOs know that organizations' application-to-application passwords are not being secured or changed, are known to developers and contractors, and are visible in plain text inside of scripts, applications and configuration files across all of the servers within the company's data center. CIOs are responsible for the Internal Controls for Financial Reporting as they relate to the Sarbanes-Oxley Act of 2002 and are required to sign off on Section 404. Knowing all of this, the real issue becomes how to initiate this sign-off.
The auditor interprets all applicable legislation and compares the intent of those documents with the organization's policies and procedures. Most organizations are tired of having the legislative hammer poised over their heads; however, the daunting prospect of having to publicly disclose any lapses in security, being tried in a court of law or risking revenue and customer losses have driven security practices to the top of the IT spending list.
While most forms of legislation provide general guidance, few, if any, explicitly state the mechanisms to achieve compliance or conformance. It is hard for an auditor to review and interpret the specific details of each of the legislative documents that may affect your business. Establishing the best practices that cost-effectively allow organizations to gain compliance is even harder. It is important for the audit community to raise awareness of this threat hiding in plain sight. Hard-coded application passwords are a legacy problem, yet developers continue to hard-code application passwords into new applications.
A big reason for this is that cost-effective, efficient, secure, commercially-supported solutions to the application-to-application password management challenge did not exist until recently.
Struggling with Access Controls in the Data Center
Today, most applications rely on the organization's "trusted network" to control who or what has access to maintain or execute the applications resident on their servers. The trusted network is the internal network of the organization that employees and contractors authenticate to in order to complete the tasks associated with their roles. Yet few organizations have protected their internal networks beyond using operating system file access controls.
Consider that an internal threat comes from a person who has, or has had, access to an organization's internal network. Such a person has also had the time to plan an attack, understands the value of the objective, knows the systemic defenses and reporting mechanisms, and enjoys a presumption of innocence as an "insider".
It has been shown that internal attacks, while fewer in number, are far more financially damaging than external attacks. Of the listed Department of Justice computer fraud cases that were perpetrated by insiders, most included the exploitation of weak, unchanging passwords on servers to which the insiders had some level of access, because they were members of the trusted network.
Even Public Key Infrastructure (PKI) systems are challenged by unattended applications. PKI systems must protect the private keys used to authenticate, authorize and digitally sign. But how does an unattended application protect its private keys stored on disk? With a password! And this password is typically embedded into the application or script, or is stored in a configuration file, completely defeating the purpose of using a PKI for strong authentication. In this case, security becomes a "chicken and egg" issue: How are private keys protected while in use in memory by an unattended application? The answer is they aren't. While PKI is an elegant solution for strong authentication, digital signatures and non-repudiation, it suffers many challenges in an unattended environment that is subject to internal attack.
To effectively solve the password management challenge, first eliminate the passwords from the scripts and applications that use them. To do this, establish a central location from which scripts and applications are able to retrieve passwords when needed. An important benefit of using a central password repository is it provides a single point of control over the release policies for passwords. This was not possible before. Clearly, strong security techniques are needed to protect the passwords stored in the central repository. Data encryption is not enough. An attacker will attempt to monitor server memory or breach the software libraries that contain or utilize the keying material, to decrypt the data in the repository. Techniques to hide keys and algorithms are essential to a secure password management solution.
It's also vital to secure the end points of connections to the central repository. As these end points are expected to operate unattended, it is not enough to rely on physical security alone. The end points must be capable of protecting their identities, protecting the keying materials used during cryptographic operations, and detecting attempts to tamper with scripts and applications that execute upon them.
Security Challenges beyond Access Controls
For a system to have both the confidence needed to release a critical credential, such as a password, to an unattended application and the resistance to both external and internal threats, it must be capable of application self-authentication and systemic self-protection. Just like the human biometric that uniquely identifies a person, there are many runtime environmental details that can be collected during application execution.
Combining these application "biometrics" with cryptographic techniques delivers a means to authenticate and authorize the release of critical credentials to uniquely identifiable and registered applications. This "biometric" comparison of an application against the authenticated application's profile can also be used to ensure that the calling application has not been altered. This validation ensures that credentials are not disclosed inappropriately.
Security Requirements for Password Management
By combining security techniques with best security practices, it is possible to outline the specific security requirements of a centralized password management system for unattended servers and applications. They are:
- Central server authentication
- Client/agent authentication
- Protected central repository
- Session and message-level encryption
- Libraries and applications
- Server scope control
- Secure local caching
- Protected keying materials
In order to achieve these security requirements, the following security techniques, which are the building blocks of an effective password management system, should be applied:
- Integrity Verification. Through integrity verification, the centralized password manager determines that the calling application, as well as the password management system, remain as originally developed and deployed. Verification techniques check components statically on-disk and dynamically in-memory. Calling applications must prove their integrity before the centralized password manager releases a credential.
- Fingerprinting. A server's fingerprint is a unique "biometric" element produced from a combination of hardware characteristics like CPU serial numbers, network IDs and other items. By dynamically calculating the fingerprint of the computer executing a script or application, a centralized password management system can validate the physical machine identity of the credential requestor. By registering all requestors to the system, the fingerprint becomes a critical factor in controlling the scope of authenticating servers.
- Validated Cryptography. Passwords and encryption keys must be protected from unauthorized disclosure, and validated cryptographic modules ensure that this is done securely. Any weaknesses in the means used to protect these critical credentials potentially expose the entire enterprise to attack right where it is most vulnerable. By employing validated encryption mechanisms, these critical components of an agency's information security architecture are provided with assured protection from any possible unauthorized disclosure.
- Transformations. Code transformations are mathematical alterations that are applied to data flow and control flow within a program to hide the original information and algorithms. The technique prevents reverse-engineering and creates interdependencies and complexity that prevent tampering. Impact on performance and code expansion is acceptable.
- Renewability. This security technique contributes to the overall effectiveness and security of the password management solution by limiting the lifetime of critical elements of the system. Limiting the lifetime of these elements shortens the amount of time that an attacker has to successfully breach the component before it is replaced.
Automated renewability is applied to:
- Passwords. Renewing passwords frequently is a significant step toward enhanced data protection. For years, organizations have pressured users to renew their passwords while rarely changing hard-coded passwords in scripts and applications. Improving security requires a centralized password manager that automates the renewal and retrieval of long, strong and random passwords for data center applications.
- Repository Encryption Keys. In addition to renewing passwords, it is important to renew key materials used to protect those passwords while they are statically stored in a repository. A centralized password manager must allow customer-controlled regular and ad-hoc repository key renewals.
- Session Authentication Keys. To gain access to the repository, it is important to control and renew the authentication keys used by the connecting client agents. A centralized password manager must allow customer-controlled regular and ad-hoc renewals of Secure Sockets Layer (SSL) client private keys.
- Message Encryption Keys. Building on repository key renewals, it also is important to renew individual keys used to transmit information securely between the centralized password manager and its connecting agents.
- Agent Software Renewal. Each of the thousands of application servers in a data center will run a copy of the software, which validates the integrity of the requesting application. Updating each of these servers to distribute maintenance patches, updates and upgrades is an essential maintenance function of any production environment. Any system to manage application-to-application passwords must include a software renewal mechanism that allows customer-controlled, automated or manual patching of the agent software.
- Agent Secure Cache Renewal. Maintaining a secure local cache of retrieved passwords greatly improves performance and contributes to a high-availability design. However, as passwords are changed, the cached information must be renewed automatically.
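To make the building blocks above concrete, here is an added Python example (not the article's or Cloakware's own code) of the release policy a central repository applies before handing a password to an unattended application: a static integrity digest of the calling script, a host fingerprint that limits server scope, an account allow-list per application, and forced renewal of passwords older than a configured age. The digests, fingerprints and the hardware characteristics fed into them are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed release policy: three checks gate every credential release, and a
# stale password is renewed before it leaves the repository.

def integrity_digest(source):
    """Static integrity profile: SHA-256 of the calling script as deployed."""
    return hashlib.sha256(source).hexdigest()

def host_fingerprint(cpu_serial, mac_address, hostname):
    """Machine identity derived from hardware characteristics (constructed inputs)."""
    material = "|".join([cpu_serial, mac_address.lower(), hostname.lower()])
    return hashlib.sha256(material.encode()).hexdigest()

class Repository:
    def __init__(self, max_password_age):
        self.max_password_age = max_password_age  # seconds before a release forces renewal
        self._registry = {}   # app name -> (digest, fingerprint, allowed accounts)
        self._passwords = {}  # account -> (password, issued_at)

    def register(self, app, source, fingerprint, accounts):
        self._registry[app] = (integrity_digest(source), fingerprint, frozenset(accounts))

    def rotate(self, account, now):
        """Renewability: replace the stored password with a long random one."""
        password = secrets.token_urlsafe(24)
        self._passwords[account] = (password, now)
        return password

    def release(self, app, source, fingerprint, account, now):
        """Release only to a registered, unmodified app on its registered host."""
        entry = self._registry.get(app)
        if entry is None:
            raise PermissionError("unregistered application")
        digest, host, accounts = entry
        if not hmac.compare_digest(digest, integrity_digest(source)):
            raise PermissionError("integrity check failed: script differs from profile")
        if not hmac.compare_digest(host, fingerprint):
            raise PermissionError("host fingerprint outside application scope")
        if account not in accounts:
            raise PermissionError("account not authorised for this application")
        password, issued_at = self._passwords[account]
        if now - issued_at > self.max_password_age:
            password = self.rotate(account, now)  # stale secret renewed on release
        return password

def decide(repo, *args):
    """Decision tuple for callers that log denials rather than catch exceptions."""
    try:
        return "granted", repo.release(*args)
    except PermissionError as exc:
        return "denied", str(exc)
```

An agent-side cache (the last building block) would store the returned password together with the `now` value and re-request once the repository's maximum age has elapsed, so a rotation on the server invalidates the cache on the next use.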
The combination of the above security techniques delivers a comprehensive approach to the secure management and release of the elevated privilege account passwords that protect access to an organization's most critical data. Managing these passwords proactively gives a reasonable assurance that unauthorized acquisition, use or disposition of sensitive data in the data center can be promptly detected and prevented.
Trevor Brown is Product Manager for Irdeto's Cloakware Password Authority solution. He has over 10 years' experience in the telecommunications and security software industries and holds an MBA from Boston University School of Management.