What's the Admin Password?

I’ve been there and asked that question. When I was a state IT manager, knowing that service account password was just part of keeping things running on a day to day basis. My team knew it and members of our security and server teams knew it.

In retrospect, we were lucky that password was never used to hack our systems. It was a complex password, and was changed periodically, but not on a regular schedule. Everyone who knew it also had their own admin accounts – but there were times when the quickest way to fix a problem and keep things running was to use the default service/admin account.

This was about six years ago. Cyber attacks happened then, of course, but with nowhere near the frequency and intensity that they do today. Today is a different story entirely.

We all know how powerful privileged accounts are. When we describe them as being “the keys to the kingdom,” that’s more than a metaphor, it’s a fact supported by numerous cyber attacks in which  privileged account information was obtained through brute force, social engineering, or other subterfuge. Protecting privileged accounts and responsibly tracking and managing their usage keeps the keys to the kingdom in the kingdom, not with the (metaphorical!) barbarian hordes who want to ransack it.

At One Identity, we’re very interested in how far state and local governments have come in Identity and Access Management, and especially in how our solutions can help them improve privileged account management. So we’ve commissioned a Government Business Council survey of more than 300 state and local government IT leaders to find out how well they’re doing with IAM, how well they believe they’re doing, and where there are opportunities for improvement.

At first glance, the results look strong. Two-thirds of the respondents believe their organization is doing a good job managing user access, and the numbers are even higher when it comes to citizen and third-party/contractor access. But when we drill down past beliefs, into actual practices, we find a few areas that don’t look quite as rosy. With the importance of the data held by state and local governments, especially citizens’ Personally Identifiable Information, safeguards above and beyond a single username/password combination would seem appropriate. In the commercial world, the current release of PCI DSS, v 3.2, requires (not presently, but there’s a time limit given to implement) the use of multifactor authentication for any user accessing cardholder data. Yet only 10% of the survey respondents indicated that they’re using hardware or software tokens for user access. Even fewer are using other mechanisms such as SMS or biometrics.

When it comes to privileged accounts, we also find areas of concern regarding best practices. 25% of the respondents say their organization “never” changes administrator passwords. Only about 30% are actively auditing sessions in which privileged passwords are used. And only 30% have implemented password vaulting mechanisms for privileged accounts, automating storage, issuance, and changing of administrative credentials. About two-thirds rely primarily on least-privilege delegation principles for admin accounts, and while that provides some degree of protection, One Identity believes that a combination of all three activities provides a much stronger level of privileged account security.

State and local governments have a lot of valuable information to protect, provide essential services to their communities and citizens, and do all this under often challenging resource constraints. We hope that the GBC survey provides guidance as to how best to improve their IAM infrastructures.

Read more about the survey in Minding the Gaps: Diagnosing Privileged Access Risks in State & Local Government.

Anonymous