It's 2017 – Give up your Password Vaults!
Anirban Banerjee
I fully recognize that this article is going to ruffle some feathers. Traditional Password Vaults, one of the cornerstones of Privileged Access Management (PAM) solutions, have been around for ages. My hypothesis is that this model of security is outdated and slow, and a bad way of implementing controls. I'm sure many of you will disagree with me, as you have used password vaults successfully for many years, but I hope to explain my rationale well enough that you will be able to appreciate an alternate viewpoint.
Password Vaults Suck
Yes, I said it – Password Vaults Suck. Why do I believe this to be true? In talking to many enterprises it becomes clear that the amount of time spent by IT, DevOps and Security on navigating the password vault landscape is unusually high. Typically, in large enterprises there is no central password vault for all privileged accounts. This means that for an auditor it's nearly impossible to get an easy overview of what is going on in the company. The reason one often sees multiple password vaults is that the traditional vendors in the market are focused on selling hardware boxes.
The incentives are lopsided. The more boxes I can sell to you, the more money I make – however, this complicates and fragments the password management landscape inside your organization. The incentive of a PAM solution and vendor should be aligned with making the customer's life easy, and then making money. Not making money at the cost of user experience, visibility and manageability.
The usability of the vaults feels like using software from the late 1990's – remember Win ME? Maybe you are too young to bear those scars, but user interfaces with multiple Windows-style directory trees and multiple clicks to get to any operation are reminiscent of poor user interface design.
This type of poor UI is not just annoying; it eats up time when trying to give someone on your team access to a critical resource. Imagine being under pressure to get someone access to a production cluster because a patch update went sideways, and then having to click 8 times, open up 4 levels of directory trees, and figure out from the minute text (yes, text size matters, because some of us have vision that is far from a perfect 20/20) where the heck the credential you are supposed to share actually is.
Oh, and here comes the kicker. You've decided that someone on your team should get access to the privileged account and you authorized credential sharing. How exactly is the credential being provided to the end user? Is it via email? Then, is the credential encrypted? How is the credential presented? Can it be copied? Can someone take a photograph of it? You see where I am going? It's a never-ending stream of what-ifs here. Password vaulting in the traditional manner replaces one problem with another. Password vaulting does not solve the problem; instead it kicks the can down the road. This is not security, this is a strategy for CYA (Cover Your – Behind).
The times are a-changing
Password vaults made good sense when the infrastructure and applications in an enterprise were relatively static. As an example, many eons ago most enterprises would have CRM, ERP, HR and other types of systems happily co-existing on data center servers, tightly tied to employee directories like Microsoft Active Directory or LDAP. In this type of scenario, where data center dynamics are not changing every minute and apps are tightly controlled, it's feasible to use a system that requires manual guidance for every access grant.
Enterprises are embracing the cloud. AWS, Rackspace, Digital Ocean, Heroku, Google Cloud, Oracle Bare Metal – you name it, and it's being used by enterprises. Similarly, people are jumping on the capex-to-opex SaaS bandwagon. Enterprises are using SaaS services for everything from HR, benefits management and accounting to expense tracking; the possibilities are endless. Most enterprises don't have a full idea of which apps are being used by which group, let alone the ability to manage privileged accounts on these apps.
When the servers powering your core product are expanding and increasing in number dynamically, what manual check-in and check-out process are you going to use? A high-speed environment cannot be held to ransom by this outdated password check-in and check-out process.
When SaaS apps are using Google as the authentication source, what check-in and check-out of passwords are you going to use to protect privileged accounts? When your admins create accounts on SaaS apps and on AWS that are not directly tied to your directory structure, what check-in and check-out of passwords will you use to grant authorization? Most organizations don't even know what accounts are in play, let alone control them.
Furthermore, there are many apps that do not offer an API to reset passwords, so how is your password vault going to reset the password after a check-out? Who is going to reset the password? Similar issues exist for servers. Once you provide a root account password, how are you going to change the password if the server is not tied to your Active Directory? Things are not as simple as they may seem.
Additionally, how is your password vault verifying the identity of the admin providing the check-out rights and of the employee actually checking out the passwords? If they are still using SMS or RSA tokens for multi-factor authentication, this is slowing them down and you are incurring costs that can be avoided. A next-generation transparent password vault comes with built-in, easy MFA. This is important, as it lowers the level of friction and saves time for your teams.
Making vaults transparent
Does this mean that password vaults are useless now? Absolutely not! My hypothesis here is that password vaults need to change. The core problem I see is the one of providing access, period. If an employee needs to get their job done, they require access – which does not mean that they need credentials! Let us recognize this simple but critical fact.
Password vaults need to be dynamic and transparent. Employees should interact with a password vault but not have to muscle their way through layers of non-intuitive clicks to figure out what to do. Password vaults should also be able to help a user log in without releasing the credentials. Think of Single Sign-On: it's a kind of password vault, but the employee never has to bother about a SAML assertion or an OAuth token.
Password vaults need to provide an experience where an employee visits an application and requests privileged access. The security controls and workflows should allow this request to be registered and acted upon with a simple yes/no (with multi-factor authentication) by an administrator. The security system, or transparent password vault, should then log the employee into the privileged account automatically with the right checks and balances in place.
In this scenario, the IT admin will not have to navigate a password vault to check out credentials, the employee will not have to access those credentials, and the auditors are happy since nobody has seen the credentials and everything has been recorded for auditing, with a smooth user experience to boot. The password vault check-in and check-out of passwords is a horrid way to do things. Password vaults need to become transparent: they perform their functions but add a layer of abstraction on top of themselves so that employees and admins can interact with them in a simpler, faster and more secure way.
Furthermore, your transparent password vault needs to be able to use Selenium, PhantomJS or similar mechanisms in addition to APIs to reset passwords for SaaS apps that do not have SSO hooks. Similarly, for infrastructure, your transparent password vault must be able to rotate passwords silently in the background. Oh, and all this needs to be done while keeping PHP session IDs valid during a browsing session and not killing SSH connections in the middle of someone accessing that account.
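To make the request-approve-login flow and the silent rotation concrete, here is an added example in Python. It is not code from this article or from any vendor's product; `FakeTarget` is a constructed stand-in for a server or SaaS app, the request-bound approval code stands in for the MFA step, and every account name and secret is hypothetical. The point it demonstrates is that the employee only ever receives an opaque session id, the password stays inside the vault, every step lands in an audit trail, and a rotation after login leaves the already-established session alive, just as a real password change leaves an open SSH connection or PHP session untouched.

```python
"""Added example (not from the article): a minimal "transparent vault" broker.
Constructed scenario: the vault holds the real credential, an employee asks for
access, an approver answers yes/no with a request-bound code (standing in for
MFA), and the vault logs the employee in and returns only an opaque session id.
FakeTarget, the names and the secrets are all hypothetical."""

import hashlib
import hmac
import secrets
from dataclasses import dataclass


class FakeTarget:
    """Constructed stand-in for a server or SaaS app fronted by the vault."""

    def __init__(self, account: str, password: str):
        self._creds = {account: password}
        self.sessions: dict[str, str] = {}  # session id -> account

    def login(self, account: str, password: str) -> str:
        stored = self._creds.get(account, "")
        if not hmac.compare_digest(stored.encode(), password.encode()):
            raise PermissionError("bad credential")
        sid = secrets.token_hex(16)
        self.sessions[sid] = account
        return sid

    def set_password(self, account: str, new_password: str) -> None:
        # As on most real systems, a password change does not revoke sessions
        # that were already established with the old password.
        self._creds[account] = new_password

    def session_valid(self, sid: str) -> bool:
        return sid in self.sessions


def approval_code(approver_secret: bytes, request_id: str) -> str:
    """Six-digit code bound to one request (hypothetical stand-in for MFA).
    Binding the code to the request id means an approval captured for one
    request cannot be replayed to approve a different one."""
    mac = hmac.new(approver_secret, request_id.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


@dataclass
class AccessRequest:
    request_id: str
    requester: str
    resource: str
    status: str = "pending"  # pending -> approved | denied -> used


class TransparentVault:
    """Keeps the real credentials and logs people in without releasing them."""

    def __init__(self, approver_secrets: dict[str, bytes]):
        self._approvers = approver_secrets  # approver -> approval secret
        self._secrets: dict[str, tuple[str, str]] = {}  # resource -> (account, password)
        self._targets: dict[str, FakeTarget] = {}
        self._requests: dict[str, AccessRequest] = {}
        self.audit: list[tuple] = []  # every step is recorded for the auditors

    def enroll(self, resource: str, target: FakeTarget, account: str, password: str) -> None:
        self._secrets[resource] = (account, password)
        self._targets[resource] = target

    def request_access(self, requester: str, resource: str) -> str:
        rid = secrets.token_hex(4)
        self._requests[rid] = AccessRequest(rid, requester, resource)
        self.audit.append(("request", rid, requester, resource))
        return rid

    def decide(self, rid: str, approver: str, approve: bool, code: str) -> bool:
        """The only human step: a yes/no plus the approver's request-bound code."""
        req = self._requests[rid]
        expected = approval_code(self._approvers[approver], rid)
        ok = approve and req.status == "pending" and hmac.compare_digest(expected, code)
        req.status = "approved" if ok else "denied"
        self.audit.append(("decision", rid, approver, req.status))
        return ok

    def open_session(self, rid: str, requester: str) -> str:
        """Log the requester in on their behalf; only an opaque session id leaves the vault."""
        req = self._requests[rid]
        if req.status != "approved" or req.requester != requester:
            raise PermissionError("no approved grant for this requester")
        account, password = self._secrets[req.resource]
        sid = self._targets[req.resource].login(account, password)
        req.status = "used"  # one grant, one session
        self.audit.append(("session", rid, requester, req.resource))
        return sid

    def rotate(self, resource: str) -> None:
        """Silent rotation: push a new random password to the target, keep sessions alive."""
        account, _ = self._secrets[resource]
        new_password = secrets.token_urlsafe(24)
        self._targets[resource].set_password(account, new_password)
        self._secrets[resource] = (account, new_password)
        self.audit.append(("rotate", resource))
```

In a real deployment `FakeTarget.login` would be an SSH connection, an API call or a Selenium-driven browser login, and `rotate` would call the app's password-reset API or drive its UI; the shape stays the same: the vault is the only party that ever handles the password, and a grant is consumed by exactly one session.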
Having a transparent vault also helps you gain visibility across the enterprise. Transparent password vaults usually come with a way to set up individual teams within the single product, hence obviating the standard "buy 10 boxes for 10 teams" model. It's way more cost-effective and produces less pushback from all teams. Additionally, the roll-out cycles for a transparent password vault are much shorter, since you can consume it as a SaaS service or only have to install it on-premise/in an AWS VPC one time, as opposed to 10 times over.
No human in the middle, except for Authorization
Typically, in most existing password vault installations an admin has to physically check out the password for the root account on a server, or something similar. This takes time, it takes trust, and most organizations do not have the time or manpower to verify that the trust has not been broken. It's like trusting that the wolf will not eat the hen because you've worked with the wolf for some time and the background check on the wolf came out all good. Trust without verification is a poor model.
Transparent password vaults help you provide access while at the same time not exposing credentials to anyone. Hence, the wolf does not have a hen to go after. Nobody gets access to the credentials. The only place where humans should be involved in the process is authorization – answering the question of whether someone should have access to a resource or not. This can be automated to a large degree with preset policies, clustering of infrastructure, AD group membership rules, GPOs and more. Having one or more people in the mix using a simple fingerprint verification on a mobile device to authorize access makes this process simple, secure and easy.
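The "humans only at the authorization step" model above can be expressed as a small policy evaluator. The following is an added example in Python, not code from this article or any product: directory group membership stands in for AD groups, a cluster tag on each resource stands in for infrastructure clustering, and the users, groups, clusters and policies are all constructed. It goes slightly beyond the paragraph by showing two decisions that a practitioner would want spelled out: default deny when no policy matches, and most-restrictive-wins when several policies match the same requester.

```python
"""Added example (not from the article): a policy evaluator for the model in
which humans appear only at the authorization step. Group membership stands in
for AD groups, the cluster tag for infrastructure clustering; every user,
group, cluster and policy below is constructed."""

from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    AUTO_APPROVE = "auto-approve"      # preset policy alone grants access
    HUMAN_APPROVAL = "human-approval"  # a named approver must say yes (with MFA)
    DENY = "deny"


@dataclass(frozen=True)
class Resource:
    name: str
    cluster: str  # infrastructure cluster the host or app belongs to
    tier: str     # "prod" or "nonprod"


@dataclass(frozen=True)
class Policy:
    group: str             # directory group the requester must be in
    cluster: str           # cluster covered, "*" for any
    tier: str
    decision: Decision
    approvers: tuple = ()  # who may answer when HUMAN_APPROVAL applies


# Constructed directory: user -> groups (think AD group membership)
DIRECTORY = {
    "alice": frozenset({"sre", "oncall"}),
    "carol": frozenset({"devs"}),
    "dave": frozenset({"sre", "contractors"}),
}

# Constructed preset policies
POLICIES = [
    Policy("devs", "*", "nonprod", Decision.AUTO_APPROVE),
    Policy("sre", "*", "nonprod", Decision.AUTO_APPROVE),
    Policy("sre", "*", "prod", Decision.HUMAN_APPROVAL, ("bob",)),
    Policy("oncall", "payments-prod", "prod", Decision.HUMAN_APPROVAL, ("bob", "erin")),
    Policy("contractors", "*", "prod", Decision.DENY),
]

# When several policies match, the most restrictive outcome wins.
RANK = {Decision.AUTO_APPROVE: 0, Decision.HUMAN_APPROVAL: 1, Decision.DENY: 2}


def evaluate(requester: str, resource: Resource) -> tuple:
    """Return (decision, approvers); approvers is non-empty only for HUMAN_APPROVAL."""
    groups = DIRECTORY.get(requester, frozenset())
    matches = [
        p for p in POLICIES
        if p.group in groups
        and p.tier == resource.tier
        and p.cluster in ("*", resource.cluster)
    ]
    if not matches:
        return Decision.DENY, ()  # default deny: no matching policy, no access
    decision = max((p.decision for p in matches), key=RANK.__getitem__)
    if decision is not Decision.HUMAN_APPROVAL:
        return decision, ()
    approvers = sorted(
        a for p in matches if p.decision is Decision.HUMAN_APPROVAL for a in p.approvers
    )
    return decision, tuple(dict.fromkeys(approvers))  # de-duplicated, ordered
```

A `HUMAN_APPROVAL` result is where the mobile fingerprint prompt to one of the listed approvers would go; an `AUTO_APPROVE` result lets the vault log the employee in immediately, and `DENY` is logged and stops there. Keeping the policy table data-driven, rather than hard-coding the rules, is what lets the same evaluator cover a cluster that was provisioned a minute ago.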
Next Gen PAM can help you layer Transparent Password Vaults
It's amply clear that password vaults were good for the time they were built for. With the technology landscape changing rapidly – IaaS, SaaS, PaaS, mobile and more in play – they are dinosaurs. Let's not hold on to old ways of working that reduce our velocity and effectiveness just because that's the way we have been doing it. Let's solve the problem, not put band-aids on it. Employees need access – they don't need passwords. In an ideal world there would be no passwords, but we've been banging on that drum for the last 30 years – passwords are not going anywhere. So at least use PAM solutions with built-in transparent password vaults to securely provide access and never release credentials to employees.