Many organizations face the issue of knowing precisely who has access to a particular privileged account. Although (in theory) IT pros never reveal
important passwords to one another, in the trenches it is a different story. (In almost every job I've had, at some stage I've been handed the password
to another administrator's account, written on a piece of scratch paper, for use in some unusual set of circumstances.) It would be nice to think that
as soon as the password is used for its intended purpose, the person who is responsible for managing it will update it so that it is secret once more.
In reality, what happens is this: Six months later, when a similar situation arises, you hear, "Mate, it's the same password I gave you the last time!"
Enterprise Random Password Manager (ERPM) is designed to deal with the issue of privileged password management in cross-platform enterprise
environments. ERPM allows you to manage privileged Windows accounts, Linux or UNIX privileged accounts, service accounts, and application-specific
accounts.
Sophisticated Process
ERPM works in a way that's more sophisticated than just remembering the passwords for specific accounts. When an IT pro needs to perform a task that
requires the use of a privileged account, he or she logs on to the ERPM web console (which Figure 1 shows) and requests a password for that account.
Depending on how you configure ERPM, the request might be approved automatically, or the IT pro might need to wait for approval. Either way, when the
request is approved, ERPM will issue the IT pro a complex temporary password for the account. This password can be displayed on the screen, sent
through email, or transmitted through a text message. ERPM ensures that the password has been synchronized on the related system before issuing it to
the IT pro. Unlike typical administrator passwords, this password is valid for a limited time only; it then expires and the password is reset.
Administrators also have the option of checking in a password, at which point the password will be reset ahead of schedule. You can tie ERPM into a
service desk application such as Microsoft System Center Service Manager (SCCM), ensuring that an appropriate approvals framework is in place before
passwords for sensitive accounts are dispensed.

Figure 1: The ERPM Console
Simplified Management
The benefit of ERPM is that it simplifies the management of privileged accounts. Organizations can more easily keep track of who has access to
privileged account credentials because those credentials are checked out for a specific amount of time only. Even if an IT pro changes the temporary
password, ERPM will still reset it when the checkout period expires. Rather than having access to privileged accounts on an ongoing basis,
administrators have access only when they need it to perform their designated job role.
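As an added illustration (not Lieberman's code and not how ERPM is actually implemented), the following Python model walks through the checkout flow described above and under Sophisticated Process: an approval hook, a complex password synchronized on the target before it is issued, a fixed checkout window, early check-in, and a reset at expiry that overwrites whatever value the holder left behind. The target systems, account names, approval policy and timestamps are constructed stand-ins.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"  # alphabet for temporary passwords

def random_password(length=24):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))  # fresh on every issue and reset

class CheckoutVault:
    def __init__(self, targets, approve=lambda user, system, account: True):
        self.targets = targets    # constructed stand-in for the managed systems: {system: {account: password}}
        self.approve = approve    # approval policy hook; auto-approve unless a policy is supplied
        self.active = {}          # (system, account) -> (user, purpose, expires_at): who holds what right now
        self.audit = []           # (time, action, system, account, detail): the rows a report is built from

    def _reset(self, system, account, now, action):
        new = random_password()
        self.targets[system][account] = new   # synchronize the target system first...
        self.audit.append((now, action, system, account, None))
        return new                            # ...and only then hand the value out

    def request(self, user, system, account, purpose, now, ttl=3600):
        """Return the temporary password, or None when denied or already checked out."""
        if account not in self.targets.get(system, {}):
            raise KeyError(f"{account}@{system} is not a managed account")
        if (system, account) in self.active:
            return None                       # one holder at a time; the record says who
        if not self.approve(user, system, account):
            self.audit.append((now, "denied", system, account, user))
            return None
        password = self._reset(system, account, now, "issue")
        self.active[(system, account)] = (user, purpose, now + ttl)
        self.audit.append((now, "checkout", system, account, f"{user}: {purpose}"))
        return password

    def checkin(self, user, system, account, now):  # early return by the holder resets ahead of schedule
        holder = self.active.get((system, account))
        if holder is None or holder[0] != user:
            return False
        del self.active[(system, account)]
        self._reset(system, account, now, "checkin-reset")
        return True

    def expire(self, now):
        """Reset every overdue checkout, overwriting any value the holder set on the target by hand."""
        due = [key for key, (_, _, exp) in self.active.items() if exp <= now]
        for system, account in due:
            del self.active[(system, account)]
            self._reset(system, account, now, "expiry-reset")
        return len(due)
```

Filtering `audit` for `"checkout"` rows gives the who/what/when/why view that the reporting section describes; the `"denied"` rows show requests that never got a password.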
After being configured in an environment, ERPM uses a continuous discovery process to find and secure new privileged accounts. For example, if you have
deployed Microsoft SQL Server and add new accounts and databases, ERPM is updated with these credentials as they are created.
Many organizations use simple passwords for inter-application communication, as a way of simplifying the process. The problem with this approach is
that simple passwords are more likely to be compromised by attackers. Because application and service passwords are managed centrally through ERPM,
they can be substantially more sophisticated. ERPM can also determine application interdependencies and update credentials accordingly. This capability
solves one of an IT pro's biggest headaches: rotating service account and application passwords. When this rotation is performed manually, one or more
account instances are inevitably forgotten and the service or application stops working because of authentication issues.
Advanced Reporting
The other substantial advantage of ERPM is that because it uses a SQL back end, you can generate sophisticated auditing and compliance reports that
show which passwords have been checked out of the system, by whom, and for which purpose. ERPM supports password management for as many as 120,000
systems with as many as 360,000 accounts per system -- for a total of as many as 3 million accounts.
Special Caveat
My only concern about ERPM is that it places, to mix a metaphor, all the keys to the castle in the same basket. Because ERPM can change any password in your
organization, the administrator who controls the product indirectly controls everything. Special care must be taken when setting up ERPM to ensure
that it is secure. If incorrectly configured, the product could represent a large and tempting weak link in the organization's security infrastructure.
Change for the Better
ERPM provides a logical framework for the management of privileged account credentials. Although the change to using temporary administrator passwords
(rather than long-term, non-expiring passwords) will come as a bit of a culture shock to many IT pros, it can -- if properly implemented -- make
privileged account management more auditable and secure.
Enterprise Random Password Manager
PROS: Provides an easy-to-use method of automating the management and security of sensitive privileged accounts in heterogeneous environments
CONS: Requires IT pros to take the time to adapt, but offers a more robust password account-management system
RATING: 4.5 out of 5
PRICE: $25,000 for a 500-workstation/device license
RECOMMENDATION: ERPM provides an effective solution to minimizing the distribution of passwords for sensitive accounts.
CONTACT: Lieberman Software • 800-829-6263 • www.liebsoft.com