The recent SolarWinds hack should have all companies thinking about passwords and shared accounts. The US Cybersecurity and Infrastructure Security Agency (CISA) recently said that the malicious actors behind the hack used password guessing to access credentials. There are also reports that in 2019 a SolarWinds update server was accessible with the password ‘solarwinds123’, which had been leaked in a public GitHub repository. According to the report, SolarWinds addressed this issue, but it raises serious questions about the use of passwords for shared systems or shared accounts. In a zero-trust security model, no one should ever know the password for a shared account.
Shared Accounts and Passwords
Shared accounts are just that – accounts with one password that is shared across many users. They are used for platforms and network tools like servers and databases, as well as for applications and email addresses. Often the resource itself leaves no option but to use one shared credential. When companies create passwords for shared accounts, they open themselves up to greater risk. Just consider the following:
- Shared passwords are often shared outside of the intended users.
- You cannot track who is using the account at any given time. This presents a security and auditing problem. If there is a breach of the account, it’s hard to map the attack chain of the incident.
- When an employee leaves or moves departments, the shared credentials need to change. This process is not scalable and leaves a lot of room for error.
- Shared passwords are often not very complex (as seen in the SolarWinds example). This makes password guessing an effective strategy for hackers.
- Most importantly, many shared accounts have elevated privileges making them prime targets for malicious actors. If hackers gain privileged credentials to your systems and infrastructure, they can move laterally through your business network, evade detection, and access your most sensitive data causing serious damage to your business and reputation.
That leaves the question: what should you do with shared account passwords?
Password managers help by letting users share passwords without seeing the actual credential. While this offers an additional layer of protection, the passwords still need to be transmitted and can be exposed to hackers. Password managers are also limited in their auditing capabilities and in tracking incidents involving shared accounts. They often don’t meet regulatory requirements for privileged accounts, and companies can quickly outgrow them. Even with these limitations, they are a good option for personal password management, but they are not ideal for enterprise privileged credentials or shared accounts.
Multifactor authentication can be added to further secure passwords by forcing a user to have additional identifiers or authentication tokens before granting access to a system. With MFA, even if passwords are stolen, it’s unlikely that the hacker also has the phone and one-time password (OTP) generator. But when you add MFA to shared accounts, who receives that token? What happens if someone receives the token and doesn’t know which team member requested it? This is a growing challenge with shared privileged credentials and one I’ve written about before.
When it comes to privileged credentials (i.e. passwords), especially for shared accounts, the most secure option is to put them into a secure vault using a privileged access management system. Privileged access management (PAM) systems help administrators forget privileged passwords by never learning them in the first place. Anyone who needs access to a privileged or shared account uses their own domain account to connect to the central vault, and then uses the vault as a gateway to the remote destination.
PAM software, such as Xton Access Manager (XTAM), stores all privileged accounts in one easy-to-access vault and releases passwords on request to qualified IT personnel or privileged users. When the session ends, the system resets the password. XTAM includes a host of additional features such as account discovery, session monitoring and auditing capabilities, rules-based controls, MFA and virtual MFA support for shared accounts, one-time passwords, and just-in-time access.
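To make the vault-and-gateway model above concrete, here is a small Python simulation added for this post (it is not XTAM code or any vendor's API): users check out a shared account under their own identity, the vault logs in to the target on their behalf so the password never reaches a person, every checkout and denial is attributed in an audit trail, and the password is rotated on check-in. The `TargetSystem` class, the `PamVault` class and the account names are constructed for illustration.

```python
import secrets
from datetime import datetime, timezone

class TargetSystem:
    """Stand-in for a server or database that has one shared local account."""
    def __init__(self, account, password):
        self._creds = {account: password}
    def set_password(self, account, password):
        self._creds[account] = password
    def login(self, account, password):
        return secrets.compare_digest(self._creds.get(account, ""), password)

class PamVault:
    """Toy PAM vault (constructed): users authenticate as themselves, the vault
    brokers the login, records who used the account, and rotates on check-in."""
    def __init__(self):
        self._secrets = {}   # (target, account) -> password, held only here
        self._acl = {}       # (target, account) -> users allowed to check out
        self._sessions = {}  # opaque session handle -> (target, account, user)
        self.audit = []      # (utc timestamp, event, account, user)
    def _log(self, event, account, user):
        self.audit.append((datetime.now(timezone.utc), event, account, user))
    def _rotate(self, target, account):
        new = secrets.token_urlsafe(24)
        target.set_password(account, new)       # change it on the target,
        self._secrets[(target, account)] = new  # then remember it here
    def enroll(self, target, account, onboarding_password, permitted):
        self._secrets[(target, account)] = onboarding_password
        self._acl[(target, account)] = set(permitted)
        self._rotate(target, account)  # retire the password an admin once knew
    def checkout(self, target, account, user):
        if user not in self._acl.get((target, account), ()):
            self._log("denied", account, user)
            raise PermissionError(f"{user} may not use {account}")
        handle = secrets.token_hex(16)  # a handle, never the password itself
        self._sessions[handle] = (target, account, user)
        self._log("checkout", account, user)
        return handle
    def connect(self, handle):
        # The vault supplies the secret to the target; the user never sees it.
        target, account, _ = self._sessions[handle]
        return target.login(account, self._secrets[(target, account)])
    def checkin(self, handle):
        target, account, user = self._sessions.pop(handle)
        self._rotate(target, account)  # whatever was just used is now useless
        self._log("checkin", account, user)
    def who_used(self, account):
        return [(ts, user) for ts, ev, acct, user in self.audit
                if acct == account and ev == "checkout"]
```

The audit entries carry the requesting user's own identity, which is exactly what a shared password cannot give you when you need to reconstruct who did what.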
Now is the time to enhance your company’s security by forgetting passwords. Let XTAM handle all your passwords for shared resources and privileged credentials. Contact us today to learn more and see a demo.