Federal Agencies are Playing a Game of Hope with Two-Factor Authentication

Shortly after the federal government suffered it’s largest and costliest data breach ever at the Office of Personnel Management (OPM), a post-mortem analysis found that the breach was entirely preventable, and the exfiltration of security clearance files of government employees and contractors could have been prevented through the implementation of two-factor authentication for remote log-ons.

But is two-factor authentication the answer? There’s no question it significantly reduces the vulnerable user and even administrator accounts to password attacks. But, even with authentication in place, many accounts remain vulnerable to password attacks. Passwords exist in just about every environment. Some of them are buried in appliances or built into operating systems. These accounts and their passwords have been treated as incurring an acceptable level of risk, but that risk is becoming more and more difficult to accept.

Federal agencies are playing a game of hope:

• Hoping the people that know or have access to these passwords are honorable and will protect the passwords.
• Hoping that when they leave the organization, they magically erase the passwords from their memory. Hoping they change the passwords at the required intervals to meet compliance requirements.
• Hoping they use these accounts only for the purposes intended.

Some delegate the management of service and administrative passwords to a security team or single person. But maintaining compliance can require training a highly-trained security engineer into a full-time “password resetter”. And that’s a pain in the neck job and risk-laden job to have. That’s because when a service account password is reset in a typical Active Directory environment, it must also be entered everywhere the service is running. If not, the next time that the service restarts, it will fail – affecting hundreds of servers, cause application outage, and hurt productivity. The bigger the agency or department, the more pain this causes.

Traditional Privileged Password Management Has Teams Running in Circles

If you’re using and managing traditional privileged passwords, as you know, just applying a single hotfix is a multi-step process which can sap up the time of any security admin or auditor as they submit and review requests, change passwords, connect to each server where the service is running and enter the new password, document the new password and lock it back in the safe.

Security auditors have better things to do. And, any missed step in the process risks application downtime. Plus, the auditor has no idea what the security admin did with the new password while he had it. All the auditor can hope is that the admin had honorable intentions.

Probably the most serious problem is all the unknowns. In this scenario, the security auditor has access to the password. If something malicious is done with the account, we must look to the people who might know the password. Most auditors would not want to be in that position. Moreover, if more than one person has access to the password, auditing is an exercise in futility.

Taking Passwords out of the Picture

Agencies need a better way. A more secure, efficient and compliant way to provide access to privileged accounts.

This involves taking passwords out of the picture or having them completely obscured from all persons.

The answer? One Identity Safeguard. One Identity offers a family of identity and access management solutions (IAM) that help agencies get IAM right. For example, One Identity Safeguard provides a single architecture for privileged access management that is delivered on a secure hardened appliance. This architecture greatly simplifies deployment and management, and accelerates the time to value

One Identity Safeguard delivers the ability to give the admins the sessions they need, logged in as the privileged account, only when they need it. Adding the session management capability allows the admin to request the privileges and use them without seeing any passwords, and with Safeguard they can use the same method of access they have always used – security and convenience rolled into one solution.

Using a unified policy engine and management tools teams can securely grant access to privileged passwords and sessions. And, if you add on Privileged Password Manager, you can automate and control the process of granting access to privileged accounts and passwords.

bradley.gernat@dlt.com'
Bradley Gernat