16 Feb 2012
Not all systems administration (sys-admin) is done by people. Some applications need administrator access to communicate and make changes.
Furthermore, remote management tasks are often carried out using pre-set procedures in sys-admin tools, for example the backup of branch office devices.
For this to work, privileged login details are often embedded in the applications or tools that require them. Should the wrong individual get access to these credentials, they may be able use them for malicious purposes.
To make things worse, when such details are embedded they rarely get changed because it burdensome to do so and consequently the credentials may remain valid for long after they have been compromised.
This risk is exacerbated by the fact that such privileged login details are often not just stored but also often transmitted as the clear text.
In recent Quocirca research around 50 per cent of organisations admitted that sys-admin login details we regularly transmitted in clear text, although it varied widely by industry.
This need not be the case.
First, applications and tools needing privileged access right should be administered and monitored in the same way as "human" privileged users (for example, they should not use group access privileges).
Furthermore, the assigned login details need not be transmitted in clear text. Passwords can easily be masked, or better still the whole transmission required to carry out a remote admin task can be encrypted.
To see the full research behind this and get a free copy of Quocirca's report go to Conquering the sys-admin challenge.
Bob Tarzey, Quocirca