Anjar Priandoyo

June 5, 2009

Password Management Guidelines

Filed under: Security — admin @ 5:06 pm

“…Why do we need to separate ownership of the root/administrator password between different people?
Should we put the password in different envelopes?
Do I need to change this password so frequently?…”

I get a lot of questions from users and clients about password management guidelines. My answer: in theory you can refer to guidelines such as NIST SP 800-118, Guide to Enterprise Password Management. However, that guideline does not go into much detail on privileged password management, i.e. accounts such as root, sa or administrator, which usually do not belong to a single person.

Based on my experience, the passwords of accounts that can post financial transactions should be separated; for example, the SAP* super user password should be kept in its own sealed envelope. For OS and DB passwords I can't tell you the exact best practice; in theory it depends on the risk analysis itself. Company policy or regulation (I'm not sure whether HIPAA, SOX or FISMA require it) will determine whether separation is required or not.
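One concrete way to implement "separate ownership of the root password between different people" without any one holder learning even part of it is Shamir's secret sharing: the password is split into n envelopes of which any k are needed to reconstruct it, and k-1 envelopes give no information at all (unlike simply handing each custodian half of the password string). The following is an added example written for this post, not code from the original page or from NIST SP 800-118; it generalizes the two-envelope case discussed above to k-of-n, and the custodian names, password length, k/n values and the choice of field prime are illustrative assumptions. Each envelope also carries a SHA-256 fingerprint of the password so the custodians can tell a bad or missing share from a correct reconstruction without anyone exposing the password.

```python
"""Split one privileged password into k-of-n custodian envelopes (Shamir's
secret sharing over GF(p)), so that no single holder can use or learn it.

Added example; not from the original post.  Custodian names, the password
length and the k/n values are illustrative assumptions.
"""
import hashlib
import secrets
import string

# Mersenne prime 2**521 - 1.  Any ASCII password shorter than 65 bytes encodes
# to an integer below this, so it can be treated as one field element.
PRIME = 2**521 - 1


def generate_password(length=24):
    """Random password from a printable alphabet, using the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + "!#%&()*+-=?@_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def fingerprint(password):
    """SHA-256 of the password: written on every envelope so custodians can
    verify a reconstruction without anyone revealing the password itself."""
    return hashlib.sha256(password.encode("ascii")).hexdigest()


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... mod PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_password(password, k, n, custodians):
    """Return n (custodian, x, y) envelopes.  Any k of them reconstruct the
    password; k-1 reveal nothing, because the k-1 non-constant polynomial
    coefficients are uniformly random field elements."""
    if not 1 < k <= n or len(custodians) != n:
        raise ValueError("need 1 < k <= n and one custodian per share")
    secret = int.from_bytes(password.encode("ascii"), "big")
    if secret >= PRIME:
        raise ValueError("password too long for the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(name, x, _eval_poly(coeffs, x))
            for x, name in enumerate(custodians, start=1)]


def _interpolate_at_zero(points):
    """Lagrange interpolation through the given (x, y) points, evaluated at
    x = 0, i.e. the constant term of the polynomial (the secret)."""
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj == xi:
                continue
            num = num * (-xj) % PRIME
            den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def recover_password(envelopes, password_len, expected_fp):
    """Combine opened envelopes.  Returns the password only if the result
    matches the fingerprint; with fewer than k shares (or a tampered share)
    the interpolation yields an unrelated value and None is returned."""
    value = _interpolate_at_zero([(x, y) for _, x, y in envelopes])
    nbytes = max(password_len, (value.bit_length() + 7) // 8)
    candidate = value.to_bytes(nbytes, "big")
    if hashlib.sha256(candidate).hexdigest() != expected_fp:
        return None
    return candidate.decode("ascii")


if __name__ == "__main__":
    # Constructed scenario (assumption): one host's root password is held
    # 2-of-3 by the DBA lead, the sysadmin lead and the security officer.
    pw = generate_password()
    fp = fingerprint(pw)
    envs = split_password(pw, 2, 3, ["dba_lead", "sysadmin_lead", "security"])
    for name, x, y in envs:
        print(f"envelope for {name}: share {x} = {hex(y)[:18]}..., "
              f"fingerprint {fp[:16]}...")
    assert recover_password(envs[:2], len(pw), fp) == pw
    assert recover_password(envs[1:], len(pw), fp) == pw
    assert recover_password(envs[:1], len(pw), fp) is None
    print("2 of 3 envelopes recover the password; 1 does not")
```

In practice each (custodian, x, y) triple plus the fingerprint goes into that custodian's sealed envelope, and rotating the password means generating a new one and reissuing all envelopes; the old shares become worthless the moment the password on the system changes. The fingerprint is a plain SHA-256 and is only there to detect a wrong share; because the password is random and long it does not meaningfully help an attacker who obtains an envelope, but it should not be used with a weak, human-chosen password.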

Any suggestions?


1 Comment »

  1. Password management is very important in IT and this is a basic way to control access and authorization. In my understanding and experience, different organizations have different types/levels of security requirements, and different systems also have different security requirements. An account like root/administrator, which has full authority and can complete any kind of operation on the system, needs special security consideration and policy. Splitting the password between different people completes the basic rule of dual authorization, so no single person can conduct any fraud, and if anything happens both will be responsible. The root password needs to be assigned by two senior people of the department or organization, based on the system's or application's importance or criticality.
    Nowadays there are appliances available which can control password assignment and release for different types of systems and different accounts; e-DMZ is an example of this. I was using this device in my last bank, where we controlled all root and admin passwords for various systems through this device, with very strong monitoring of all activities for all password releases and assignments.

    Thanks
    Naveen

    Comment by Naveen Pareek — August 8, 2009 @ 6:17 am
