Friday, October 5, 2012

Saving Money with IT Security Processes. Example 9/26: Preventing the Angry Administrator Revenge


Article number 9 in a series dedicated to giving examples of the way IT security processes can help your company save money.

The incident that I refer to when I speak about the "Angry Administrator Revenge" is the one that happens when you sack an admin and that he uses his administrative rights to wreak havoc in your Information System. That's a pretty common case:
This is when the IT Security process of Password Management comes in. (It's sometimes part of a larger Identity and Access Management process.)

Basically, almost everything in IT is protected by a password. Rare exceptions are the things that are not protected at all or the things that require more than just a password. However, password is the rule.
There are two kinds of passwords to be distinguished:
  • The personal passwords, that are known by one person only.
  • The shared passwords, that are known by multiple people.
Whatever your degree of maturity, shared passwords can't be eliminated completely. So, virtually any Information System in this world has both personal and shared passwords and they give access to virtually every server, storage, application...

The Password Management process does the following:
  • It knows who's supposed to know (be in the shared secret) each password.
  • It knows how to change them.
  • It does change them whenever someone who knows them is no more in charge (or has been sacked).
  • And, because there are sometimes more people who know a password than the few supposed to know it, it changes all passwords on a regular schedule, like once a year, or more for critical data.
So, with a sound Password Management process, you can avoid what's happened to Gucci and so many other companies.