Masaryk University Faculty of Informatics

Bachelor Thesis

Password Management Solutions for Collaborative Environment

Klára Pavelková

Brno, Spring 2014

Declaration

Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references and literature used or excerpted during the elaboration of this work are properly cited and listed in complete reference to the due source.

Advisor: Mgr. Pavel Tuček

Acknowledgement

I would like to express my deepest gratitude to my advisor Mgr. Pavel Tuček for his continuous support and strong encouragement throughout this project. Despite the fact that it was necessary to overcome several obstacles, he was the person who kindly motivated me to achieve completion. In addition, without his patient assistance I would not have been able to perform so many lengthy business calls, which were completely new for me. A special thanks goes to my colleagues Mgr. Luděk Finstrle and RNDr. Marek Kumpošt, Ph.D., who found time to help me with formulating the initial list of requirements, without which the project could not have begun. Last but not least I would like to thank my sister Radka for precious language advice and my beloved Tom, who had a lot of patience with me during the toughest times of this project.

Abstract

The theoretical part of the thesis analyzes the motivation for deploying password management software in the infrastructure of an organization and the security aspects of both cloud-based and on-premises software. In the practical part a survey of enterprise password managers is carried out, suitable products are selected and a proof of concept is implemented. Based on the results, a particular product is recommended.

Key Words

Password Manager, Cloud-based, On-premises, Security, Proof of Concept

Table of Contents

1 Introduction
2 Password Management Software
2.1 Passwords and Their Ancient Records
2.2 Passwords in Context of Access Control
2.3 Identification, Authentication, Authorization and Accountability
2.4 Motivation for Deploying Password Management Software
2.5 Pros and Cons of Password Management Software
3 Security
3.1 Cloud Computing and Information Security
3.2 Cloud-based Password Management Software
3.3 On-premises Password Management Software
4 Optimal Features
5 Enterprise-Requested Features
5.1 Essential Requirements
5.2 Optional Requirements
6 Survey of Enterprise Password Management Software on the Market
6.1 Cloud-based Software
6.2 On-premises Software
6.3 Availability of Trial Versions
6.4 Rejected Software for the Proof of Concept Purposes
6.4.1 Rejected Because of No Trial Version Availability
6.4.2 Rejected Because of Not Meeting the Enterprise Requirements
6.5 Software Selected for Testing
7 Proof of Concept
7.1 Test Environment
7.2 Pro
7.2.1 Requirements, Installation and Configuration
7.2.2 Resource and Password Management
7.2.3 Backup of Database
7.3 Secret Server
7.3.1 Requirements, Installation and Configuration
7.3.2 Resource and Password Management
7.3.3 Backup of Database
7.4 Enterprise Random Password Manager
7.4.1 Requirements, Installation and Configuration
7.4.2 Resource and Password Management
7.4.3 Backup of Database
7.5 Conclusion of Testing and Recommendation
8 Conclusion
Bibliography
Appendix
Legal Issue

1 Introduction

Using a password to authenticate to a service is a daily practice for every user. As the number of services requiring authentication grows, so does the number of passwords a user has to remember. This leads to a well-known problem: passwords get reused or written down and stored in insecure places, which endangers the confidential information the service protects. Password management software exists to address the problems connected with using a large number of passwords. It comes in several forms: some products are meant for personal use, others are designed to store and protect privileged information shared within an organization. This thesis deals specifically with enterprise password management software, which is typically used by system administrators.

The thesis is divided into two major parts, theoretical and practical. The theoretical part introduces password management software, gives a brief look into the history of passwords, sets passwords in the context of access control and explains the basic terms. It continues with the overall motivation of administrators for deploying and using such software and a section on its strengths and weaknesses. There are two approaches to password managers, cloud-based and on-premises; the next chapter discusses each of them from the security point of view and also covers the security aspects of cloud computing in general. The final section of the theoretical part briefly outlines which approach should be taken when searching for the features of an optimal password manager.

The original output of the practical part was to be a proposal of password management software for NetSuite Inc., which has a strong need to deploy such software in its global infrastructure. However, the motivation had to be changed slightly during the work because of legal problems that suddenly arose. The practical part therefore deals with general aspects of available password managers rather than being tied to NetSuite. The only exception is the first practical chapter, on enterprise-requested features, because these features were initially consulted with participating specialists from NetSuite. A survey of the software available on the market follows; a few products are selected and analyzed further. The end of the last chapter summarizes practical experience from deployment in a test environment and gives the author's personal recommendations based on the proof of concept results.

2 Enterprise Password Management Software

A password manager (further in the text PM) is software used for storing passwords and optionally other confidential data (e.g. PIN codes, credit card numbers, SSH keys¹ etc.) in an encrypted database. The database is stored either on the provider's servers or within the purchaser's infrastructure. It is protected by a master password and becomes accessible only after that password has been provided. The PM helps to keep passwords up to date and well organized and frees the user from the burden of remembering all of them. In general there are two approaches to a PM: the first is to use a PM for personal purposes, the second is to deploy a shared PM within a company. This thesis deals exclusively with the second approach, enterprise password management software, whose main aim is to manage the shared privileged information of an organization. This chapter briefly explains what the role of passwords was in ancient times, in order to show their importance throughout the history of mankind. The definition of passwords in the context of access control is given, together with an explanation of the basic terms associated with access control. The motivation for deploying a PM within a company is offered and its advantages and disadvantages are discussed.

2.1 Passwords and Their Ancient Records

A password can be defined as a secret string that enables a user to enter a service or resource and perform specific operations within it. A password has to be used strictly in combination with credentials (such as a user name) that belong exclusively to that user. As passwords are so widely used across information systems, it is important to keep them secret and to constantly develop better techniques for protecting their confidentiality, and thereby the privileged data they guard.

¹ [1] “The SSH protocol supports the use of public/private key pairs in order to perform authentication based on public key cryptography.”

In order to appreciate the importance of using passwords, keeping them strong and unbreakable and using them properly, it helps to look at their role in the past. As the following shows, using a password to keep a secret confidential has a long history; such use of passwords was reportedly already known in Ancient Egypt. According to the Encyclopedia of Ancient Egypt [2], from which the following quotations are taken, a mortuary text called Am Duat was depicted on the walls of the tomb of the Egyptian king Tuthmosis III (1479–1425 B.C.E.) in the Valley of the Kings in Thebes. The purpose of this text was to “instruct the deceased how to overcome the dangers of the afterlife, by enabling them to assume the form of several mythical creatures, and to give them passwords necessary for admittance to certain stages of the Underworld. The spells (i.e. magic words written on the walls) also allowed the deceased to proclaim themselves as bearing the identity of many gods.” The passwords were thus meant to gain the deceased admittance in the afterlife. As this note shows, passwords have been inseparably connected with privileged information for ages. While in Ancient Egypt their potential was reportedly used after the king's death, in the 21st century they are an inevitable part of everyday life. As the quote says, in order to reach the afterlife (the goal), it was important to know the spells and passwords, i.e. the protected information locked in the tomb. This knowledge also allowed the deceased to change their identity according to current needs. In today's terms this can be compared to identification and authentication to a particular service that is somehow valuable to us, which is further explained in section 2.3. Confidential information has always been important to people, and its importance is increasing even further due to the swift development of information technologies.

2.2 Passwords in Context of Access Control

Ross Anderson claims in his book Security Engineering [3] that “passwords are still the foundation on which much of computer security rests, as they are the main mechanism used to authenticate human users to computer systems.” In order to fully understand the meaning and purpose of passwords it is important to explain some basic terms inseparably connected with them. The fundamental one, superior to the others, is the term access control, as passwords are typically used to access computer systems. The following explanations and definitions (as well as those in section 2.3) are taken from the CISSP (Certified Information Systems Security Professional) publication written by Shon Harris [4]. “Access control is a broad term that covers several different types of mechanisms that enforce access control features on computer systems, networks and information.” In connection with this definition he also explains access control features as a set of security elements which moderate how systems and users interact and communicate with other systems and resources. Such features “protect the systems and resources from unauthorized access (...)”. In password management software these security features are essential in order to protect the confidential information stored within it. Before proceeding to the definitions of other terms connected with access control it is helpful to clarify the term access itself, again in the words of Harris: “Access is the flow of information between a subject and an object. A subject is an active entity that requests access to an object or the data within an object. A subject can be a user, program, or process that accesses an object to accomplish a task. (…) An object is a passive entity that contains information or needed functionality. An object can be a computer, database, file, computer program, directory or field contained in a table within a database.” All the terms mentioned above, access, access control, subject and object, are dealt with further in the following parts of this thesis.

2.3 Identification, Authentication, Authorization and Accountability

The following descriptions are taken from Harris [4]. A user cannot access a resource unless he proves that he is who he claims to be, has the credentials required to enter the resource and has the privileges or rights necessary to perform the requested actions. Conversely, once the user fulfils all of these requirements, he can access and use the resource. The requirements a user must meet on his way to the resource are divided into three steps.

• Identification. “Identification describes a method of ensuring that a subject (a user, program or process) is the entity it claims to be.” A user name or an account number can serve as the claimed identity.

• Authentication. In order to be authenticated, the subject must provide a second piece of credentials, which can be a password, passphrase, PIN, cryptographic key, an anatomical characteristic or a token (something the user exclusively owns). “These two credential items are compared to information that has been previously stored for this subject. If these credentials match the stored information, the subject is authenticated.” More about authentication is given in sections 5.1 and 5.2 in the context of the requested features of PMs.

• Authorization. Once the subject is identified and has provided its credentials, the system needs to check whether this subject has been given the privileges and rights to perform the requested actions. For that purpose it uses an access control matrix (for the definition see section 5.1, Essential Requirements). If the system determines that the subject is allowed to access the resource, the subject is authorized.

All of these steps must be completed before a subject is allowed to access an object. In addition, one more attribute must hold while a subject acts within an object: accountability. The subject has to be accountable for every action it takes within a system or resource. “The only way to ensure accountability is if the subject is uniquely identified and the subject’s actions are recorded.” Within a PM such recording is done by its own auditing functionality, which is discussed in section 5.1 as one of the core features of a PM.
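The four stages above, together with the per-entry ACL and the audit trail that section 5.1 later lists as essential requirements, can be seen in working code. The following Go program is an added example written for this text and is not part of any product discussed in the thesis; the vault, its users, entries and rights are constructed for illustration, and the salted SHA-256 digest stands in for the deliberately slow password-hashing function a real PM must use.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Right is one permission a subject may hold on a stored entry (the object).
type Right string

const (
	RightRead  Right = "read"  // retrieve the stored password
	RightWrite Right = "write" // change the entry
)

// Entry is the object; its ACL is that object's column of the access control
// matrix: each subject maps to the set of rights it holds on the entry.
type Entry struct {
	Password string
	ACL      map[string]map[Right]bool
}

// Account holds what authentication needs: a random salt and a salted digest.
type Account struct{ Salt, Digest []byte }

// AuditRecord gives accountability: who attempted which action on which
// object, when, and whether the ACL allowed it. Denied attempts are kept too.
type AuditRecord struct {
	When    time.Time
	Subject string
	Action  Right
	Object  string
	Allowed bool
}

// Vault is a constructed in-memory store; user names are the unique
// identifiers that identification and accountability rely on.
type Vault struct {
	accounts map[string]*Account
	entries  map[string]*Entry
	Audit    []AuditRecord
}

func NewVault() *Vault {
	return &Vault{accounts: map[string]*Account{}, entries: map[string]*Entry{}}
}

// digest hashes salt||password; a real PM must use a slow KDF here (PBKDF2,
// scrypt, Argon2). A plain hash keeps this example focused on the four stages.
func digest(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// AddAccount refuses duplicate names: accountability needs unique subjects.
func (v *Vault) AddAccount(name, password string) error {
	if _, exists := v.accounts[name]; exists {
		return errors.New("user name must be unique")
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	v.accounts[name] = &Account{Salt: salt, Digest: digest(salt, password)}
	return nil
}

// AddEntry stores an entry together with its per-entry ACL.
func (v *Vault) AddEntry(name, password string, acl map[string]map[Right]bool) {
	v.entries[name] = &Entry{Password: password, ACL: acl}
}

// Login does identification (look up the claimed name) and authentication
// (constant-time comparison with the stored digest). An unknown user and a
// wrong password give the same error so valid names are not confirmed.
func (v *Vault) Login(name, password string) (string, error) {
	acct, ok := v.accounts[name]
	if !ok || subtle.ConstantTimeCompare(digest(acct.Salt, password), acct.Digest) != 1 {
		return "", errors.New("authentication failed")
	}
	return name, nil
}

// Access does authorization against the entry's ACL and appends an audit
// record whether or not the action was allowed.
func (v *Vault) Access(subject, entry string, action Right) (string, error) {
	e, ok := v.entries[entry]
	allowed := ok && e.ACL[subject][action]
	v.Audit = append(v.Audit, AuditRecord{time.Now(), subject, action, entry, allowed})
	if !allowed {
		return "", fmt.Errorf("%s: %s on %q denied", subject, action, entry)
	}
	if action == RightRead {
		return e.Password, nil
	}
	return "", nil
}

func main() {
	v := NewVault()
	_ = v.AddAccount("alice", "correct horse battery staple")
	v.AddEntry("db-prod", "s3cr3t", map[string]map[Right]bool{"alice": {RightRead: true}, "bob": {RightRead: true}})
	subject, err := v.Login("alice", "correct horse battery staple")
	fmt.Println("login:", subject, err)
	fmt.Println(v.Access(subject, "db-prod", RightWrite)) // denied: alice may only read
	fmt.Printf("audit: %+v\n", v.Audit)
}
```

Note what the audit trail records: a denied attempt appears alongside permitted ones, because accountability requires logging attempts, not only successes. The constant-time comparison in Login avoids leaking how many bytes of the digest matched, and the ACL lives with the entry, exactly as the "column of the access control matrix" description in section 5.1 puts it.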

2.4 Motivation for Deploying Password Management Software

Passwords are confidential information protecting sensitive data, information systems and networks, and they are therefore exposed to both external and internal threats. A large number of different passwords is used every day by employees and system administrators. This thesis deals exclusively with the use of a PM by enterprise system administrators, for a simple reason: employees undoubtedly use many passwords in their everyday work, but administrators need to keep incomparably more of them to access and manage various service accounts. Such passwords have to be well organized and quickly accessible, and deploying a PM serves exactly that purpose. Unfortunately, it is precisely these privileged administrator accounts that are targeted by attacks. According to the 2014 Data Breach Investigations Report [5], during 2013 insider misuse accounted for 8% of all breaches and 18% of all incidents, which makes it the 5th most frequent cause of breaches and the 3rd most frequent cause of incidents out of 10 groups in total, as seen in figure 2.4.1 below.

Figure 2.4.1: Frequency of incident classification patterns [5]. The first graph represents 2013 breaches, the second one 2013 incidents.

As further statistics show, 88% of all insider misuse is privilege abuse, as seen in figure 2.4.2. This high number is commented on in the report as follows: “Not unexpectedly, privilege abuse – taking advantage of the system access privileges granted by an employer and using them to commit nefarious acts – tops the list. We realize that encompasses a very broad range of activities, but the overall theme and lesson differ little: most insider misuse occurs within the boundaries of trust necessary to perform normal duties. That’s what makes it so difficult to prevent.” These statistics and quotes indicate that, in general, the level of password management within companies is insufficient and that privileged accounts should be protected better than they are at present.

Figure 2.4.2: Top 10 threat action varieties within Insider Misuse [5].

A PM can also help to guarantee the continuity of stored passwords. It is typical of employment that people leave from time to time and new employees come to replace them. In such cases passwords can become a serious problem: those used by the departing employee have to be changed completely in order to keep internal data safe. An auditable password store makes it easy to find out which passwords need changing, and ideally the stored passwords can be rotated automatically. Such PM functionality improves the security of the organization and its customers as well.

2.5 Pros and Cons of Password Management Software

As everything has its arguments for and against, so does a PM. Before proceeding to the complications such software can bring, I would like to present its advantages. Among the most significant is the need to remember and protect just one master password to gain access to the PM; the other passwords are stored in a database, typically in encrypted form, and handled by the software itself. Administrators appreciate having one centralized repository where passwords for service accounts are securely stored and operations on them are restricted by predefined security policies. Cloud-based PMs are accessible from various devices and thus enable administrators to react swiftly, e.g. in an emergency. Administrators may also welcome various additional features which help them manage service accounts, e.g. auditing and reports, remote login and password reset, automatic login to target systems and applications, or disaster recovery. PMs may also have weaknesses which make them less trustworthy, and it is always recommended to search for potential vulnerabilities in these systems, research the companies behind the products and consider evaluations by security experts rather than simply trusting the vendors. A fundamental disadvantage is that a company using a PM relies on a third party: once the provider's security is compromised, the data of its clients is at risk as well. It is therefore important to know how these systems store the data, because all the passwords are in one place, protected only by the master password, which therefore has to be especially well protected, strong and changed regularly. The master password itself can be a disadvantage: typically it cannot be recovered, and its compromise can lead to leakage of all stored data, which could be destructive for the organization using the PM. Another challenging area is backing up the stored data. In general, managing the PM's backups requires at least the same level of security as managing the original data itself.

3 Security

This chapter outlines the security aspects of cloud computing in general in order to identify the questions that need to be addressed when considering a cloud-based application deployment. Further, the main differences between cloud-based and on-premises software are listed, together with the advantages of each approach and its security-related problems. It is not possible to prove that one approach is better than the other; in both cases there are several arguments for and against. The point is that before preferring one over the other it is necessary to take into account the various factors that differ between the two conceptions, e.g. IT infrastructure, initial software and support investment, or implementation time. In any case, the service, whether outsourced or running on-premises, has to meet the purchaser's security standards. Once the facts have been weighed, it can be decided which approach suits the specific needs of the purchasing company better.

3.1 Cloud Computing and Information Security

Cloud computing is a topical issue. The following definition is taken from the Communications of the ACM (Association for Computing Machinery) magazine [6]: “Cloud computing refers to both the applications delivered as services over the Internet and the hardware and systems software in the data centres that provide those services. (…) The data centre hardware and software is what we will call a cloud.” There are many different ways to describe cloud computing. Bruce Schneier put it in other words [7]: “Also called software as a service (SaaS), cloud computing is when you run software over the internet and access it via a browser. (…) Computing has become more of a utility; users are more concerned with results than technical details, so the tech fades into the background.” Cloud computing brought many new aspects to the field of information technology. Some of them are outlined in the ACM magazine [6], e.g. seemingly infinite computing resources available on demand. This is an advantage because cloud computing users do not need to plan far ahead for provisioning: companies can increase hardware resources only when their needs increase, which gives them more flexibility. In addition, the outsourcing companies employ their own specialists in the matter, and it can be advantageous for a company to make use of those outsourced specialists rather than to employ its own. Last but not least, cloud computing enables users to pay for computing resources on a short-term basis, again according to their needs; as an example I can mention processors paid for by the hour and storage by the day. This can lead to noticeable infrastructure and power savings for the deploying company. On the other hand, there is the security issue. As Schneier expressed it [7], IT security is mainly about trust. He claims that there is no other way than to trust hardware and software vendors, CPU manufacturers and Internet service providers: “Any one of these can undermine your security: crash your systems, corrupt data, allow an attacker to get access to systems.” Cloud computing is no exception. It moves the trust boundary one step further, because now there is also a need to trust the service provider. Once a company wants to use a service offered by another, outsourced company, it has to hand over its own data. Whether the service is free of charge or paid, there is a strong need to trust the provider, while the purchaser must be aware that full control over the data and processes is lost. It is apparent that the future of computing lies in outsourcing, so it is worth stressing that it is not just about the security of the outsourcer; reliability, availability and continuity matter as well. According to Schneier it is even worse, because “data stored online has less privacy protection both in practice and under the law”. While stored secrets are moving towards the cloud, it seems that strong passwords protecting them are the only thing left to rely on.

3.2 Cloud-based Password Management Software

As cloud-based PMs are examples of outsourced services, they bring the companies that deploy them the same advantages and security problems as those described in the previous section. As PM providers have their own experts, it can be more cost-effective to make use of them than to hire new ones. The providers have their own computing resources as well as their own terms of payment; examples of licensing are a fixed number of managed systems per year or a specific number of administrator seats per year, with support fees either included or charged separately. From the security point of view, reliability must be a fundamental property of such services, as they manage privileged information stored in the cloud. It is essential that the provider supplies a transparent system with clear documentation, proves its dependability and offers adequate support. The goal is to gain a complete overview of each PM's security features in order to understand how it works and where a potential problem might occur. For instance, privileged data is stored on the provider's servers, so the storage conditions must comply with the security standards of the purchasing company. Such services are accessed through a web browser, so the connection must be encrypted: all data must be sent over the Internet via HTTPS. For further reference on HTTPS it is recommended to follow the Request for Comments document on HTTP over TLS [8]. As with any cloud-based service there are risks, and maximum effort should be made to avoid them. Some are described by Schneier [7] and helpful recommendations are available on the Cloud Computing Channel of the InfoWorld web page [9]. One risk is the provider's bankruptcy, which could lead to complete data loss, unacceptable for stored passwords. It is therefore recommended to run a health check before signing on with a PM provider: check its revenue, profitability, number of customers and their feedback. It also pays off to back up the data stored in the cloud, as the only way to reach it is through the vendor's own APIs (more about APIs is given in section 5.2). PM providers should therefore offer a backup of the stored information, obviously in encrypted form. Another potential risk is that the provider is sold to another company; data loss or an unwanted transfer should be ruled out in advance in the terms and conditions of the service. The same applies to e.g. a sudden rapid increase in pricing or blocking of the data. The worst case of all is that the provider suffers some kind of attack, internal or external. The resulting loss or breach of the purchasing company's data could be devastating. There is no general advice on that other than checking the provider's reliability. As the Cloud Computing Channel puts it, “The best bet is to keep an eye on your vendor’s balance sheet and to keep your local backups current”.

3.3 On-premises Password Management Software

On-premises software is also known as shrink-wrap software. The following definition is taken from the Techopedia.com dictionary [10]: “On-premises software is a type of software delivery model that is installed and operated from a customer’s in-house server and computing infrastructure. It utilizes an organization’s native computing resources and requires only a licensed or purchased copy of software from an independent software vendor.” It can be considered the opposite of the cloud-based software described above. This model transfers the overall responsibility to the customer, including security, availability and management of the software. It requires in-house server hardware and IT support, investment in licences (open source software has licences too, but they are not charged for) and perhaps a longer integration period, because the skill set necessary for managing such software must first be acquired. It may therefore demand a larger investment and a longer deployment time than cloud-based services. Nevertheless it can pay off, because the purchasing company does not have to rely on the vendor from the security point of view. This brings several advantages: purchasers have full control over the system's data and processes, and privileged information is stored internally, which avoids the potential problems described in connection with cloud-based software. On the other hand, it is necessary to obtain information about all the features of an on-premises PM. For instance, such software could send routine usage statistics back to the provider; it must be known exactly which data is transmitted, how it is stored and how this feature can be disabled. There is also a general difference between cloud and on-premises data stores: a PM running on internal infrastructure is accessible without an Internet connection, whereas a cloud-based one is not. This is an advantage in case of connection loss.

4 Optimal Features

There is a wide range of software designed to store and protect shared privileged information on the market. As with any other software, it can be difficult to choose the most appropriate one. Therefore, before making any choice, it is reasonable to consider the functionality an optimal password manager should offer. As described in the following chapter, there is a long list of features a PM can have. Some of them are fundamental, whereas others are additional or less important from the overall functionality point of view. Nevertheless, the additional ones can also make an administrator's work considerably easier. A particular PM can therefore be regarded as optimal if it offers both the essential and the optional features listed in the next chapter.

5 Enterprise-Requested Features

The first necessary task of the practical part of this project was to create a list of requirements which the PM should fulfil. In order to propose software that would exactly meet the requirements of an enterprise it was necessary to consult them with the IT and Security departments, in this case those of NetSuite Inc. The requirements were divided into two groups according to their importance, essential and optional. This chapter lists the requirements belonging to each group, together with their definitions and explanations of their importance within an enterprise.

5.1 Essential Requirements

The system had to meet certain criteria in order to be eligible for further testing. The criteria were given by the following list of features which were initially consulted with IT and Security specialists of NetSuite Inc.

1. ACL (Access Control List) management for each entry. The following description of ACL is taken from Matt Bishop’s publication dealing with computer security [11]. “An obvious variant of the access control matrix is to store each column with the object it represents. Thus, each object has associated with it a set of pairs, with each pair containing a subject and a set of rights. The named subject can access the associated object using any of those rights.”

2. AD (Active Directory) integration. As described in the publication Active Directory [12]: “Active Directory (AD) is Microsoft’s network operating system (NOS). (…) Active Directory enables administrators to manage enterprise-wide information efficiently from a central repository that can be globally distributed.” The structure of the stored information can be matched directly to the organizational structure of a company. In order to benefit fully from the functionality of a PM, it is essential to integrate it with the AD that is already in use. Specifically, existing users, groups and their authorization rights can be reused by the PM. It would also be valuable to be able to tie the PM's password policy to the passwords stored in AD.

3. Audit. In order to analyze clearly which actions took place within a system and who performed them [11], auditing should be required as one of its core functions. Specifically, in the case of a PM it is important that password retrieval and entry manipulation are auditable, so that it is easy to detect who operated within the system and when. For further reference the book Audit informačního systému (Information System Audit) [13] is recommended.

4. Categories. In order to keep the stored information clearly arranged it is useful to require functionality for sorting it into categories, e.g. tags, fields or panes containing a description or metadata.

5. Search. This feature is closely connected with the previous one. Once the stored information can be sorted, it is easy to search within it as well, which contributes a lot to maintaining a good overview of the stored information and keeping it well organized.

6. Toggle show of passwords. Within a PM, passwords should be hidden by default or replaced by special characters – e.g. stars. Such a feature would help to increase the security of passwords by preventing unauthorized users from spotting them by chance.

7. Strong encryption. It is necessary for a password store to be well encrypted. The consultation with a Security department representative of NetSuite led to an agreement that it would be beneficial to require AES-256 level encryption of the password storage (see footnote 1). AES (Advanced Encryption Standard) [3] is a symmetric-key block cipher algorithm which acts on 128-bit blocks. This algorithm, also known as Rijndael, can use a cipher key of 128, 192 or 256 bits in length. As mentioned in the book Security Engineering: a Guide to Building Dependable Distributed Systems, “Although there is no proof of security – whether in the sense of pseudorandomness, or in the weaker sense of an absence of shortcut attacks – there is now a high level of confidence that Rijndael is secure for all practical purposes.”

Footnote 1: An answer to the question “Why most people use 256 bit encryption instead of 128 bit?” was given by Thomas Pornin, a cryptographer [14]: “256-bit key cracking through exhaustive search is totally out of reach of Mankind. And it takes quite a lot of wishful thinking to even envision a 128-bit key cracking. (…) To sum up: even if you use all the dollars in the World (including the dollars which do not exist, such as accumulated debts) and fry the whole planet in the process, you can barely do 1/1000th of an exhaustive key search on 128-bit keys. So this will not happen. And a 256-bit key search is about 340 billions of billions of billions of billions times harder than a 128-bit key search, so don’t even think about it.”

8. SSL (Secure Sockets Layer) protocol on the interface. This protocol works at the transport layer and protects web-based traffic [4]. It is designed to provide privacy over the Internet between two entities which communicate with each other – the client and the server [15]. It is considered to be the most widely used protocol [3]. “SSL was developed to support encryption and authentication in both directions, so that both http requests and responses could be protected against both eavesdropping and manipulation.” This feature could ensure privacy.

9. Database lockdown. The data store must not be accessible without a strong password, and particular access restrictions have to be applied. No remote connection should be allowed. These rules would prevent a potential data leakage.

10. Master password. This is one of the common features of enterprise PM software. It could be described as a string of characters used in order to authenticate a user to some service. It is essential to maintain its confidentiality, since the master password’s role is to enable access to the rest of the PM’s functionality and to protect the other data stored within the application. Its role is to encrypt the database as well. It is usual that there is no way to recover a lost master password.

11. Auto logout. In terms of a web-based application, there should be an automatic logout function which would prevent unauthorized users from reaching the sensitive information stored.

12. RBAC (Role Based Access Control) support. As described in Anderson’s publication [3], this policy model provides a general framework for mandatory access control. Access decisions depend on the functions which are currently performed by users within a company. “Transactions that may be performed by holders of a given role are specified, then mechanisms for granting membership of a role (including delegation). (…) It can deal with integrity issues as well as confidentiality, by allowing role membership (and thus access rights) to be revised when certain programs are invoked.” It is expected that enterprise PM software should support this model. The possibility to set access rights according to the various roles of employees within a company, in order to mirror its structure, is essential.

13. Password sharing and expiration. When logging in to a 3rd party site, the password sharing feature allows users to share one password in encrypted form, i.e. without any need to expose it. The password expiration feature provides assurance that passwords generated within a PM are up to date.

14. Break-glass administrator account. Break-glass is an additional feature of an access control model which makes the model more flexible in case of emergency or disaster and helps to prevent system stagnation, as it enables an administrator to access the system. Such an account could work as a backdoor to keep the system working in case of acute problems.

15. One-Time passwords (OTP). As introduced in the CISSP publication [4], OTP has a synonym – dynamic password – because it can be used for authentication purposes only once; afterwards it is no longer valid. “This type of authentication mechanism is used in environments that require a higher level of security than static passwords provide.” An enterprise company is definitely such an environment. The following further description has been taken from the security-related web page TechTarget.com [16]. An OTP is an automatically generated numeric or alphanumeric string of characters. “OTPs may replace authentication login information or may be used in addition to it, to add another layer of security.” This is exactly the functionality required by the involved parties.
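As an added illustration (not code from the thesis or from any product surveyed) of how the ACL, RBAC, audit and break-glass requirements above fit together: each vault entry carries the column of Bishop’s access control matrix as (subject, rights) pairs, users inherit the rights of the roles they hold, every retrieval is written to an audit trail, and the break-glass role bypasses the ACL but never bypasses the log. The class and role names are hypothetical.

```python
"""Hypothetical vault model: per-entry ACL + RBAC + audit trail + break-glass."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Rights a subject may hold on a vault entry.
READ, WRITE, SHARE = "read", "write", "share"

# Hypothetical role name for the emergency (break-glass) administrator.
BREAK_GLASS_ROLE = "break-glass-admin"


@dataclass
class Entry:
    name: str
    secret: str
    # The ACL is the column of the access control matrix for this object:
    # {subject: set(rights)}, where a subject is a user name or a role name.
    acl: dict = field(default_factory=dict)


class Vault:
    def __init__(self):
        self.entries = {}   # entry name -> Entry
        self.roles = {}     # role name -> set of user names (RBAC membership)
        self.audit = []     # (timestamp, user, action, entry name, outcome)

    def add_entry(self, name, secret, acl):
        self.entries[name] = Entry(name, secret, dict(acl))

    def grant_role(self, user, role):
        self.roles.setdefault(role, set()).add(user)

    def subjects_for(self, user):
        """A user acts as himself and as every role he currently holds."""
        return {user} | {r for r, members in self.roles.items() if user in members}

    def rights_of(self, user, entry):
        """Union of the rights granted to the user and to each of his roles."""
        rights = set()
        for subject in self.subjects_for(user):
            rights |= entry.acl.get(subject, set())
        return rights

    def _log(self, user, action, entry_name, outcome):
        self.audit.append((datetime.now(timezone.utc), user, action, entry_name, outcome))

    def retrieve(self, user, entry_name, break_glass=False):
        """Return the secret if the ACL (or an emergency break-glass request
        by a member of the break-glass role) allows it; log either way."""
        entry = self.entries[entry_name]
        allowed = READ in self.rights_of(user, entry)
        action = "retrieve"
        if break_glass and user in self.roles.get(BREAK_GLASS_ROLE, set()):
            allowed = True          # emergency access: permitted, but always audited
            action = "retrieve(break-glass)"
        self._log(user, action, entry_name, "allowed" if allowed else "denied")
        if not allowed:
            raise PermissionError(f"{user} may not read {entry_name}")
        return entry.secret

    def audit_report(self, user=None):
        """Audit rows, optionally filtered to one user (the 'Reports' feature)."""
        return [row for row in self.audit if user is None or row[1] == user]


if __name__ == "__main__":
    # Constructed sample data.
    v = Vault()
    v.add_entry("db-prod", "s3cr3t", acl={"dba": {READ, WRITE}, "alice": {READ}})
    v.grant_role("bob", "dba")
    v.grant_role("eve", BREAK_GLASS_ROLE)
    v.retrieve("bob", "db-prod")                      # allowed through the dba role
    v.retrieve("eve", "db-prod", break_glass=True)    # allowed, logged as break-glass
    for row in v.audit_report():
        print(row)
```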

5.2 Optional Requirements

The following features were not compulsory for PMs available on the market. On the other hand, meeting them was considered by involved parties as advantageous.

1. Reports. This requirement is connected with Audit. Once a system has an auditing feature incorporated, it is favourable to have also an opportunity to report results of the audit – e.g. password retrieval. Reporting would help administrators to retain access and operations overview.

2. Password search, history and age. This set of secondary features would help to organize passwords stored within a PM and enable an administrator to search within it quickly. It would also be beneficial to have a password age indicator which would inform a user that it is already necessary to change his passwords. Another option could be to set the software so that it would automatically demand that a user change stored passwords. The advantages of these features would be a clear arrangement of passwords and the ability to search through both current and historical passwords. The last named attribute in particular could be considered one of the most important from the security point of view. As Matt Bishop [11] points out: “Guessing of passwords requires that access to the complement, the complementation functions, and the authentication functions be obtained. If none of these have changed by the time the password is guessed, then the attacker can use the password to access the system.”

3. API (Application Programming Interface) integration. API [17] is a set of standards and instructions or methods. Using these methods a programmer can access a web-based software application or a web tool – or simply to manage software applications. API integration could be helpful for PM maintenance.

4. Password policy. As is mentioned on the web page of the SANS Institute [18], “a policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area.” Such a definition could be used as well for explaining the term password policy. It is a document or a statement containing a set of rules assembled for the purpose of enhancing computer security within a company. Such rules are designed to encourage users to employ strong passwords and to use them in a proper way. By following a particular password policy, a high level of information security is expected to be reached and system vulnerability prevented. It would be considered advantageous to have the chance to set up and enforce multiple password policies within the PM software, as this would support the flexibility of the system.

5. Password generator and strength meter. Obviously, PMs have a master password feature integrated as a common functionality (section 5.1). A PM administrator has to create this password himself, but on the other hand there is no need to deal with all the other passwords stored within the database. For that purpose it would be very useful to have a password generator integrated together with a strength meter. The characteristics of the generator should be customizable by an administrator.

6. Block Sync and No Sync attribute. In case synchronization of data stored within the PM is allowed, it is important to be assured that this feature can be blocked for those users that do not have access to such data. Selected passwords should also be marked as non-exportable, i.e. one-time passwords (section 5.1). These features would contribute to the protection of confidential information within the system, and passwords definitely belong among the most confidential items.

7. Database backup and synchronization. There should be a possibility to have the database containing stored data backed up. In case of distributed storage of information, the database should have a synchronization feature integrated. This would be effective because stored data would always be up-to-date and saved for a possible emergency case.

8. Two-factor authentication (TFA, T-FA or 2FA). A definition is given in a book which deals with the issue of securing ASP.NET Web API applications [19]. The author describes that in general, “(...) there are three types of credentials through which a user can be authenticated: knowledge factor (what a user knows), ownership factor (what a user owns), and inherence factor (what a user is). When you have an authentication mechanism that leverages a combination of two of these factors, it is called two-factor authentication (...)”. The reason for requiring TFA is apparently the security of authentication. The web page TechTarget.com (section 5.1) claims that despite the fact that there is a large number of vulnerabilities nowadays present in many TFA implementations, it is always better to use it when offered than not at all [20].

9. Email notifications. PM could be set up so that it would send emails to an administrator in case something within the information store changed. It could be e.g. a change of passwords, settings or access rights. This feature would contribute to keeping general knowledge of actions taken within the PM and to enabling flexible reactions to such changes if needed.

10. SIEM (Security Information and Event Management) systems integration. Shon Harris [4] mentions that these are nowadays very frequently implemented systems by various organizations. “These products gather logs from various devices (servers, firewalls, routers, etc.) and attempt to correlate the log data and provide analysis capabilities.” He also points out that it is both mind-numbing and close to impossible to succeed in reviewing logs manually while looking for suspicious activity. “So many packets and network communication data sets are passing along a network; humans cannot collect all the data in real or near to real time, analyse them, identify current attacks and react – it is just too overwhelming.”

Another problem related to logs is that there are many different types of systems on a network, and each one collects logs in a different proprietary format. Therefore a sort of centralization and standardization is needed. SIEM technology could solve this problem easily. According to Gartner [21], it provides:

• Security information management (SIM) – log management and compliance reporting, analysis of log data
• Security event management (SEM) – real-time monitoring, incident management for security-related events from networks, security devices, systems, and applications

The main reasons to require SIEM systems integration within an enterprise company are to improve threat management as well as incident response capabilities. There is altogether a larger number of advantages in using SIEM, such as user activity monitoring, application activity and data access monitoring or anomaly detection. All these features would be beneficial to have deployed within a large company. The reason is security again. Having a good overview of what happens within the system thanks to logs, reporting and detailed analysis, together with monitoring as a part of SEM, would help in defending a company against external (or internal) threats.
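As an added illustration (not code from the thesis or from any product surveyed) of the password policy, generator, strength meter and password age features described in items 2, 4 and 5 above: a configurable policy is checked against a candidate password, the generator is driven by the same policy so that its output always complies, the strength meter estimates entropy in bits from the character classes used, and the age check reports when a stored password is expiring or expired. The PasswordPolicy structure and its field names are hypothetical.

```python
"""Hypothetical password policy, policy-driven generator, strength meter and age check."""
import math
import secrets
import string
from dataclasses import dataclass
from datetime import date

# Character classes the policy can require; the symbol set is a constructed sample.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    max_age_days: int = 90      # password expiration
    warn_days: int = 14         # "expiring soon" window before expiration


def required_classes(policy):
    return [name for name in CLASSES if getattr(policy, f"require_{name}")]


def violations(password, policy):
    """List of policy rules the password breaks (empty list means compliant)."""
    found = []
    if len(password) < policy.min_length:
        found.append(f"shorter than {policy.min_length}")
    for name in required_classes(policy):
        if not any(c in CLASSES[name] for c in password):
            found.append(f"missing {name} character")
    return found


def generate(policy, length=None):
    """Generate a password that satisfies the policy, using the OS CSPRNG."""
    length = length or max(policy.min_length, 16)
    required = required_classes(policy)
    if length < len(required):
        raise ValueError("length too short to contain every required class")
    alphabet = "".join(CLASSES[n] for n in required) or string.ascii_letters + string.digits
    # One character from each required class guarantees compliance, the rest
    # is drawn from the full alphabet; shuffle so class positions are not fixed.
    chars = [secrets.choice(CLASSES[n]) for n in required]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def entropy_bits(password):
    """Naive strength estimate: length * log2(size of the character pool used)."""
    pool = sum(len(chars) for name, chars in CLASSES.items()
               if any(c in chars for c in password))
    if any(all(c not in chars for chars in CLASSES.values()) for c in password):
        pool += 32  # unknown characters (e.g. non-ASCII) count as a small extra pool
    return len(password) * math.log2(pool) if pool else 0.0


def strength(password):
    bits = entropy_bits(password)
    if bits < 40:
        return "weak"
    if bits < 70:
        return "fair"
    return "strong"


def age_status(last_changed, policy, today=None):
    """'ok', 'expiring' (inside the warning window) or 'expired'."""
    today = today or date.today()
    age = (today - last_changed).days
    if age > policy.max_age_days:
        return "expired"
    if age > policy.max_age_days - policy.warn_days:
        return "expiring"
    return "ok"


if __name__ == "__main__":
    policy = PasswordPolicy()
    pw = generate(policy)
    print(pw, violations(pw, policy), strength(pw))
    print(violations("password", policy))
    print(age_status(date(2014, 1, 1), policy, today=date(2014, 4, 15)))
```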

6 Survey of Enterprise Password Management Software on the Market

The first necessary task of the practical part of the project was to create a list of requirements which the PM should fulfil. In order to propose software that would exactly meet the requirements of an enterprise company, it was necessary to consult them with the IT and Security departments, in this case those of NetSuite Inc. The requirements were divided into two groups according to their importance – essential and optional. Chapter 5 lists the requirements belonging to each of the groups together with their definitions and explanations of their importance within an enterprise. The next stage of this project was dedicated to searching for various PMs across the market and accumulating the available information about each of them. Individual PMs are based on almost comparable core features, but differ in additional features, licensing and purchase conditions. After the market research, the set of offered features was compared to the already given list of requirements (chapter 5), and those managers which met the requirements were recommended for the Proof of Concept (chapter 7). Initially, PMs are again divided – as in chapter 3 – into two main groups according to their deployment. The first group contains the outsourced ones – cloud-based PMs, and those running on-premises fall into the second group. An important part of this chapter are the two tables included at the end of section 6.3. The tables contain all the PMs taken into account together with the list of requested features. They show how each of the PMs fulfils the essential and the optional features. Cells that are left empty mean that it was not possible to extract information about the particular feature from the PM’s web page or from its documentation (if available).

6.1 Cloud-based Software

The two following managers are outsourced cloud-based services. They are both commercial software.

1. Last Pass Enterprise – LastPass Corporate [22]. This PM claims to combine robust password vaulting with cloud single sign-on capabilities. It comes with a separate management console. Part of it is also a Web client where an administrator can view the contents of the vault. As one of the exceptional PMs, LastPass can run on both Windows and Mac OS on the host side.

2. Passpack – Passpack Inc. [23]. The authors of this PM claim that collaboration is its core function. Therefore it is designed so that it can be used either by single users or by larger IT departments. In the second case, Passpack would serve as a shared central password repository available for both small and large companies. This is one example of software which is flexible thanks to its cloud basis. Passpack works with the latest versions of Google Chrome, Opera, Firefox, Safari and Internet Explorer 7+. Pricing is set as follows: a regular monthly fee together with another five conditions, which are the number of stored passwords, the number of shared users, groups, note size and disposable logins.

6.2 On-premises Software

All of the following PMs are commercial products excluding one of them – WebPasswordSafe – which is open-source software.

1. Secret Server – Thycotic Inc. [24]. Secret Server is a web-based PM available in two editions – Enterprise and Enterprise Plus, the latter offering additional features. Its design is based on a web application built as an ASP.NET website (footnote 1) and an integration with Microsoft SQL Server (footnote 2), which works as the database back end. This PM has noticeably extensive functionality and licensing is set per named user with support included.

Footnote 1: ASP.NET is a free web framework that is used for building web sites, services and applications [25].
Footnote 2: MS SQL Server [26] is a database system running on Structured Query Language [27].

2. PowerBroker Password Safe – BeyondTrust Inc. [28]. The provider introduces this PM as an automated password and session manager which offers access control and auditing for privileged accounts and local administrative accounts. One of its key features is also complete support for operating systems, accounts, applications and devices, plus a custom connector builder for all systems that support Telnet or SSH connections.

3. Password Manager Pro – ManageEngine (Zoho Corporation Pvt. Ltd.) [29]. Password Manager Pro is a centralized password vault offered in a compact web-based package. In contrast to other PM systems, this one can run on both Windows and Linux on the host side. In addition, it is also available as a free edition which allows one administrator to manage up to 10 resources with unlimited validity. Licensing of the other registered versions is based on the number of administrators and the type of edition. One of the options is the Standard Edition, the other is the Premium Edition, which offers extra features such as remote password synchronization or reports.

4. Enterprise Password Vault (EPV) – Cyber-Ark Software, Ltd. [30]. EPV is a part of Cyber-Ark’s Privileged Account Security Solution [31]. The provider claims it helps to secure, manage and track the usage of privileged credentials both ways – on-premise and in the cloud. The product is built on the Cyber-Ark Shared Technology Platform [32], which “allows customers to deploy a single infrastructure and expand the solution to meet expanding business requirements”. Cyber-Ark has a different approach than other companies: every request for either more information or purchase options must be made via their partners. There is a contact list of those partners on the company’s web page.

5. Enterprise Random Password Manager (ERPM) – Lieberman Software Corp. [33]. Lieberman Software’s main idea is to strengthen privileged accounts and shared administrative access to local servers – both Windows and Linux. In addition to Windows and Linux service accounts, ERPM can handle passwords of various other service accounts, e.g. IIS accounts (footnote 1), SQL Server and Oracle database accounts (footnote 2) etc., on both physical and virtual servers. Lieberman Software does not insist on AES-256 level encryption, but offers AES-128 as well.

Footnote 1: IIS (Internet Information Services) for Windows Server is a Web server for hosting tasks on the Web [34].
Footnote 2: Oracle database is an object-relational database management system [35].

6. Passwordstate – Click Studios Ltd. [36]. Click Studios offer an internally hosted web-based PM which can be run fully functional for five users for free and with no time limit, which is not very common. In contrast to other PMs, this one can be fully integrated with Remote Desktop Manager (RDM) (footnote 1), which might be an advantage for those organizations that already have RDM in use.

7. WebPasswordSafe – open-source software by Josh Drummond [38], [39]. This is a web-based centralized password vault declared to be multi-platform (i.e. it does not require Windows and MSSQL Server). It provides basic functionality, but on the other hand it is possible for a user to code and run his own additional features if needed, as this is an open-source project. In contrast to other PMs, this one categorizes passwords according to free-form tags rather than according to a hierarchical structure. WebPasswordSafe’s prerequisites are slightly different from those of other PMs, as this one is open-source. These are Java SE 6+ (footnote 2), Maven 3.0+ (footnote 3), a Java Servlet Container (footnote 4) and a JDBC compatible database (footnote 5).

8. Enterprise Password Safe – Funky Android Ltd. [44]. This PM does not stand out, but has a basic level of functionality. It requires only a Java 6 or 7 supporting operating system and can use a wide range of database systems. The current version uses 1024 bit RSA and 128 bit AES encryption, which is considered to be sufficient from the security point of view. Nevertheless, there is one exception which makes this PM different from the others: there is an online demo version available on its web pages. It could be either downloaded and installed on-site or tried out on Funky Android’s shared demo server. Both versions are free of charge, but the first one is under one month trial license condition (with the license key available on the web page).

Footnote 1: RDM is an application used for centralization of remote connections, passwords and other credentials [37].
Footnote 2: Java Platform, Standard Edition [40] is a tool for developing and deploying Java applications on desktops, servers and in embedded environments.
Footnote 3: The Apache Maven [41] is a software project management and comprehension tool.
Footnote 4: The Java Servlet Container [42] is a part of a web server which interacts with a Java-based interface.
Footnote 5: The Java Database Connectivity API [43] “is the industry standard for database-independent connectivity between the Java programming language and a wide range of databases”.

6.3 Availability of Trial Versions

In order to perform the testing, a trial version of every PM has to be requested. The approaches of individual vendors differ slightly: most of the providers offer a trial version in various forms, but there are exceptions as well. Some of them have a trial package available for direct free download on their web page, whereas others (the majority) provide it after a request is sent via a form. In contrast to direct downloading, requesting a license can be somewhat lengthy, depending on the support service of the particular PM. Such trial licenses are obviously conditional. They are limited by many factors, e.g. time, number of users or administrators, or number of stored passwords. The time limit of particular PMs can possibly be extended. Unfortunately, not every provider is willing to grant a trial license for non-commercial purposes, as there is no prospect of future business. Some companies also choose a different way of providing a trial version – via a free of charge account with limited access. The following list describes the particular licensing conditions of all the PM providers mentioned above.

• Last Pass Enterprise – 2 weeks free trial accessible after creating a personal account, no other information on the website.
• Passpack – no free trial but a Free Account version. Subscribed for one year, 1 shared user, no groups and 100 stored passwords. 1280 note size available and 3 disposable logins.
• Secret Server – free trial license valid for 30 days, access available for 10 users. Full technical support is included, and the license can be extended if needed. It is necessary to create a personal account to which an assistant is assigned afterwards. The license is sent back almost immediately after being requested through the account; the communication with support is very swift with no problems.
• PowerBroker Password Safe – free trial version is available upon request. It is not specified for how long and for how many users or administrators the trial can be run. Nevertheless, in order to perform the installation, a customer has to be sent a USB flash drive with the virtual appliance from the provider.
• Password Manager Pro – evaluation download available directly from the website. The license is valid for 30 days and it can support 2 administrators. Free technical support is available if requested.
• Enterprise Password Vault (EPV) – Cyber-Ark’s software is not available for evaluation. As mentioned in section 6.2, this company delivers its software through partners. Those partners also provide technical support and allow representatives of potentially purchasing companies to be shown how the software works in their artificial environment. In the Czech Republic, there are two representatives of Cyber-Ark. These are the companies RAC [45] and S&T [46].
• Enterprise Random Password Manager (ERPM) – according to the information confirmed by ERPM’s support specialist, it is not possible to obtain a trial version for public download. For commercial evaluation it is necessary to complete a request form or contact support. Installation and configuration assistance is free for evaluators.
• Passwordstate – free fully functional version for five users with no time limit, available for download from the web page after registration.
• WebPasswordSafe – there is no trial version of this PM as it is open-source software.
• Enterprise Password Safe – a one month trial license is available on the web page for 100 users that can access stored passwords, with no limit on the number of stored passwords. In addition, a free demo of the PM is accessible from the web page [47].

Table 6.3.1: List of Essential Features. [Table cell values not recoverable from extraction. Columns: Last Pass Enterprise, Passpack, Secret Server, PowerBroker Password Safe, Password Manager Pro, Enterprise Password Vault, Enterprise Random Password Manager, Passwordstate, WebPasswordSafe, Enterprise Password Safe. Rows: ACL, AD integration, Audit, Categories, Search, Toggle Show of Passwords, Strong Encryption, SSL, Database Lockdown, Master Password, AutoLock, RBAC, Password Sharing, Password Expiration, Break the Glass, OTP.]

Table 6.3.2: List of Optional Features. [Table cell values not recoverable from extraction. Columns: Last Pass Enterprise, Passpack, Secret Server, PowerBroker Password Safe, Password Manager Pro, Enterprise Password Vault, Enterprise Random Password Manager, Passwordstate, WebPasswordSafe, Enterprise Password Safe. Rows: Reports, Password Search, Password History, Password Age, API, Password Policy, Password Generator, Password Strength meter, Block Sync, No Sync, Database Backup, Database Synchronization, TFA, Email Notifications, SIEM.]

6.4 Rejected Software for the Proof of Concept Purposes

There were two reasons for rejecting a PM for the proof of concept purposes. Rejected was the software which either did not have a trial version available or which did not meet the essential requirements from the list (see section 5.1). Some PMs had hardly any information about their functionality available on the providers’ web pages, and documentation was either not available or not sufficient, which caused them to be excluded from the testing. Communication was also one of the factors which differed a lot in particular cases. Some assistants cooperated without any problems and quickly arranged what was needed, whereas others did not respond to a single email for weeks, did not share information with other involved assistants, or had to be asked for help repeatedly.

6.4.1 Rejected Because of No Trial Version Availability

• PowerBroker Password Safe – there was a serious problem with communication through email with the regional sales manager. Despite the fact that he promised to assist with the evaluation request shortly, there was no answer for two weeks. Afterwards, a list of requested features was sent to the manager in order to consult whether all of them are met by this PM. Again there was no answer for another three weeks because of “some internal issues”. The communication as a whole was very lengthy and there was no time left for the actual evaluation. The main reason for that was the fact that the trial version of this PM is installed on a USB flash drive which they need to ship from the USA first. Unfortunately, this information only came, as news, after a few months of communication.

• Enterprise Password Vault – as it is not possible to easily download and evaluate this software, I contacted those two partners in order to find out if there is any other way to get to this PM. At first, I contacted a representative of RAC and received a reply that it is possible to have a trial version installed, but the process is very time-consuming and requires special technical support. The proof of concept done by the RAC assistants is free, but subject to future purchase, which is unacceptable. Otherwise, 24.000 Czech crowns (VAT not included) would be charged for one day of installation plus other expenses (the installation takes from 1 to 14 days).

I contacted the other partner, S&T. Their overall approach differed a lot from the previous company. They offered to install a one month free trial licence without any charge. Unfortunately, the original plan was not accomplished, because even the limited version of Cyber-Ark’s vault requires distinct computing resources which were not provided by NetSuite because of its security policy. For more information about this issue see the Appendix section.

6.4.2 Rejected Because of Not Meeting the Enterprise Requirements

• Passwordstate – the PM was rejected because, according to the information posted on its web pages, it does not fulfil some of the essential requirements. E.g. there is no information about ACL management, categorization of stored information, search ability within it, usage of the SSL protocol on the interface or an implemented Break the Glass feature. The named missing features are considered to be important, therefore this PM was not even tested.

• Last Pass Enterprise – this software (one of the two cloud-based PMs) did not pass for a similar reason as the previous one. There was no mention of ACL management, ways of auditing, categorization, searching or SSL on the web page of Last Pass. It is not even possible to find any note about its encryption as one of the core features; this information is hidden within other answers of the help centre. Neither is information about RBAC or OTP available.

• WebPasswordSafe – as another PM which does not meet some of the required features, this one was excluded as well. It does not have AD integration, RBAC, a password expiration feature or OTP. WebPasswordSafe has only the basic level of functionality which is expected from PM software.

• Passpack – this is the second cloud-based PM. There is a possibility to choose from five different types of accounts. However, those accounts differ only in the number of passwords permitted to be stored, the number of groups and shared users, the number of disposable logins and in note size. Personally, I would also expect additional functionality, but this PM offers only the basic features. Such elementary tools are e.g. password sharing, emailing, master password and encryption, TFA. On the other hand, ACL management or AD integration was not mentioned within Passpack’s features overview. All the above listed reasons led to excluding this PM from the testing.

• Enterprise Password Safe – this is another PM which offers only limited functionality, such as basic operations with passwords, setting up users and groups, an audit log, alerts and a certain encryption standard. AD integration and other essential functionality criteria are not met, therefore it belongs on the list of excluded software.

6.5 Software Selected for Testing

In the beginning, the aim was to select 4 to 6 PMs which would fit most of the requirements on the list. In the end three PMs were selected to be tested for the proof of concept. These three PMs have the highest level of functionality and support, and two of them offer a free trial license. They stand out among the others, and all of them also have sufficient and clearly organized documentation, which simplifies the work of a possible customer a lot. Rejected PMs were no longer taken into account.

• Password Manager Pro – in addition to the essential requirements, this PM offers a sufficient level of reporting, password history, search and password age features, an API, a well-configurable password policy, adjustable TFA (there are three kinds of TFA to choose from), configurable email notifications and SIEM integration. These are all valuable features which make this PM an interesting candidate.

• Secret Server – this PM fulfils all the essential requirements from the list and thus belongs among the leading candidates. It also has a wide range of additional features, such as advanced reports, a web services API, password history and a password generator, email notifications and SIEM integration. Its co-operative support is also one of its main advantages.

• Enterprise Random Password Manager – this PM was a special case. As it fulfils all the essential requirements, it was considered one of the most capable products. A license valid for 90 days and 100 users was received from the Lieberman Software company for NetSuite testing purposes. The software was installed on-premises, helpful support was provided during configuration, and all the features were explored. Unfortunately, this was the only PM tested on the premises of NetSuite; deployment of the other trial versions was denied for legal reasons.

There was no chance to test the other chosen software because of a legal issue which interrupted the process. Afterwards, when new testing was planned outside NetSuite, it was no longer possible to receive a trial license from the Lieberman Software company because they did not agree to non-commercial testing.

7 Proof of Concept

All three finally selected products belong to the category of on-premises software. Because of complications of a legal character which appeared during the testing, the software was tested on a personal laptop instead of on the premises of the NetSuite company. This chapter briefly describes the environment on which the software was run, its installation and configuration, and the main aspects in which the three PMs differ and which they have in common. After the installation and configuration phase, resource management and database backup were compared as their core functionality. The end of this chapter gives my personal recommendation on which software could be considered the most suitable for the purposes of a company.

7.1 Test Environment

In order to evaluate all software under the same conditions, one virtual environment was installed. Initially the goal was to create a test environment as close to the production environment as possible. After the complications with the legal department this had to be modified because some of the resources for testing were no longer available. The final test environment was made up of six virtual or physical machines (in the following text called hosts) with the following operating systems:

• MS Windows Server 2008 R2 Standard
• MS Windows Server 2012 R2 Standard
• MS Windows 7 Professional
• MS Windows 8.1
• CentOS 5.6
• VMware ESXi

The application part was represented by the following list:

• MS SQL Server 2012 Express Edition
• PostgreSQL DB
• MySQL DB (MariaDB)
• SSH

Originally the following operating systems and applications should also have been tested, but since the situation changed, these unfortunately could not be tested:

• Mac OS X
• Red Hat >5
• Xen Virtualization
• oVirt Virtualization
• Oracle DB
• Cisco network devices
• Juniper network device
• HP iLO

It was an advantage that all of the PMs had approximately comparable hardware and software requirements. The following three sections describe the installation of the PM software, its configuration, the import of hosts, software and service accounts, the management of password policies, the backup of the PM and finally a summary of pros and cons.

7.2 Password Manager Pro

7.2.1 Requirements, Installation and Configuration

The minimum requirements for installing Password Manager Pro (PMP) are 2 GB of RAM, 200 MB of disk space for the product and 10 GB for databases. Regarding both the operating system (OS) and the database (DB), PMP is very open and friendly: as an OS it is possible to use MS Windows from Windows 2000 Server to Windows Server 2012 R2 and from Windows XP to Windows 8. As a Linux distribution a user can select any flavor of Linux supported by PMP. For DBs, PostgreSQL is bundled within the installation file, but MS SQL and MySQL are also supported. For our test environment we used MS Windows Server 2012 R2 as the OS and MS SQL 2012 Express as the DB server. The installation of PMP was straightforward and the only remarkable task was the installation and configuration of an SSL certificate to secure the connection from PMP to the MS SQL database. Integration with AD for user management and authentication was also easy thanks to the feature “Import users from Active Directory” in the Admin section of PMP's web interface.

7.2.2 Resource and Password Management

Resource management is done through the Resource section. Resources can be added either one by one or in bulk using the import feature from a CSV file or from Active Directory. The following resource types are predefined: Windows, Windows Domain, Linux, Mac, Solaris, HP UNIX, IBM AIX, MS SQL Server, MySQL Server, Oracle DB Server, VMware ESXi, Sybase ASE, LDAP Server, HP ProCurve, HP iLO, Cisco IOS, Cisco CatOS, Cisco PIX, Juniper Netscreen, File Store, Key Store, License Store and Website Accounts, and it is possible to define more types. In my case I have created a template for PostgreSQL DB. I have also set up importing resources from Active Directory, so all Windows-based systems were imported after providing the necessary credentials and an initial scan. An interval of 15 minutes was defined to re-check for new systems created in Active Directory. For easier management we have created groups and subgroups of resources. These can be browsed through a group tree, which provides better visibility. Password management is done through a feature called “Scheduled Password Rotation”, which can be set up to recur once, daily, monthly or never (the last option serves to temporarily disable password rotation). If an immediate reset of all passwords is needed, after a security incident for example, the feature “Remote Password Reset” comes into play. Of course, a notification can be set up for all management tasks dealing with passwords.
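As an added illustration of the rotation semantics just described (a model written for this text, not Password Manager Pro's code), the following Python sketch schedules changes for once/daily/monthly/never accounts, treats "never" as the temporary disable, and forces every password to change on a "Remote Password Reset". The account names, dates and the notification sink are constructed.

```python
"""Scheduled password rotation with an incident-triggered reset.

Added model, not Password Manager Pro's own code: the recurrence options the
text lists for "Scheduled Password Rotation" (once, daily, monthly, never) and
the "Remote Password Reset" that changes every managed password at once.
"""
import calendar
import secrets
import string
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, List, Optional

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
POC_DAY = date(2014, 3, 31)       # constructed dates for the worked run
INCIDENT_DAY = date(2014, 4, 1)


def generate_password(length: int = 20) -> str:
    """Draw the new password from the CSPRNG (secrets), never from random."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def add_month(d: date) -> date:
    """Same day next month, clamped to that month's last day (Jan 31 -> Feb 28)."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return d.replace(year=year, month=month, day=min(d.day, last_day))


@dataclass
class ManagedAccount:
    resource: str                          # e.g. "host/account"
    recurrence: str                        # "once", "daily", "monthly" or "never"
    last_rotated: date
    scheduled_for: Optional[date] = None   # only meaningful for "once"
    password: str = field(default_factory=generate_password)
    history: List[str] = field(default_factory=list)   # previous values, newest first

    def next_due(self) -> Optional[date]:
        """Date of the next scheduled change; None means nothing is scheduled."""
        if self.recurrence == "never":     # the temporary-disable setting
            return None
        if self.recurrence == "once":
            return self.scheduled_for
        if self.recurrence == "daily":
            return self.last_rotated + timedelta(days=1)
        if self.recurrence == "monthly":
            return add_month(self.last_rotated)
        raise ValueError(f"unknown recurrence {self.recurrence!r}")

    def rotate(self, today: date) -> None:
        """Replace the password, keep history and refuse to reuse an old value."""
        new = generate_password()
        while new == self.password or new in self.history:
            new = generate_password()
        self.history.insert(0, self.password)
        self.password, self.last_rotated = new, today
        if self.recurrence == "once":      # a one-shot schedule is spent
            self.recurrence = "never"


def rotate_due(accounts: List[ManagedAccount], today: date,
               notify: Callable[[str], None]) -> List[str]:
    """Scheduled Password Rotation: change only the accounts whose due date has come."""
    rotated = []
    for acct in accounts:
        due = acct.next_due()
        if due is not None and due <= today:
            acct.rotate(today)
            notify(f"{today}: scheduled rotation of {acct.resource}")
            rotated.append(acct.resource)
    return rotated


def emergency_reset(accounts: List[ManagedAccount], today: date,
                    notify: Callable[[str], None]) -> List[str]:
    """Remote Password Reset: change every password now, whatever the schedule."""
    for acct in accounts:
        acct.rotate(today)
    notify(f"{today}: emergency reset of {len(accounts)} accounts")
    return [acct.resource for acct in accounts]


def sample_accounts() -> List[ManagedAccount]:
    """Constructed inventory standing in for imported resources."""
    return [
        ManagedAccount("dbsrv01/sa", "daily", date(2014, 3, 29)),
        ManagedAccount("adsrv01/svc_backup", "monthly", date(2014, 1, 31)),
        ManagedAccount("web01/deploy", "monthly", date(2014, 3, 15)),
        ManagedAccount("esxi01/root", "once", date(2014, 2, 1), scheduled_for=POC_DAY),
        ManagedAccount("legacy01/admin", "never", date(2013, 12, 1)),
    ]
```

On the constructed inventory, `rotate_due(sample_accounts(), POC_DAY, print)` changes dbsrv01/sa, adsrv01/svc_backup (31 January rolls to 28 February) and esxi01/root, leaves web01/deploy and legacy01/admin untouched, and a second run on the same day changes nothing.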

7.2.3 Backup of Database

Data stored in the database are of critical importance and there is a constant requirement to back up the data for reference purposes or for disaster recovery. A task can be scheduled to back up the database contents periodically. By default the backup is stored as a .zip file on the host where the SQL server is running. All sensitive data remain encrypted in that file. In the next step the database backup should be copied to an external storage or tape library to fulfil the basic backup principles.

7.3 Secret Server

7.3.1 Requirements, Installation and Configuration

The minimum requirements for Secret Server (SS) are a dual-core CPU, 2 GB of RAM, 1 GB of disk space for the database plus 10 MB per user per year, and 500 MB of disk space for the web application server. The following versions of Microsoft OS are supported: Windows Server 2008 (including R2), Windows Server 2012 (including R2), Windows Vista, Windows 7 and Windows 8 (including 8.1). For the database, Microsoft SQL Server 2005, 2008 (including R2) or 2012 (Express Edition or higher) come into account. Other requirements are IIS and .NET Framework 4.5.1 or 4.5.2. The installation process is slightly more complicated compared to PMP but not hard to achieve. Initially .NET Framework and IIS need to be installed. Once this is done, the database should be deployed and, as the last part, Secret Server itself. This last step is where the main difference lies, because it has two sub-steps: first the installation of the executable file and then finishing the installation with several tasks on the newly deployed website (checking permissions, creating a unique encryption key, specifying the DB information, creating a user with administrative access and importing the license). Setting up synchronization of users and authentication to Active Directory was again quite easy thanks to the well-documented user guide, but there were more possibilities to tweak the settings compared to PMP.

7.3.2 Resource and Password Management

SS uses a different approach when it comes to dealing with resource records. They are called Secrets and their security can be centrally managed through View/Edit settings for each individual Secret. Additionally, the folder structure allows Secrets to inherit permissions from a parent folder. All Secret field information is encrypted within the database, with a detailed audit trail for access and history. The folder structure mentioned earlier has functionality similar to the groups and subgroups of resources in PMP. Discovery of local or Active Directory accounts (Secrets) is also supported, but it brings an additional dimension: importing dependencies. Once the discovery is finished, the results page (Discovery Network View) displays the OUs and machines on the domain as well as any domain accounts found on those machines running Windows Services, IIS Application Pools or Scheduled Tasks. Password rotation is done through the “Remote Password Changing” feature, which again provides more granularity in its settings. Instead of change processes based on the type of resource (as in PMP), “Password Changing Types” are used. From the very start there are 30 “Password Changers” defined (HP iLO Account Custom (SSH), SQL Server Account, Unix Account (SSH), Windows Account, Windows Live Account...) and a user can add more as needed. Yet another valuable feature is the “Launcher”. The Launcher opens a connection to the remote computer or device, or logs into a website using the Secret's credentials, directly from the web page. This provides a convenient method of opening RDP and PuTTY connections without users being required to know the passwords: a user can still gain access to a needed machine but is not required to view or copy the password out of Secret Server.
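The following Python model is an added illustration, not Secret Server's code: a Secret inherits the ACL of its folder unless it sets its own, a folder inherits from its parent unless it overrides, and every access check lands in an audit trail. The users, folder names and the three permission levels (view, edit, owner) are assumptions made for the example.

```python
"""Folder-inherited permissions and an audit trail for Secrets.

Added model, not Secret Server's own code. A Secret takes the ACL of its folder
unless it carries its own, a folder takes its parent's ACL unless it overrides
it, and every access decision is recorded. All names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Permission levels, ordered so that a higher level implies the lower ones.
LEVELS = {"view": 1, "edit": 2, "owner": 3}
Acl = Dict[str, str]                # user -> level


@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    acl: Optional[Acl] = None       # None means "inherit from parent"

    def path(self) -> str:
        return self.name if self.parent is None else f"{self.parent.path()}/{self.name}"

    def effective_acl(self) -> Acl:
        """Walk upwards to the nearest folder that sets its own ACL."""
        node = self
        while node is not None:
            if node.acl is not None:
                return node.acl
            node = node.parent
        return {}                   # no ACL anywhere: fail closed, nobody has access


@dataclass
class Secret:
    name: str
    folder: Folder
    acl: Optional[Acl] = None       # None means "inherit from folder"
    fields: Dict[str, str] = field(default_factory=dict)   # e.g. username, password

    def effective_acl(self) -> Acl:
        return self.acl if self.acl is not None else self.folder.effective_acl()

    def path(self) -> str:
        return f"{self.folder.path()}/{self.name}"


@dataclass
class Vault:
    audit: List[str] = field(default_factory=list)

    def is_allowed(self, user: str, secret: Secret, action: str) -> bool:
        """Decide and record; unknown actions and unknown users are denied."""
        need = LEVELS.get(action)
        have = LEVELS.get(secret.effective_acl().get(user, ""))
        allowed = need is not None and have is not None and have >= need
        verdict = "ALLOW" if allowed else "DENY"
        self.audit.append(f"{user} {action} {secret.path()}: {verdict}")
        return allowed

    def who_can(self, secret: Secret, action: str) -> List[str]:
        """Users holding at least the level the action needs (not audited)."""
        need = LEVELS[action]
        return sorted(u for u, lvl in secret.effective_acl().items() if LEVELS[lvl] >= need)


def sample_vault() -> Tuple[Vault, Dict[str, Secret]]:
    """Constructed tree: Databases inherits, Network overrides, one Secret overrides."""
    infra = Folder("Infrastructure", acl={"alice": "owner", "bob": "view"})
    databases = Folder("Databases", parent=infra)                      # inherits
    network = Folder("Network", parent=infra, acl={"carol": "edit"})   # breaks inheritance
    items = {
        "dbsrv01 sa": Secret("dbsrv01 sa", databases, fields={"username": "sa"}),
        "core-router admin": Secret("core-router admin", network),
        "hr-db app": Secret("hr-db app", databases, acl={"dave": "view"}),   # own ACL
    }
    return Vault(), items
```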

7.3.3 Backup of Database

The backup feature and settings benefit from the native backup of MS SQL Server, so a user only needs to add basic information like paths, the number of stored backups and the schedule. This approach is similar to that of PMP.

7.4 Enterprise Random Password Manager

7.4.1 Requirements, Installation and Configuration

The software requirements for Enterprise Random Password Manager (ERPM) are the highest of the three candidates (Windows Server 2008 R2 x64, MS SQL 2005 or later or an Oracle 11g database) and the same goes for the hardware requirements: 2 GB of RAM for the ERPM application, at least 4 GB of hard drive space for local log files, Intel or AMD multi-core or multi-processor/multi-core processors, 4 GB of RAM for the program database, IIS 7 or above, .NET Framework version 3.5 with Service Pack 1 and .NET Framework version 4.0. The installation process of ERPM is without doubt by far the most complicated. Even though the documentation is precise and describes every step needed, it is expected that the person installing this password manager is well experienced with systems management. Beyond the installation of IIS 7 and MS SQL 2008 Standard, database connectors for Oracle, Sybase ASE, MySQL and DB2 are also required. Tweaking of remote COM+ and IIS access and the creation of specific service accounts is required as well. It is even required to have the service accounts created in Active Directory. The last part of the installation process is the installation of the password management console and a web application. Again, enabling AD authentication is well documented, so it is not hard to achieve.

7.4.2 Resource and Password Management

ERPM moves towards fully automated processes, as can be seen from the list of options for adding systems:

• add from domain systems list
• add from network browse list
• add from shell network browse list
• add systems manually by name
• add from Active Directory
• add from scanned IP ranges
• import/export system list from text file
• IP scanner
• database query – using any provider installed on the host system

The number of system types that can be precisely discovered is large as well: 44 types of systems. During the PoC, “add from Active Directory” and “add from scanned IP ranges” were tested and the results were 100% successful. These imports are enhanced by the possibility to use filters to sort which systems we want to add to which management set. For instance, I have tested sorting systems with different Windows OS versions into different management sets. Management sets are equivalent to groups in PMP and the folder structure in SS. There is a significant difference between ERPM and the other tested solutions in the functionality provided by the web application. Whereas PMP and SS allow particular settings to be made in the web application, ERPM concentrates the management in the console application; the web application, on the other hand, is only one way of accessing it.

7.4.3 Backup of Database

The database backups are not managed through the PM's interface, which matches the generally different architecture and style of this password manager. It is expected that the systems administrator will be able to back up the database through the database utilities. In fact, the same backup functionality as provided by PMP or SS is available in MS SQL Management Studio.

7.5 Conclusion of Testing and Recommendation

I tested three password managers and it is clear that all three solutions provided the expected functionality, but there were still big differences between them. The easiest to deploy and manage was Password Manager Pro, but on the other hand it lacks some features. The second password manager, Secret Server, provided some additional features and especially a more mature and user-friendly import system and user interface. The last password manager, Enterprise Random Password Manager, offered a rich feature set which was hard to test precisely within the scope of this PoC but could be beneficial for huge environments.

On the other hand, when considering a full integration of this solution, we might be speaking about a significant amount of time. So all three systems provided great value and the answer to which of the systems is the best is not clear-cut. It depends mainly on how automated a system the customer is looking for. The least automated password manager was PMP and it might be of best use in a smaller environment, since its deployment will not take long either. As already mentioned, for huge environments (AT&T, Honeywell, IBM, etc.) the best candidate would be ERPM, as their environments and processes will already need this kind of solution. Secret Server might be the best candidate for NetSuite and similarly sized companies.

8 Conclusion

The thesis was divided into two major parts, the theoretical and the practical one. The main goal of the theoretical part was to introduce the role of password management software, define basic terms connected with protecting privileged information and present the motivation for deploying password management software within the infrastructure of a company. Two different approaches to the software were introduced with special concentration on their security aspects. In the practical part, the list of enterprise-requested features was described together with the reasons for demanding each one of them. Afterwards, the survey of software was carried out, ten solutions were chosen for a more detailed review, and one of the most lengthy parts of this project started: searching through the functionality of each one of them. This phase was challenging, as not all of them offer documentation. In some cases it was difficult to extract all the necessary information from the providers' resources, which contributed to excluding particular software from further testing. The last phase of the practical section was to select the most suitable software for the proof of concept testing. In the end, three solutions were considered the most successful in meeting the initial requirements. These solutions were installed on personal hardware and their performance was compared within a test environment. The main concentration was on their installation and configuration difficulty, the ways of resource and password management and the database backup performance. In order to test the software more extensively it would be better to have more advanced hardware resources than a personal laptop and to take more advantage of the software support specialists. I must say that it was sometimes really difficult to get in touch with them at the time when I needed advice of a technical character.

Despite the fact that I met several obstacles while working especially on the practical part of this thesis, I made efforts to gain as much information about each of the software products as possible. The proof of concept testing revealed that each one of the selected products offers very good performance and a wide range of functionality. Nevertheless, the decision whether to prefer one over the others depends also on the pricing. For smaller businesses both Password Manager Pro and Secret Server could be suitable, whereas larger companies would appreciate the more expensive but more automated functionality provided by Lieberman Software's solution.


Appendix

Legal Issue

This thesis was initially meant to be written for the purposes of NetSuite Inc. Nevertheless, the original intention had to be changed because problems of a legal character appeared while I was working on the project. I would like to briefly explain in this chapter which obstacles I had to pass through. At the beginning, in autumn 2013, I was promised by my IT manager that the necessary hardware resources would be provided to me in order to fully test the selected software for the proof of concept. After I had passed through the first phase, which required searching through the available password management software on the market, I developed a plan to test five types of software on the premises of NetSuite. These were password managers from the Cyber-Ark, BeyondTrust, ManageEngine, Thycotic and Lieberman companies. The following phase was to contact the sales representatives of each one of the companies and ask for the trial versions. Despite the fact that there were major differences in the way each one of them communicated, I was finally promised to be provided with licenses. At the beginning of January 2014 I was prepared to install the first selected software, which was the Enterprise Random Password Manager provided by the Lieberman Software company. Everything went well and valuable technical support was provided to me. I completed the testing plan. During that time the manager asked me about the process, so I provided him with the results. Unfortunately, a new message came saying that I was prohibited from continuing with the testing because it was necessary to obtain a legal review of the trial licenses. This information was not previously provided to me, so I automatically expected that a legal review was not needed in the case of deploying only trial versions of software. Nevertheless, I agreed to arrange the review. This process took four months. During that time I was in continuous contact with an outsourced lawyer who was adjusting the trial EULAs of the software for me in order to be assured that they comply with the security policies of NetSuite. Another problem appeared; this time the point was that not all of the software providers have EULAs for the trial version, they simply provide it for free for a limited time. Lengthy emailing took place; some of them provided me directly with their trial EULA, whereas the others had to create it first. Not every representative agreed with our lawyer's changes to their EULA, so the process was very time-consuming. Finally, at the beginning of April 2014 I completed all the necessary documents that had to be handed in and waited to receive the approval for testing together with my V.P.'s signatures on the prepared and adjusted EULAs. At that time I was prepared to go on with the testing and install the other four software products on the already prepared virtual environment. Unfortunately, none of this happened; I was told that the business priorities had changed and thus I would receive neither the signatures nor the approval for testing. That was the last message from the NetSuite representatives involved. Therefore I had to apologize to all the people concerned with this project for wasting their time because of the legal review request, and test all the remaining software on my personal laptop, which was slightly challenging, but I hope I have fulfilled the assignment of this thesis.
