Security Basics mailing list archives

Re: NOC password management


From: "Ryan Chow" <rynchow () gmail com>
Date: Thu, 15 Mar 2007 10:36:32 +1100

Firstly, common to all solutions is ensuring:

Ability to audit the process - that is knowing who accessed the
password(s) and when.

Password Management Policy - how long passwords are valid for,
complexity requirements, reset procedures, what happens when an
Administrator leaves.

Access control - processes to grant and restrict access to password storage.

I've not seen a software-based solution in place.  However, in such a
solution I would be looking closely at ensuring that the password data
is encrypted at rest and the machine is physically secured when not
needed (in a safe).  As loss of the password database would be
problematic to say the least!

I've seen paper-based solutions where all passwords are stored in a
safe, each in tamper-evident envelopes and written down.  Access is
controlled physically to the machines that are administrated and to
the safe.  Auditing is made more difficult unless access can be logged
from the safe.



On 3/15/07, List Subscriptions <lists.canuck.eh () gmail com> wrote:
> As the security administrator I constantly get complaints from the
> network admins about how hard it is to remember all the passwords.
> What are the best practices for enterprise password management?  What
> products are available?  They came to me with Mandylion labs password
> management token ( http://mandylionlabs.com/).  Has anyone used this
> product or have any insight into the best solution?
>
> Thanks in advance
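An added illustration, not part of Ryan's reply or of the original question, of the three properties he lists for a software vault: every access attempt is recorded (who, which entry, when, allowed or refused), access is governed by a list that an offboarded administrator can be removed from, and the stored password data is encrypted at rest (AES-256-GCM under a key derived from a master passphrase with PBKDF2, written out with the Go standard library so nothing else is needed). Every name, the salt, the master passphrase and the "core-router" entry are constructed for the demo; the PBKDF2 iteration count is a placeholder and not a recommendation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// AuditEvent answers "who accessed which password, when, and were they allowed".
type AuditEvent struct {
	When                 time.Time
	Actor, Entry, Action string
	Allowed              bool
}

type sealedEntry struct{ nonce, ciphertext []byte }

// Vault keeps every entry encrypted; plaintext exists only transiently inside Get.
type Vault struct {
	aead    cipher.AEAD
	entries map[string]sealedEntry
	acl     map[string]bool // administrators currently allowed access
	Audit   []AuditEvent    // append-only record of every access attempt
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) over HMAC-SHA256, written out so the example needs only the standard library.
func pbkdf2SHA256(pass, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, pass)
		mac.Write(salt)
		mac.Write(binary.BigEndian.AppendUint32(nil, block))
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// NewVault derives a 256-bit AES-GCM key; the key length is fixed, so the constructors cannot fail.
func NewVault(master string, salt []byte) *Vault {
	block, _ := aes.NewCipher(pbkdf2SHA256([]byte(master), salt, 100_000, 32))
	aead, _ := cipher.NewGCM(block)
	return &Vault{aead: aead, entries: map[string]sealedEntry{}, acl: map[string]bool{}}
}

func (v *Vault) log(actor, entry, action string, ok bool) {
	v.Audit = append(v.Audit, AuditEvent{time.Now(), actor, entry, action, ok})
}

// Grant adds an administrator; Revoke is the "administrator leaves" step.
func (v *Vault) Grant(actor string)  { v.acl[actor] = true }
func (v *Vault) Revoke(actor string) { delete(v.acl, actor) }

// Store seals secret under a fresh nonce, binding the entry name as associated data.
func (v *Vault) Store(actor, name, secret string) error {
	if !v.acl[actor] {
		v.log(actor, name, "store", false)
		return errors.New("access denied")
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.entries[name] = sealedEntry{nonce, v.aead.Seal(nil, nonce, []byte(secret), []byte(name))}
	v.log(actor, name, "store", true)
	return nil
}

// Get checks the access list, records the attempt either way, then decrypts.
func (v *Vault) Get(actor, name string) (string, error) {
	e, ok := v.entries[name]
	if !v.acl[actor] || !ok {
		v.log(actor, name, "get", false)
		return "", errors.New("access denied or no such entry")
	}
	pt, err := v.aead.Open(nil, e.nonce, e.ciphertext, []byte(name))
	v.log(actor, name, "get", err == nil)
	return string(pt), err
}

func main() {
	v := NewVault("constructed master passphrase", []byte("constructed-salt")) // constructed demo values; use a random per-vault salt
	v.Grant("alice")
	_ = v.Store("alice", "core-router", "constructed-secret")
	_, err := v.Get("bob", "core-router") // never granted, so refused and recorded
	fmt.Println("bob denied:", err != nil, "audit events:", len(v.Audit))
}
```

Refused attempts are logged as deliberately as successful ones, since the audit question Ryan raises ("who accessed the passwords and when") is as much about who tried as who succeeded; binding the entry name into the GCM associated data means a ciphertext copied from one entry to another fails to decrypt rather than silently returning the wrong password.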


