Any organization that accepts, stores or transmits data has likely heard of PCI DSS compliance requirements. Created and enforced by the credit card payment industry (Visa, MasterCard and American Express, among others) this mandate establishes 12 basic requirements and 200 sub-requirements to protect against credit card fraud.
Given that most data storage these days is digital, there is a major burden on IT departments to ensure networks are protected and employees follow policies for network and password security.
IT accounts, such as IT admin accounts or application/service accounts, each grant a specific level of access on the network. Typically IT teams share these credentials amongst themselves to gain access to equipment as needed. This makes it very difficult to know who exactly is accessing which device and to restrict access amongst IT staff.
The second security issue is the potential for hundreds, if not thousands of accounts, each with their own password. To improve security posture, each password should be quite long, comprised of random characters, and changed regularly. For many organizations this means serious man-hours wasted by highly-paid IT professionals performing manual password changing on these accounts.
Key solutions for IT teams
Thycotic developed Secret Server Password Management Software specifically to address compliance for IT departments. The tool creates a centralized, encrypted location for password storage, the ability to restrict access by role, full auditing of credential usage and automatic password changing.
Add your security policy to Secret Server to automatically change passwords at required times, enforce password length and complexity requirements, and ensure sensitive systems maintain a high level of access control and oversight over privileged accounts.
Securing end-user accounts is very important for overall network security, especially because of their susceptibility to malware and employees’ penchant for using weak passwords. To fortify a network, these accounts must have strong, regularly rotated passwords. Often the number one problem with a strong end-user password policy is the more complex an employee’s password is, or the more often they’re required to change it, the more likely they are to forget it!
Key solutions for end-user password resets
Security rules for end-user passwords, such as length, complexity and rotation requirements add protection to the network, but can quickly increase help desk cost when employees forget their login credentials. Added costs can include expanding help desk staff to field high-volume password reset calls, or missed deadlines when employees cannot log in to the network.
Password Reset Server eliminates the need for employees to call the help desk to reset their AD password. Now, they can simply answer security questions through Password Reset Server and automatically reset their password any time of the day, from any location. IT security teams can also configure Password Reset Server to enforce password length and complexity requirements, ensuring password compliance is met by all employees.
In addition to controlling account credentials and enforcing stronger password practices, it is important for organizations to limit risk from internal threats, such as disgruntled employees. One key solution is locking down access to company resources. For example, making sure employees in the marketing department only have access to marketing files and cannot access payroll files. This can be done by adjusting permissions in Active Directory (AD). Typically, the IT department will make AD changes, but from a security standpoint, this adds potential for error since the IT administrator is not always familiar with the complexities of each department’s AD groups and may inadvertently assign an employee to the wrong group.
Key solutions for AD group management
Active Directory (AD) group management may not be the first topic that comes to mind when creating a security policy. However, it is an important example of how system design can produce errors ripe for exploitation later on. Delegating one point of contact in IT to make AD group changes is a typical practice in most organizations. That person is responsible for adding newly hired employees to the appropriate AD group. For example, a new marketing associate would be given access to marketing files and email distribution lists. But without being privy to specific department workflows, the IT admin might mistakenly sign up the new employee for the wrong access. This problem typically gets worse as employees change teams, roles and responsibilities within the organization.
Auditing and restricting access not only applies to critical systems and servers, but controlling security within AD group management as well. These controls can easily be added through Group Management Server, a tool that enables non-IT team leaders to make AD group changes for their department. With Group Management Server, the marketing manager can add new employees to the marketing AD group, or make changes within that group. For security, all changes are audited and each manager’s ability to make changes is restricted to their direct AD groups.