Thousands of IT assets:

Who has the keys to the kingdom?

  • Servers, network devices, databases and applications:
    • Numerous.
    • High value.
    • Heterogeneous.

  • Workstations:
    • Mobile -- dynamic IPs.
    • Powered on or off.
    • Direct-attached or firewalled.

  • Every IT asset has sensitive passwords:
    • Administrator passwords:
      Used to manage each system.
    • Service passwords:
      Provide security context to service programs.
    • Application passwords:
      Allow one application to connect to another.

  • Do these passwords ever change?
  • Plaintext in configuration files?
  • Who knows these passwords? (ex-staff?)
  • Who made what changes, when and why?