A Simple Solution: Randomize Passwords
The obvious way to eliminate static and shared privileged passwords is to change them regularly. If every sensitive password were randomized daily, control problems would be alleviated.
Since IT users often need to sign into privileged accounts, randomizing passwords is only half of the solution. Additional functions are required to control access by IT users to these accounts:
- Authentication of IT users who wish to gain privileged access to a system.
- Access control over which accounts IT users may access and when.
- Audit logs recording such access, to create accountability.
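The Python below is an added example, not code from the original document or from any product: it combines daily randomization with the three controls listed above. The `Vault` class, its method names, the 24-character password length, and the `authenticated` flag (a stand-in for a real authentication step) are assumptions made for illustration.

```python
import secrets
import string
from datetime import timedelta

# Assumed policy values for this example (not taken from the document).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MAX_AGE = timedelta(days=1)  # "randomized daily"

class Vault:
    """Hypothetical in-memory store: rotation, access control, audit log."""
    def __init__(self):
        self.passwords = {}  # account -> (password, time it was set)
        self.acl = {}        # (user, account) -> (window start, window end)
        self.audit = []      # append-only: (when, who, account, outcome)

    def rotate(self, account, now):
        pw = "".join(secrets.choice(ALPHABET) for _ in range(24))
        # A real deployment must also set pw on the target system here.
        self.passwords[account] = (pw, now)
        self.audit.append((now, "system", account, "rotated"))

    def rotate_stale(self, now):
        for account, (_, set_at) in list(self.passwords.items()):
            if now - set_at >= MAX_AGE:
                self.rotate(account, now)

    def grant(self, user, account, start, end):
        self.acl[(user, account)] = (start, end)

    def checkout(self, user, authenticated, account, now):
        """Disclose the password only to an authenticated, authorized user."""
        window = self.acl.get((user, account))
        if not authenticated:
            outcome = "denied:unauthenticated"
        elif account not in self.passwords:
            outcome = "denied:unknown-account"
        elif window is None:
            outcome = "denied:no-grant"
        elif not (window[0] <= now.time() <= window[1]):
            outcome = "denied:outside-window"
        else:
            outcome = "disclosed"
        self.audit.append((now, user, account, outcome))  # log denials too
        return self.passwords[account][0] if outcome == "disclosed" else None
```

Every request, allowed or denied, lands in the audit list, so a disclosed password can always be tied to a named IT user and a time.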
The combined solution, capable of both randomizing large numbers of passwords and controlling access to password values or to the underlying accounts, can be complex. The following section describes some of the technical challenges that must be overcome in order to successfully deploy such a solution.