System administrators and IT support staff collectively require privileged access to every system within an organization. Along with the ability to manage systems, administrative credentials enable IT workers to bypass security controls, access confidential information and change controlled data. Mission-critical administrative credentials are often compromised, as a significant number of IT and security administrators admit to memorizing, writing down and sharing administrator passwords. Additionally, when IT staff leave an organization, every credential they previously had access to must be changed. With many organizations having hundreds of credentials within their IT department, this process can be time consuming, costly and difficult.
ID-Archive securely manages large numbers of administrator credentials by frequently randomizing each privileged password and requiring IT staff to acquire the current password for a specific device through a central application. ID-Archive manages workstation administrator credentials by installing a service on each workstation. The service contacts a central server and coordinates individual workstation password updates.
To manage administrator credentials on servers, each ID-Archive server runs a password updating service. This service periodically runs a connector, also on the ID-Archive server, which communicates with a single target server and changes a single password. Upon successfully setting the new password, the service updates the ID-Archive server with the new password, thus making it available to IT staff. This process is repeated thousands of times daily for different types of servers (Windows, Unix, Linux, DBMS, mainframe, application, etc.), using different types of connectors. Connectors for more than 70 types of servers and applications are included with ID-Archive.
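The per-credential rotation step described above, as an added illustration that is not ID-Archive's own code: the connector sets one password on one target, and the central store is only updated to the new value after the target confirms. The `CredentialStore` class, the connector callback signature and the write-ahead `pending` record are assumptions made for this example.

```python
import secrets
import string

# Constructed illustration of one password-rotation cycle (not ID-Archive code).
ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@^_"


def generate_password(length: int = 24) -> str:
    """Random password from the OS CSPRNG, retried until lower/upper/digit are all present."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


class CredentialStore:
    """Hypothetical stand-in for the central credential database."""
    def __init__(self):
        self.current = {}   # target -> password IT staff may retrieve
        self.pending = {}   # target -> candidate recorded before the connector runs


def rotate(store, target, connector):
    """Rotate one target's password.

    connector(target, old_password, new_password) -> bool is the hypothetical
    per-platform connector. Returns (status, password_in_effect).
    """
    candidate = generate_password()
    # Write-ahead: record the candidate first, so that if the target accepts it
    # but the process dies before commit, the new password is still recoverable.
    store.pending[target] = candidate
    ok = connector(target, store.current.get(target), candidate)
    if not ok:
        # Target unreachable or rejected the change: the old password stays
        # current and retrievable; nothing is lost.
        del store.pending[target]
        return "failed", store.current.get(target)
    # Only now does the new value become the one IT staff are given.
    store.current[target] = candidate
    del store.pending[target]
    return "rotated", candidate
```

Running `rotate` over every managed target once per day is the daily randomization schedule the text describes; a failed connector run leaves the previous password in effect rather than leaving the store and the target out of sync.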
Once deployed, ID-Archive becomes an essential part of an organization’s IT infrastructure, since it alone houses administrative credentials to thousands of networked devices.
Since servers occasionally break down, ID-Archive supports load balancing and data replication between multiple physical servers. Any data updates written to its credential database are replicated, in real time, across all servers. ID-Archive includes a built-in database engine, which stores the same data tables, including encrypted credentials, on each server.
Communication from the main ID-Archive server to the proxy server(s) is encrypted, efficient and tolerant of high latency.
ID-Archive is not the only product on the market for periodically randomizing administrator credentials; other products are available, either as software or as appliances. However, M-Tech is confident that ID-Archive is the most advanced and cost-effective solution available for managing administrator passwords.
ID-Archive is designed to manage passwords on hundreds of thousands of devices. A reasonable use case that is expected to work is to randomize 100,000 passwords, on 100,000 devices, daily.
In contrast, competing products appear to be designed to manage passwords across several hundred devices with a monthly password change interval.
Since administrator credentials are changed regularly, it is important to safeguard uninterrupted access to them. This includes several important failure scenarios:
1. Hardware failure on a single server (e.g., disk crash)
2. Network outage to a single server
3. Facility disaster (e.g., fire, flood)
Using built-in data replication, ID-Archive supports the obvious approach to providing fault tolerance, which is to replicate password storage across multiple servers. The built-in replication is bandwidth-efficient and intended to support replication across sites, i.e., with different ID-Archive servers located at different data centers.
Competing products fall into several categories, none of which is as attractive in terms of cost and capability:
1. No replication at all. All passwords are stored in a single server, which creates an unacceptable
2. Replication is a problem deferred to a database product. Customers are required to separately acquire and deploy an advanced RDBMS server product from Microsoft or Oracle. They must license special, replicated versions of the database, provide additional hardware, install and configure replication across sites and assign a database administrator to manage this infrastructure indefinitely. This creates a significant cost. Also, off-the-shelf RDBMS products are not designed to efficiently replicate data across low-bandwidth, high-latency WAN connections.
3. Replication is provided in the password storage product, but is not bandwidth-efficient, so it requires that the servers be located together. The risk due to facility outage (fire, flood, etc.) remains.
One of the key challenges in managing administrator passwords is supporting workstations. ID-Archive includes robust technology to manage local administrator passwords on Windows, Linux and Unix workstations. In contrast, competing products simply do not support management of workstation passwords. This is both a technological limitation (no client software component) and a scalability problem (workstations are too numerous).
Connectivity and Firewalls
ID-Archive includes a proxy server provided at no extra charge which allows it to “hop over” firewalls. Most competing products do not include a proxy server and consequently cannot cross firewalls.
Every IT asset has a local administrator ID and password. ID-Archive can manage all of these credentials, as it includes connectors for more than 70 types of systems.
In contrast, competing products typically only support Windows, Unix, RDBMS and in some cases, scripted terminal-emulator sessions.
ID-Archive is fundamentally designed to support daily password changes. This means that if an IT employee is terminated today, he will lose access to any IT asset that he worked on today within 24 hours, even if no special action is taken by administrators to remove that access.
In contrast, according to press coverage, competing products are designed to trigger password changes monthly, and in some cases those changes are initiated manually.
ID-Archive is priced on a per-credential basis, with prices starting around $20 and declining with volume. This is appropriate given its design goals of managing 100,000 credentials. There is no charge for extra servers or for connectors.
In contrast, according to press coverage, competing products are priced per server plus per credential, with prices starting around $200 per managed credential.
Conclusion: ID-Archive is software from M-Tech designed to manage thousands of administrator credentials. ID-Archive enables organizations to regularly randomize administrative passwords on workstations and servers, while maintaining the ability of IT staff to retrieve current credentials for devices into which they must log in.
M-Tech Information Technology, Inc.
#500, 1401-1 Street SE
Calgary, AB, Canada