One only has to consider the case of Jerome Kerviel, the rogue trader at French bank Societe Generale, who used multiple shared passwords and accounts to execute fraudulent trades, to appreciate the risks shared account logons pose to the modern organisation. Kerviel's actions cost the bank €4.9bn and serious ramifications were felt across the global financial markets.
“... failing to manage shared passwords adequately can expose organisations to serious vulnerabilities, particularly in the case of privileged accounts where a disgruntled employee could potentially have the power to hold an entire network hostage”
- Stephane Fymat
The City of San Francisco found itself in a similar situation last year when a disgruntled network administrator, Terry Childs reset all administrative passwords to the routers for the city's wide area network. His actions prevented administrators from managing the system as he essentially held the City to ransom.
What these two stories demonstrate is that failing to manage shared passwords adequately can expose organisations to serious vulnerabilities, particularly in the case of privileged accounts where a disgruntled employee could potentially have the power to hold an entire network hostage.
Keeping track of privileged user and shared access accounts is also important for accountability. Unfortunately, however, many organisations simply don't know for sure who has access to shared passwords. Far too often, the entire IT department knows the details of what is supposed to be a limited-access password. According to a 2008 survey of its members by the Independent Oracle Users Group, nearly 40 per cent of organisations had no way of monitoring the abuse of data by privileged account users.
As a result of high-profile incidents like those at the City of San Francisco and Societe Generale, legislation and industry regulations such as PCI DSS are increasingly prohibiting the sharing of accounts between users. But this causes big headaches for many IT managers in both the public and the private sector, as shared and privileged accounts have become a necessary component of today's enterprise IT infrastructure.
All kinds of employees, from office administrators and temporary workers to nurses and civil servants require access to shared account logons for enterprise applications and systems for all kinds of reasons. IT managers therefore need to strike a balance between providing the flexibility required to meet end users' needs and ensuring security and compliance with corporate policy and the latest industry regulations and legislation.
So, how do they protect themselves from the risks in a cost-effective manner?