Breakglass account and key management

Man of Honour | Joined: 19 Oct 2002 | Posts: 29,758 | Location: Surrey
I'd be interested in people's experience with tools to manage privileged keys (userids), e.g. tools that you use to sign out an emergency userid, or possibly tools that allow you to sign out an id and also track the actual usage of it.

Does anyone have any experience or recommendations?
 
Thanks for the reply. But what I'm really after is some kind of tool that's used to manage userids in the following way:

1) Something breaks. An alert occurs.
2) Operations team phones out 24/7 support.
3) Support bod drags himself out of bed. Asks for the sysadmin userid.
4) Ops use the 'breakglass' system to checkout the sysadmin password to him.
5) Ops manager approves the use of the userid.
6) Support bod fixes problem.
7) Ops check the userid back in, resetting the password so it can't be reused by the support bod.
 
When you have a situation like that, can you not just re-enable the sysadmin account and hand over the password?

Once done, change the password and then disable the account?

Granted it's not a bit of software, but you could probably script it.

Kimbie

That's what's happening at the moment. And what will still need to happen. But what I'm looking for is something which tracks the usage of it:

Option 1 - A system (e.g. web based) that you "check out" the current password. When you "check in" the userid after it has been used you will probably have to manually reset the password. But you then store the password in the system. What this gives you is that it is clearly audited when (and who) checked out the password. It also stores the current password so it can't be viewed without signing it out again. The person who signs it in and out would not be the person who needs it. It would be a central team of "trusted" people and it would require dual control. So the user would not know the new password.

Option 2 - A more complete solution which has an agent on the machine itself. This agent will change the password for you and track any commands you enter. This is a better solution but more complex (do they exist?)
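To make the Option 1 workflow concrete (and the "you could probably script it" suggestion earlier in the thread), here is an added example that is not from any poster or product: a minimal in-memory break-glass vault in Python. It enforces dual control on check-out and check-in (operator and approver must be different people, and neither may be the requester), releases the current password only through a check-out, rotates the password on check-in so the support person's copy is useless afterwards, and keeps an append-only audit trail. The account name, the initial password and the participant names are constructed sample values; `reset_password_on_target` is a hypothetical hook standing in for whatever actually changes the password on the managed system.

```python
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


class BreakglassError(Exception):
    """Raised when a check-out or check-in violates the control rules."""


def generate_password(length: int = 24) -> str:
    """Random password from a CSPRNG; used to rotate the secret on check-in."""
    alphabet = string.ascii_letters + string.digits + "!#%&*+-=?@"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def reset_password_on_target(account: str, new_password: str) -> None:
    """Hypothetical hook: a real deployment would call the managed system
    (directory, host, appliance) here to set the new password."""
    return None


@dataclass
class Account:
    name: str
    password: str                          # only released via checkout()
    checked_out_by: Optional[str] = None   # requester holding it, if any


@dataclass
class BreakglassVault:
    accounts: Dict[str, Account] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)   # append-only trail

    def _log(self, event: str, **details) -> None:
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event}
        entry.update(details)
        self.audit.append(entry)

    def register(self, name: str, password: str) -> None:
        self.accounts[name] = Account(name, password)
        self._log("register", account=name)

    def _require_dual_control(self, requester: str, operator: str, approver: str) -> None:
        # Two members of the trusted team, neither of whom is the person
        # who will actually use the account.
        if operator == approver:
            raise BreakglassError("dual control: operator and approver must differ")
        if requester in (operator, approver):
            raise BreakglassError("requester may not release or approve their own check-out")

    def checkout(self, name: str, requester: str, operator: str,
                 approver: str, reason: str) -> str:
        """Release the current password to `requester` and record who did it."""
        acct = self.accounts[name]
        if acct.checked_out_by is not None:
            raise BreakglassError(f"{name} is already checked out to {acct.checked_out_by}")
        self._require_dual_control(requester, operator, approver)
        acct.checked_out_by = requester
        self._log("checkout", account=name, requester=requester,
                  operator=operator, approver=approver, reason=reason)
        return acct.password

    def checkin(self, name: str, operator: str, approver: str) -> bool:
        """Rotate the password and clear the check-out; the new secret is
        stored but never returned, so the previous holder cannot reuse it."""
        acct = self.accounts[name]
        if acct.checked_out_by is None:
            raise BreakglassError(f"{name} is not checked out")
        if operator == approver:
            raise BreakglassError("dual control: operator and approver must differ")
        new_password = generate_password()
        reset_password_on_target(name, new_password)
        acct.password = new_password
        self._log("checkin", account=name, returned_by=acct.checked_out_by,
                  operator=operator, approver=approver)
        acct.checked_out_by = None
        return True


def run_scenario() -> List[str]:
    """Walk through the thread's steps 4 to 7 on constructed sample data and
    return the sequence of audited events."""
    vault = BreakglassVault()
    vault.register("sysadmin", "initial-secret")          # constructed value
    vault.checkout("sysadmin", requester="support-bod", operator="ops-shift",
                   approver="ops-manager", reason="alert: service down")
    vault.checkin("sysadmin", operator="ops-shift", approver="ops-manager")
    return [e["event"] for e in vault.audit]


if __name__ == "__main__":
    print(run_scenario())
```

Note that the vault exposes no "view password" path other than `checkout`, which is what gives the audit trail its value: every release is tied to a requester, an operator, an approver and a reason. The Option 2 agent described above would extend this by driving the reset itself and capturing the session, which this example does not attempt.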
 