3 Must-Have Password Management Best Practices
These days, no one stays in their jobs forever. Try as you might to hold on to your most talented techies (or, let's face it, your less talented ones), eventually, life circumstances will take them away from your managed service provider (MSP) business, and with them, all the passwords for the customer accounts they worked on. Earlier in 2013, we surveyed the attendees of a webinar we gave. I was not at all surprised to learn that 74 percent of the IT companies attending the webinar had experienced staff turnover in the past year. When a staff member leaves your business, you can take away his key card, but you can't erase from his memory the passwords he used to access your clients' systems, applications, and networks.
Data is more valuable than it has ever been. Many businesses are a single data breach away from a business-closing disaster. Your clients put their trust in you that your IT services will protect them from that risk. What would they think if they knew someone—your former IT technician—was out there with the key in his head to unlocking their data and exposing it to the world?
As an MSP, you must take the security of your passwords and your customers’ passwords very seriously. To protect the passwords that protect your customers' data, you need a plan that takes password management best practices into account.
Password Management Best Practices
I say you need a plan because so many businesses I work with don't have one. They may or may not have centralized systems where they store password information, like on an Excel spreadsheet or even just a Word doc, but that hardly qualifies as a plan. Among its many shortcomings, storing credentials on a spreadsheet, Word doc, or out-of-date personal password managers requires human intervention to change passwords. This is an opportunity for human error, either through entering the wrong information or not doing it at all. Too many times, the MSPs I work with tell me they spend an inordinate amount of time reconciling the passwords internally with the passwords used in an actual application, if they bother to try to keep them in sync at all. It’s really difficult.
When I talk about password management best practices with MSPs I always highlight the three must-have features: access control, auditing, and automation. Each of those broad categories can be broken down further:
Access Control
A good password management system should have:
- A way to control who can access passwords.
- A way to control what someone can do with passwords (create/read/write/delete).
- A way to centrally store and access passwords from virtually anywhere (where practical and appropriate, of course).
Access control allows you to restrict access to vital password information on a "need to know" basis. The most common form is "role-based access control", which lets you define broad roles (each with a set of password permissions) and then assign users to those roles. This simplifies password security, because it allows you to manage the password permissions of a broad set of users at once.
Auditing
This is the element of password management that involves checking that everything in the system is as it should be. It should include:
- A way to see who has accessed the stored passwords.
- A way to check that stored passwords meet complexity and compliance rules.
- A way to check that stored passwords actually match what is being used on systems and services.
- A way to inform those with authority when something is wrong or goes against the password management process.
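To make the access control and auditing features above concrete, here is an added example (not code from the original post) of a minimal credential vault: roles carry create/read/write/delete permissions, users are assigned to roles, every access attempt is written to an audit trail whether allowed or denied, and stored passwords can be checked against a complexity rule. The role names, users and the 12-character rule are assumptions for illustration.

```python
# Added example (not the post's own code): a minimal credential vault with role-based
# access, an audit trail of every access attempt, and a password complexity check.
import re
from datetime import datetime, timezone

# Each role carries a set of password permissions (create/read/write/delete);
# users are assigned to roles rather than given permissions individually.
ROLES = {
    "technician": {"read"},
    "senior_tech": {"create", "read", "write"},
    "admin": {"create", "read", "write", "delete"},
}
COMPLEXITY = re.compile(r"(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\w\s])")

class Vault:
    def __init__(self):
        self._secrets = {}   # credential name -> password
        self._users = {}     # user -> role
        self.audit_log = []  # every attempt, allowed or denied

    def assign_role(self, user, role):
        if role not in ROLES:
            raise ValueError(f"unknown role: {role}")
        self._users[user] = role

    def _authorize(self, user, action, name):
        # Need-to-know: the action must be among the user's role permissions.
        allowed = action in ROLES.get(self._users.get(user, ""), set())
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                               "user": user, "action": action,
                               "credential": name, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{user} may not {action} {name}")

    def create(self, user, name, password):
        self._authorize(user, "create", name)
        self._secrets[name] = password

    def read(self, user, name):
        self._authorize(user, "read", name)
        return self._secrets[name]

    def compliance_failures(self, min_len=12):
        # Auditing check: stored passwords that break the complexity rule.
        return sorted(n for n, p in self._secrets.items()
                      if len(p) < min_len or not COMPLEXITY.search(p))

    def accesses_by(self, user):
        # Auditing check: who accessed (or tried to access) which credential.
        return [e for e in self.audit_log if e["user"] == user]
```

Denied attempts land in the audit trail too, so a reviewer can see who tried to reach credentials outside their role.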
Automation
This comes back to the former employee situation I discussed at the beginning of this blog post. Best practices for password change automation include:
- A way to automatically change passwords when required and where possible.
- A way to automatically inform those with authority when a password requires manual intervention to be changed.
It’s clear from these password management best practices that a spreadsheet just isn’t going to cut it when it comes to protecting your customers’ valuable data (and your own, for that matter).