In today’s IT environments, having a password manager is essential. There are so many different devices attached to modern networks that no one could memorize the access credentials for them all. In addition to that, storing everything in an Excel document has been shown time and again to be far from the most secure way to protect such an important set of assets.
The problem of storing and updating machine access credentials is compounded for managed services providers (MSPs) or other IT professionals. Overseeing multiple customers, dozens or even hundreds of machines, and a vast number of users means handling a tremendous quantity of access credentials, not to mention critical business data and intellectual property. In this situation, having tight controls over machine access is absolutely critical, because the legal ramifications of compromises can be catastrophic.
Securely storing your credentials
This is where password management solutions come into play, as they help technicians and service providers securely store and easily access the credentials required to unlock machines and provide support. However, not all password management solutions are designed equally. Currently, the majority of technicians use standalone password management software where they store all their passwords—often professional and personal—in the same system. When they need to access these credentials during a remote session, they open their password management system by typing in their master password, accessing the vault, and finding the correct credentials for that machine or user. They then enter the credentials manually, use copy and paste, or let the software automatically populate the authorization fields to unlock the machine.
So what’s wrong with this system?
While this solution helps the technician manage a large number of credentials, it creates several serious security vulnerabilities. First, the technician could potentially memorize (or even just write down on a Post-It note) the credentials, placing them outside the strictly controlled context of a remote session. Second, using copy and paste to input the password during a session exposes that set of credentials—while they reside on the cut/paste clipboard—to others who may pick up the session or use that workstation.
The answer here is to have a password management system that is fully integrated into the technician’s remote support workflow, and only the remote support workflow. This offers significantly increased security and convenience to boot. Not only does it ensure that all actions are accountable, it means the credentials, and the technicians, never need to leave the remote support product flow.
An integrated solution
With a fully integrated password management solution like Secrets Vaults in SolarWinds® Take Control, technicians can simply type in their master password as part of starting a session. This instantly unlocks the systems they need, all from within the remote support and remote monitoring system. The credentials are automatically injected into the authorization fields without the technician ever actually seeing them. This means it is possible for a senior technician to add a set of credentials to a vault, and then provide a junior technician with access to that vault, thereby allowing the junior technician access to the required systems without having direct access to credentials, and preventing the risk of a leak or misuse.
How is this possible? With a “double secured” vaulting system like Secrets Vaults, credentials are input once into a vault, and then that vault is locked with a recovery code and a master password—neither of which is stored by SolarWinds. Using them is the only way to re-enter the vault, and only the party that created the vault has access to these two security tokens.
Not only is each vault well sealed, but permissions can be set so that only specific technicians have access to it. And even though they have access, they will never be able to actually see the content of the vault, because the contents are “blind injected” into the authentication fields of the machines the technician wishes to unlock (this feature is also compatible with other resources protected by the operating system, such as network shares or RDP sessions). Finally, injecting the credentials is protected by cryptographic and authentication processes; this ensures the credentials are completely secure, from the moment they leave the vault to the moment they are delivered to the operating system.
So to unlock machines, the technician navigates to the vault where the machine’s credentials are stored and inputs their master password to authenticate them as a qualified user of that vault. The credentials are then injected into the authentication fields as required, and access is granted.
Another advantage to having Secrets Vaults fully integrated into the remote support solution is that every action taken around creating or using a vault is recorded, fully logged, and auditable—when the vault was created and by whom, each time that vault is accessed and by whom, and when vault content was modified and by whom.
For busy IT professionals and MSPs, the benefits of having an ultra-secure password management system fully integrated into their remote monitoring system are clear: tamperproof safety, controlled access to critical data, and full auditability.
José Serrano is senior engineering manager for the SolarWinds Take Control team.