A Secret Server

Jeff Bohren, The Identity Management Expert (TalkBMC)
I ran across a very interesting password management solution recently: Secret Server from Thycotic. It addresses a specific problem, the secure storage and retrieval of infrequently used or shared passwords. The concept of a shared password may sound strange if you don’t work in an IT shop, but it is common practice there. For instance, an IT team often needs a single user ID and password to get into a specific hardware device such as a router. Other examples are the root password on Unix and Linux systems or the Administrator password on Windows servers. These accounts are used infrequently, but may be needed on occasion by one or more people on a team.

The way Secret Server works is that a sysadmin needing a password logs into Secret Server with a Secret Server account or an AD account and, if policy grants access, retrieves the clear text password. Each such retrieval is audited.

One interesting feature is that a specific password entry can be configured so that, after it is accessed, it is automatically changed to a new random value following a configurable delay, with a password change operation performed on the target system. In essence that makes the password a pseudo-OTP: the value the user saw is only good until the delay elapses and the rotation succeeds. I believe that this is currently limited to AD passwords.
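To make the check-out and rotate-after-use flow concrete, here is an added example in Python. It is my own toy model written for this post, not Thycotic's code, and every name in it (SecretServer, checkout, tick, change_on_target, the device "router-core1" and the users) is an assumption. It shows the three pieces the paragraphs above describe: an access check with an audit record for every attempt, a rotation scheduled at check-out time, and a change pushed to the target system, keeping the old value (and the pending rotation) if the target refuses the change rather than silently losing the password.

```python
"""Toy model of a check-out / rotate-after-use password vault.

Added example, not Thycotic's code. Class, function and device names are
assumptions chosen for illustration.
"""
import secrets
import string
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def random_password(length: int = 24) -> str:
    """Cryptographically random password from the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Secret:
    name: str
    password: str
    allowed_users: Set[str]
    rotate_after: Optional[int] = None   # seconds after a check-out; None = never rotate
    rotate_at: Optional[int] = None      # scheduled rotation time (epoch seconds), if pending


class SecretServer:
    """Stores secrets, enforces a per-secret ACL, audits access, rotates after use."""

    def __init__(self, change_on_target: Callable[[str, str], bool]):
        self._secrets: Dict[str, Secret] = {}
        self.audit: List[Tuple[int, str, str, str]] = []   # (time, user, secret, event)
        self._change_on_target = change_on_target           # returns True if the target accepted

    def add(self, secret: Secret) -> None:
        self._secrets[secret.name] = secret

    def checkout(self, user: str, name: str, now: int) -> str:
        """Return the clear text value if policy allows; audit either way."""
        s = self._secrets[name]
        if user not in s.allowed_users:
            self.audit.append((now, user, name, "DENIED"))
            raise PermissionError(f"{user} may not view {name}")
        self.audit.append((now, user, name, "VIEWED"))
        if s.rotate_after is not None:
            s.rotate_at = now + s.rotate_after   # the value just shown has a limited life
        return s.password

    def tick(self, now: int) -> List[str]:
        """Run due rotations; return the names that were rotated successfully."""
        rotated = []
        for s in self._secrets.values():
            if s.rotate_at is None or now < s.rotate_at:
                continue
            new_pw = random_password()
            if self._change_on_target(s.name, new_pw):
                s.password = new_pw          # only store what the target actually accepted
                s.rotate_at = None
                self.audit.append((now, "system", s.name, "ROTATED"))
                rotated.append(s.name)
            else:
                # Keep the old value and leave the rotation pending for the next tick.
                self.audit.append((now, "system", s.name, "ROTATE_FAILED"))
        return rotated


def demo() -> dict:
    """Constructed scenario: one router password, a 300 s rotate-after-view delay."""
    target: Dict[str, str] = {}      # stand-in for the managed device's credential store
    accept = {"ok": True}            # flip to simulate the device refusing the change

    def change_on_target(name: str, new_pw: str) -> bool:
        if not accept["ok"]:
            return False
        target[name] = new_pw
        return True

    srv = SecretServer(change_on_target)
    srv.add(Secret("router-core1", "initial-pw", {"alice"}, rotate_after=300))

    pw1 = srv.checkout("alice", "router-core1", now=0)
    try:
        srv.checkout("mallory", "router-core1", now=10)   # not in the ACL
    except PermissionError:
        pass
    early = srv.tick(now=100)        # delay not elapsed: nothing happens
    rotated = srv.tick(now=300)      # delay elapsed: new random value pushed to the device
    pw2 = srv.checkout("alice", "router-core1", now=400)
    accept["ok"] = False
    failed = srv.tick(now=700)       # device refuses: old value kept, rotation still pending
    pw3 = srv.checkout("alice", "router-core1", now=701)
    return {
        "first": pw1,
        "early": early,
        "rotated": rotated,
        "second_matches_target": pw2 == target["router-core1"],
        "second_differs": pw2 != pw1,
        "failed_rotation_kept_password": failed == [] and pw3 == pw2,
        "still_pending": srv._secrets["router-core1"].rotate_at is not None,
        "audit": [event for (_, _, _, event) in srv.audit],
    }
```

The point a practitioner should take from the model is in `tick`: the vault only commits a new value after the target confirms the change, so a failed rotation leaves a password that still works on the device rather than one that works nowhere.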

There is also an online version which you can find here.

This is very different from normal enterprise password management systems like BMC Password Manager. Those products allow an individual to reset their own password or a delegated administrator to set passwords for others, but can never retrieve clear text passwords. It is also very different from Enterprise SSO products like Passlogix v-Go. v-Go can retrieve a person’s clear text password, but only for the purpose of replaying it into a login form; the user never sees the clear text value.

[Full Disclosure: BMC resells the Passlogix v-Go product. BMC currently has no business relationship with Thycotic]

It’s an interesting approach, and I really like the name of the company. One question though, if I use Thawte as my CA to set up the Secret Server SSL, do I get Thycotic Thawtes?


Friday, July 27, 2007  |  Comments (2)

Conthumer Thlant

Posted by Corey at 2007-12-10 01:12
Hi Jeff,

I've been using a web application that I wrote about 6 years ago to store and host my personal information online. I use it to keep passwords, scans of my driver's license, account information and basically all other vitals relevant to this modern era of information. I've found it to be immensely useful. I've enjoyed a fairly decent sense of security by encrypting all traffic to the application through SSL, using strong encryption on sensitive data within the database, using strong passwords, not storing encryption keys anywhere on the server or even in volatile memory, employing automated checks for tampering with the code to prevent man in the middle attacks, auditing access to the server/code, etc., and mostly due to the obscurity of the application. The interface is very simple. It's essentially a folder/tree structure that allows you to store anything inside of the entities. I use metadata to describe what can be stored in the entities. Access to my data is ridiculously simple, quick, and convenient.

I've often considered polishing the application and making it available to a larger audience. Recently, I decided that I would pursue this because I wanted to make another version of the application that could be accessed through a Google Gadget on iGoogle. I wished to make the gadget freely available and to have someone like Google or the open source community pick up on the usefulness of it and take it further. My first and biggest concern was to evaluate the security of it and redesign the security model to make it practical for a multi-user system that would certainly be the target of attacks. This issue alone has caused me to stop short of pursuing this endeavor in the past and it was starting to take its toll again.

I began discussing with some peers about strategies and products available to use for security when one of my peers remembered a product/web site that was being discussed at a conference. He dug up the URL and I've now found myself looking at the Secret Server solution. What a relief! I can't tell you how thrilled I am to have found something that is somewhat mature relative to my application. It's obvious that their focus has been on the IT community, but you can see that everyone's eyes were opened to the possibilities when you look at the XML encoded metadata that defines what can be stored in the system. The extensible design allows for just about anything to be stored and people have defined templates for credit card data, banking info, etc. Nirvana! I'm amazed that it's taken this long for someone to do this. I suppose I should have gone further with things a while ago.

Anyway, I'm commenting to get your thoughts on the possible uses of this approach on a much broader scale with the average person in mind. I can't tell you how freeing it is to know that I can essentially land anywhere, naked, and with just an Internet connection, be just fine ... and possibly fined as well. I've used my own application in plenty of scenarios including signing up for banking accounts and cell phone accounts when I didn't have everything with me that I needed to set up those accounts ... I simply asked the employee if I could use their web browser and minutes later, I was good to go ... no need to make an extra round-trip home. I consistently use the application from wherever I am to access passwords for websites and grab account details when I need to make online payments, etc.

I consider Secret Server's interface to be a little clunkier than what I've been using to navigate through the data, but they were designing for a different problem. They are much closer to a full-fledged solution than I am for the public. A few tweaks and some alternate interfaces like Google Gadgets and they are there. They've already pursued browser add-ons and mobile phone access. I think their online version is very reasonably priced. I'm going to discuss my ideas with them and I hope they take them to heart.

What's your take on all of this? Why haven't we seen something like this sooner? Perhaps, liability issues? Perhaps, people's inherent fear of entrusting such vital info all in one place on an online service? Do you think you'd use a service like this to keep your own personal data online?

Be well,
Corey