Tech Trends: Resolving the Password Fiasco

Sept. 6, 2016
Inside solutions for the management and protection of passwords for security devices

Fiasco, joke, nightmare — call it what you want, but password management of security devices is far from what it should be. Ask a group of security techs from different companies how passwords are assigned and you will get many different answers, and few of them are satisfactory. Ask a group of security industry executives what their own personal approach is to password management and just wait for the excuses to roll in.

However, at least one security integrator, Alberta, Canada-based Contava, has it right. You see, Contava has deep IT roots and has assembled a strong group of personnel with IT backgrounds and mindset. Curtis Nikel, Contava’s CEO, first told me about his firm’s unique approach when we talked at Aronson Security’s event, The Great Conversation. It reminded me of the approach I’ve taken with my own passwords through a service called LastPass (DashLane is another).

Contava worked with an Australian company called Click Studios (www.clickstudios.com.au) using its “Passwordstate” offering. Described on the website, “Passwordstate is an on-premise web-based solution for Enterprise Password Management, where teams of people can access and share sensitive password resources.”

Contava implemented the Passwordstate software on its own secure server. The software enables creation, provisioning, and storage of passwords according to company-defined policies. The information is kept confidential via 256-bit AES encryption. “Since we’re IT people, we brought an IT perspective to password management, rather than an alarm perspective,” Nikel says. “This approach creates a process with real guidelines, bringing best practices to an area which sorely needs them.”

“We saw a serious need to not only protect our customers through our strength in physical security but to also be intentional about securing their information digitally,” adds Christian Peterson, Contava’s Lead Systems Analyst in IT. “Passwords are one of the largest vulnerabilities, but sometimes one of the most overlooked. There had to be a better way.”

I agree. A technician shows up at a customer site and, via smartphone or laptop, communicates through a secure VPN into the password server. The technician can create a folder for that particular site, and there may be multiple site folders per customer. Adding a new password involves automatic generation of a policy-compliant password, which in Contava’s case is 10 characters (upper case and lower case letters, numbers and two special characters). The encryption keys are provisioned through a certificate process. Passwords may be copied and pasted from the laptop into the appropriate field in the security device (e.g. a camera), eliminating the need to memorize or retype passwords, both of which are error-prone.
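To make the policy described above concrete, here is an added example (not Contava’s or Passwordstate’s code) of a generator that draws from the OS random source and a checker that enforces the same rules. The special-character set and the reading of “two special characters” as a minimum are assumptions; the page does not list the actual policy configuration.

```python
import secrets
import string
from random import SystemRandom

# Policy as described in the article: 10 characters mixing upper case,
# lower case, digits and two special characters. The special-character
# alphabet below is an assumption, not Passwordstate's setting.
LENGTH = 10
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{}:;,.?"
MIN_SPECIAL = 2
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL


def complies(pw: str) -> bool:
    """Return True if pw satisfies every rule of the policy above."""
    return (
        len(pw) == LENGTH
        and any(c in UPPER for c in pw)
        and any(c in LOWER for c in pw)
        and any(c in DIGITS for c in pw)
        and sum(c in SPECIAL for c in pw) >= MIN_SPECIAL
        and all(c in ALPHABET for c in pw)
    )


def generate() -> str:
    """Generate one policy-compliant password from the OS CSPRNG."""
    rng = SystemRandom()  # CSPRNG-backed shuffle; never random.shuffle()
    # Satisfy each character-class requirement first ...
    chars = [
        secrets.choice(UPPER),
        secrets.choice(LOWER),
        secrets.choice(DIGITS),
    ] + [secrets.choice(SPECIAL) for _ in range(MIN_SPECIAL)]
    # ... fill the remaining positions from the full alphabet ...
    chars += [secrets.choice(ALPHABET) for _ in range(LENGTH - len(chars))]
    # ... then shuffle so required classes do not sit at fixed positions.
    rng.shuffle(chars)
    pw = "".join(chars)
    assert complies(pw)  # the generator must never emit a non-compliant value
    return pw


if __name__ == "__main__":
    print(generate())
```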

Importantly, the tool provides for two-factor authentication, with the second factor being a four-digit token code provisioned by anonymous email. The token is valid for 60 seconds and is good for one login session.

Read, modify and administrator permissions can be granted to password lists and individual passwords. For Contava users, two or three levels of privileged access are assigned. Overall administrative access is policed through Windows Active Directory, and the application allows import of users and security groups from Active Directory, authenticating and applying permissions using these credentials, and keeping account status and security group memberships synchronized. Throughout, an audit trail is established showing password history, and who did what. Passwordstate records over 100 different types of audit events, all of which can be reported on when required.

I was surprised at the relatively modest investment required to implement this system. The primary component was staff time, estimated to be 40 to 60 hours to implement. Keep in mind that Contava had a secure server infrastructure to start with and the IT smarts to manage it. The initial one-time license provisioned for 70 users was in the $3-4K range and annual support is less than $1000. “This investment of time and money is a commitment to our customers,” Nikel says. “It demonstrates what we are doing to protect them.”

Eliminating Passwords Completely

On a different note, SecureXperts, headed by Darnell Washington — and a recurring member of SD&I’s Fast50 — plans to make passwords obsolete. The company has developed a cryptographically secure MicroSD card that is NIST approved and FIPS validated, which it hopes to embed in physical security appliances and mobile devices. Washington has been working with Bosch in IP camera implementation for some time.

This chip provides a number of useful functions. First, it can prevent unauthorized rogue software from running on the appliance. Second, through certificates and key management, it can validate a user’s access to the device. The user’s PIN-protected Personal Identity Verification (PIV) card contains the needed certificates to be authenticated to a device or application. The embedded MicroSD card supports confidentiality through strong encryption — 1024 or 2048 AES in the commercial space.

SecureXperts’ work with the Federal government promises to get this technology into the mainstream, and hopefully get other manufacturers on board to create a critical mass of vendor support.

Personal Protection

Personal password protection such as LastPass can make one’s own digital life more secure and much easier. I am continually amazed how many professionals I encounter in our industry who are using archaic, insecure systems — often employing one or few passwords for everything. They are in great company with my 88-year-old mother-in-law.

Passwords stored in the LastPass cloud are encrypted under a strong master password that is created by, and should be known only to, the user. The master password is used to decrypt the vault and so gain access to all of the user’s stored passwords. Encryption and decryption are performed locally on the user’s machine. Applying a one-way salted hash function to the master password over many iterations blunts brute-force attacks, because each guess costs the attacker the full iteration count. It is reassuring to know that all of my passwords are unique and complex and that I don’t need to remember them all.
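The salted, iterated derivation described above, as an added illustration that is not LastPass’s code: PBKDF2-HMAC-SHA256 turns the master password into a 256-bit vault key on the client, and only a hash of that key is kept as a login verifier. The iteration count and the verifier layout are assumptions; the article gives neither.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumed count; the article does not state one
KEY_LEN = 32          # 256-bit key, matching the AES-256 mentioned earlier


def derive_key(master_password: str, salt: bytes,
               iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated one-way hash of the master password.

    Each candidate password costs `iterations` HMAC computations, which is
    what slows an offline brute-force attempt against a stolen record.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def enroll(master_password: str) -> dict:
    """Create the per-user salt and a verifier; the vault key is never stored."""
    salt = os.urandom(16)                  # unique salt defeats precomputed tables
    key = derive_key(master_password, salt)
    verifier = hashlib.sha256(key).digest()  # hash of the key, not the key itself
    return {"salt": salt, "iterations": ITERATIONS, "verifier": verifier}


def unlock(master_password: str, record: dict) -> Optional[bytes]:
    """Return the vault key if the password matches the stored verifier."""
    key = derive_key(master_password, record["salt"], record["iterations"])
    if hmac.compare_digest(hashlib.sha256(key).digest(), record["verifier"]):
        return key  # caller uses this locally to decrypt the vault
    return None     # constant-time mismatch; nothing about the key leaks


if __name__ == "__main__":
    rec = enroll("correct horse battery staple")
    print("unlocked:", unlock("correct horse battery staple", rec) is not None)
    print("wrong pw:", unlock("wrong password", rec) is not None)
```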

Ray Coulombe is Founder and Managing Director of SecuritySpecifiers and RepsForSecurity.com. Reach him at [email protected], through LinkedIn at www.linkedin.com/in/raycoulombe or follow him on Twitter, @RayCoulombe.