Recently, a network admin for the city of San Francisco locked his supervisor and other administrators out of the computer system by changing their passwords. After ten days in jail—while his former coworkers frantically tried to get into the system, which was running unmonitored during that time—the guy gave the mayor the information needed to get back into the system.

"It's a perfect example," says Jeff Nielsen of Symark Software, of a situation where Symark's PowerKeeper 3.0 security appliance could have prevented the virtual hijacking. PowerKeeper is an appliance-based password management solution that automates password management, particularly in the tricky area of managing and securing privileged or administrative accounts. PowerKeeper replaces embedded credentials with one-time-use passwords and uses a process-based procedure that leaves a trail for auditing.

PowerKeeper works like this: You place a request with PowerKeeper for a password and it approves or sends the request out through a workflow process for approval. After approval is granted, PowerKeeper lets you check out a one-time-use password that authorizes you to perform the tasks you need to. When you're done, PowerKeeper resets the password so you can't use it again. It stores records of the previous 30 days of password entitlements so you can view and audit the history of all access requests that have been granted. "We keep it in an appliance because if you put it in software on a server, you enable it to be cracked. If it were on a server, someone could delete the password store," Nielsen says.
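The request, approval, checkout and reset cycle described above, as an added sketch; it is not Symark's code or PowerKeeper's API. The `Vault` class, its method names, the rule that requesters cannot approve their own requests, and the in-memory storage are assumptions made for illustration.

```python
import secrets
from datetime import timedelta

RETENTION = timedelta(days=30)  # the article's 30-day entitlement history


class Vault:
    """Hypothetical in-memory model of the workflow; not PowerKeeper's API."""

    def __init__(self, accounts, approvers):
        self.current = {a: secrets.token_urlsafe(16) for a in accounts}
        self.approvers = set(approvers)
        self.requests = {}  # request id -> [user, account, state]
        self.audit = []     # (timestamp, event, actor, account)

    def _step(self, rid, expected, new, event, actor, now):
        # Each successful transition is state-checked and logged; no stage can be skipped.
        req = self.requests[rid]
        if req[2] != expected:
            raise PermissionError(f"{event} refused: request is {req[2]}")
        req[2] = new
        self.audit.append((now, event, actor or req[0], req[1]))
        return req[1]

    def request(self, user, account, now):
        if account not in self.current:
            raise KeyError(account)
        rid = len(self.requests) + 1
        self.requests[rid] = [user, account, "new"]
        self._step(rid, "new", "pending", "request", user, now)
        return rid

    def approve(self, rid, approver, now):
        # Assumption: requesters may not approve their own requests.
        if approver not in self.approvers or approver == self.requests[rid][0]:
            raise PermissionError("approve refused: not an eligible approver")
        self._step(rid, "pending", "approved", "approve", approver, now)

    def checkout(self, rid, now):
        account = self._step(rid, "approved", "checked_out", "checkout", None, now)
        return self.current[account]

    def checkin(self, rid, now):
        account = self._step(rid, "checked_out", "closed", "checkin", None, now)
        self.current[account] = secrets.token_urlsafe(16)  # reset: old value is dead

    def history(self, now):
        # Only entries from the last 30 days remain viewable.
        return [e for e in self.audit if now - e[0] <= RETENTION]
```

A closed request cannot be checked out again, and the password returned at checkout no longer matches the account once it is checked in.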

PowerKeeper 3.0 uses the HP ProLiant DL360 G5 server for greater scalability and includes support for application-to-database connectivity and application-to-application (A2A) processing. In the case of A2A processing, an app must request permission from PowerKeeper to run. "We create an identity of that app by using program factors—what it runs and what it runs in—hash, name of hash, MAC address, user, and all available factors—and the admin can choose which factor to approve on. When the app sends the request to PowerKeeper, PowerKeeper checks the credentials. If they match, it grants approval," Nielsen says.

To learn more about PowerKeeper, see the Symark website at http://www.symark.com/index.html.

To learn more about the San Francisco network admin story, see eWeek's story at http://www.eweek.com/c/a/Security/SF-Mayor-Breaks-Up-IT-Standoff/.