An effective password policy is needed to prevent passwords from being guessed or cracked. The policy applies to passwords of all kinds of accounts: user accounts, system accounts, database accounts, application service accounts and so on. While it can be enforced relatively easily for human user accounts, it is difficult to enforce for passwords used in application-to-application communication. This article discusses the challenges and a possible solution for eliminating embedded passwords in applications.
Credentials used for application-to-application (A2A) authentication are typically hard-coded or embedded in the applications' configuration files. These credentials, including SSH keys, are easily sought after and can be exploited by attackers when left unprotected. Maintaining an inventory of these accounts, securing them and enforcing a password rotation policy on them impose significant challenges and overhead costs on IT departments. Embedded passwords are also hard to change, since they have to be modified in at least two places, which requires downtime and coordination between multiple teams. As a result, in many applications these credentials are never changed, leaving the organization vulnerable to attack.
In the Identity and Access Management space, Privileged Access Management (PAM) products have components which can be used to eliminate the storage of embedded passwords.
Removing embedded or hard-coded passwords from applications typically involves a one-time configuration and the integration of a vendor-provided library or web service call that fetches the account's password and establishes the connection. The embedded or hard-coded password is removed and, in its place, an API call is integrated so that the application connects to the PAM tool to fetch the password every time it needs to establish a database connection. Similar integration is required to eliminate passwords in scripts, to retrieve SSH keys, etc. With this solution, passwords are no longer stored in configuration files, thereby preventing personnel with access to the server from viewing them.
To minimize frequent hits on the PAM server, most PAM solutions provide password caching on the local server. The API checks the local cache first, as configured, and connects to the PAM server to refresh the password only if the cached copy is found to be obsolete or has exceeded the configured age. This feature also provides high availability, preventing application downtime when the PAM server is unreachable. The cached passwords are stored in encrypted form; each vendor employs its own scheme for securing the cache. The application passwords themselves are randomized and rotated at the interval configured by the PAM administrator.
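The fetch-on-demand, cache-by-age and fall-back-when-unreachable behaviour described above, as an added example in Python that is not code from this article or from any PAM vendor. The `pam_fetch` callable, the `seal`/`unseal` pair and `FakeVault` are assumed stand-ins for a vendor's API client, its cache protection scheme and a vault plus the database account it protects; the example also goes one step beyond the text by refreshing once and retrying when a cached password is rejected, since that is usually the sign that PAM has rotated it.

```python
import time

class PamUnreachable(Exception):
    """Raised by the PAM client call when the vault cannot be reached."""

class CredentialProvider:
    """Replaces a hard-coded password: the application asks the PAM vault for the
    account's current password and keeps a protected local copy for availability."""

    def __init__(self, pam_fetch, seal, unseal, max_age_s, clock=time.time):
        self._fetch = pam_fetch                   # assumed vendor call: account -> password, may raise PamUnreachable
        self._seal, self._unseal = seal, unseal   # assumed hooks for the vendor's cache protection scheme
        self._max_age, self._clock = max_age_s, clock
        self._cache = {}                          # account -> (sealed password, fetched_at)

    def get(self, account, force_refresh=False):
        entry, now = self._cache.get(account), self._clock()
        if entry and not force_refresh and now - entry[1] < self._max_age:
            return self._unseal(entry[0])         # within configured age: no vault round trip
        try:
            password = self._fetch(account)
        except PamUnreachable:
            if entry is None:
                raise                             # first fetch and vault down: nothing to fall back on
            return self._unseal(entry[0])         # vault down: serve the cached copy
        self._cache[account] = (self._seal(password), now)
        return password

def open_connection(provider, account, connect):
    """connect(account, password) returns a handle or raises PermissionError.
    A rejected password usually means PAM rotated it, so refresh once and retry."""
    try:
        return connect(account, provider.get(account))
    except PermissionError:
        return connect(account, provider.get(account, force_refresh=True))

class FakeVault:
    """Constructed stand-in for a PAM vault plus the database account it protects."""
    def __init__(self):
        self.password, self.fetches, self.reachable = "pw-v1", 0, True
    def fetch(self, account):                     # what the vendor's API call would do
        if not self.reachable:
            raise PamUnreachable(account)
        self.fetches += 1
        return self.password
    def db_connect(self, account, password):      # the database's own credential check
        if password != self.password:
            raise PermissionError("authentication failed")
        return f"session:{account}"
```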
The high-level migration approach for replacing embedded hard-coded passwords with a PAM solution is outlined below. This is only an indicative plan; the actual implementation plan varies from organization to organization and with the applications considered.
Identify the various scenarios where passwords are embedded and select one application per scenario, environment and platform. Implement PAM for the selected pilot application to identify the implementation challenges in the enterprise. Ensure the program is fully understood by all key stakeholders and supported by senior management. Conducting a pilot helps identify specific challenges and gives an opportunity to address them before the actual implementation. The next step is to prepare a detailed migration plan classifying the applications based on environment, platform and the feasibility of changing source code. The benefits of eliminating static embedded passwords are listed below:
- Mitigate Threats: Critical business applications are secured by eliminating embedded passwords in applications, scripts and configuration files, which mitigates both internal and external threats.
- Ensure Business Continuity: Caching passwords locally on servers provides high availability and reliability, reducing the risk of application downtime.
- Reduce Manual Process: Automate the management and rotation of application credentials to reduce the IT operational resources required to secure application passwords and SSH keys.
- Meet Audit and Compliance Requirements: Comply with internal and regulatory requirements for regularly changing application passwords.
- Monitor Privileged Access: Integrate with SIEM products to regularly monitor privileged access to critical resources.