Hit by a Bus/Keys to the Kingdom

[streaker69]

My fellow BOFH's, I recently got audited, a rather minor and lame audit, but it was an audit all the same. One of the things that came up of course is who has all the passwords to the network. My response was, "just me", which is true, I'm the only one that holds all the passwords, effectively the keys to the kingdom.

The auditors of course didn't like that, because after all, what happens if I get hit by a bus. The company could have a lot of trouble recovering passwords from all the equipment and servers. I had always been meaning to come up with a plan for all that important information, that is needed, but you don't want just anyone to know.

I'm curious as to what you guys that are in similar positions as I am do. Most small to medium size companies normally have 1 or 2 people in IT, so policies are normally left up to them, and just reviewed by superiors but with no real input from the superiors.

[thorin]

IMHO. Singular IT Human Resources are a valid Single Point of Failure issue.

There are a number of ways to handle this including: safe deposit boxes, firesafes, etc. Unfortunately the majority of solutions require a second person have access to the information (though indirectly).

My best suggestion would be a dual lock kind of situation where no other single person can get them. I.e.: A firesafe with dual locks, a safe deposit box that requires signatures from two different people, etc.

The answer to this question really requires a Threat & Risk Assessment all its own.

[streaker69]

IMHO. Singular IT Human Resources are a valid Single Point of Failure issue.

There are a number of ways to handle this including: safe deposit boxes, firesafes, etc. Unfortunately the majority of solutions require a second person have access to the information (though indirectly).

I agree with you, which is why I was looking to see what others in my position do. I did implement a plan, but before I say what I did, I was curious as to what others were doing.

[theprez98]

You could just escrow all your keys with the government, a la the Clipper Chip.

[Barry]

I'm telling ya, post-it notes in the hardware.

[webtrol]

I guess any plan would have to somehow address the following:
1) ability to retrieve the keys by company without help from you.
2) log of that retrieval and sufficient safeguards to make it not as easy as 1-2-3
3) security for the keys.
4) has to make sure the plan can withstand a lawsuit based on information lost if key ever got out (legal duty etc)

Solution/Problems:
1) safety deposit box - only available during bank open hours.
2) lawyer - employees of the law firm might have access to it.
3) encrypted file with logging to Permanent storage device - as good as implementation.
4) second user with the evil root rights. - "You can keep a secret that is known to 3 people ...only if the other 2 people are dead."

I would go with bank if it is ok to wait for it to open, or lawyer with specified agreement that the keys can be retrieved at any time day or night etc.

Sincerely,
Trol

P.S never had this problem in RL.... so this is all speculation for me. Cant wait to hear how you did it.

[streaker69]

Here's what I did.

I created an Acrobat PDF template file that lists all appropriate user accounts (domain, root and such) as well as lists all the infrastructure devices that have logins. Also is a list of websites that I have 'company' accounts on, sites that I purchase from, sites that hold some of our license and maintenance agreements, generally any site that I use.

I use the sheet as a checklist when it's time to change passwords, once completed, I electronically sign the form and print it. I then secure the form that it cannot be opened with a password, this is only done because to electronically sign it, I have to save it.

Once it is printed, I place it inside a sealed envelope that I then sign and date it across the seal and place it inside our tape safe, which is fire rated and waterproof. Only myself and two other people know the combination to the tape safe, which is also locked inside our file room.

Each time I update the list, I pull the old one out and run it through the crosscut shredder. The only people that know that this procedure is in place is my direct supervisor and the Executive director, so no one else even knows to look for any such document.

I'm open to suggestions on improvements.

[BlackRS]

I keep all but the three most important passwords in an encrypted folder. The three big ones (firewall,domain admin,routers) I seal in a signed and dated envelope that is stored in a firesafe in the CEOs office. I do not have access to the safe. It forces me to commit the most important passwords to memory. I have only once had to ask the CEO to unlock the safe.

[imported_BaconZombie]

In my last job where I was the only IT person onsite so I had to write and deal with ALL the fecking IT SOX documenting and auditing.

On the password side I have to write out all the Usernames\Password, and the get the SPOC {Single Point of Contact} who was the Financial Director and MD to co-sign it. The seal it in an envelope which was then put in a fire-proof box and store in a banks safe.

And due to the fact that are local bank {which we had all are account} was within 2Km of the Office I was not able to us them because if there was a bomb, "Terrorist",ICBM {joking} or Nuke {no joking} attack it would be inside the quarantine zone.

The bank had a very select group of people {3} who could access to the records, and this was audited by a auditor during are quarterly audits.


*/

If this does not make sence it due to lack of sleep, will review and edit if needed after some coffee

*/

[Archangel-Amael]

If I remember correctly when I was in the service in order to access a restricted area (like an arms room) first thing to do was get the keys to a safe that were stored in another safe off site, with logging. Then we opened the second safe with said keys again with logging. Then we took yet another set of keys to gain access to the secured area now the keys only opened one door and then in order to open the other door one must know the access code. Once on the other side there was another access code that must be entered in order to completely shut down the motion sensors and alarms. Those were monitored by the Military Police. So effectively this has at least seven people involved in the process. But no one person could have access to the other person's secrets as it were. Now if that is not complicated enough then there was the aspect of random inspections and audits of the program. Now there are cameras and RFID tags w/readers around as well. The camera should be obvious but each individual that had access to a certain portion of the "puzzle" also has to insert the access card with RFID chip into a reader in order to continue each process. So I guess you could keep your passwords locked up in such a fashion.

Now with the government money usually is not object. But I guess a company could do the same thing. Course I guess that might be over kill depending as others have stated the value of said data. But when you are dealing with National Security secrets or Machine guns it might be appropriate.