Solved

DBA password documents for continuity

Posted on 2013-01-11
580 Views
Last Modified: 2016-03-23
First off – I am not an Oracle DBA; I work in a risk role.

However, for audit/risk purposes, I am told it is common for DBAs to have documents containing passwords for the databases they support, and host servers, in plain text. I believe this is for continuity purposes. Is this true?

For what reasons do you keep passwords in documents and what do you refer to such documents as?

Is there a risk in not having passwords documented anywhere?  Please elaborate in layman’s terms.
Question by:pma111
11 Comments
 
LVL 142

Accepted Solution

by:
Guy Hengel [angelIII / a3] earned 125 total points
ID: 38766699
consider this situation: there is only 1 dba account, and its password is "lost/forgotten".
the only way to change it is with DBA powers, but that's exactly the issue ... you don't have DBA access...

so, the normal process is to have a secure place (like a "bank safe") where a dba or his replacement could just open it with a proper process and use it... and then normally change it...

the "workaround" is to have multiple dba accounts, but still at some point you come to the same "risk" analysis: 1 dba is off, the one "on shift" is ill, and the third one will only come for the next shift in 8 hours and is right now not available by phone... : but you have a major database crash.
the risk is very low, but should be considered.
 
LVL 3

Author Comment

by:pma111
ID: 38766729
Ok thanks. Is this document referred to as anything? I want to ask our DBAs about their procedures for securing such documents, but I am not sure how to phrase the name of the document?
 
LVL 76

Assisted Solution

by:slightwv (Netminder)
slightwv (Netminder) earned 125 total points
ID: 38766836
I'm not sure if there is a standard name for this practice.  If your organization has a name for it, your system security folks should have it in policy somewhere.

Our security policy separates login accounts into two categories: user accounts and service accounts.

Service accounts are system level accounts like the admin accounts (DBA/sys admin), and application specific accounts.  Service level account passwords are stored in sealed envelopes and placed in a safe.

These are to be used in an emergency situation and once the envelope is opened, the password must be reset by the primary keeper of the accounts, placed in a new envelope and placed back in the safe.

This ensures there is not a single point of failure in the human aspect of systems.  It helps ensure continuity of operations (COOP).
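One way to model the sealed-envelope procedure described in this answer (open only in an emergency, log who opened it and why, force a password reset before resealing) is a small break-glass registry. This is an added example, not code from the thread or from any vendor product; the account name, actors and passwords in the test are constructed.

```python
import hashlib
import secrets
from datetime import datetime, timezone

class BreakGlassRegistry:
    """Sealed emergency ("break-glass") credentials: sealed -> opened (audited,
    reason required) -> password reset and resealed before reuse. The password
    stays on paper in the safe; only a salted digest is kept to reject reuse."""

    def __init__(self):
        self._envelopes = {}  # account -> {"seal", "digest", "opened_by"}
        self.audit_log = []   # append-only: (utc timestamp, event, account, actor, detail)

    def _log(self, event, account, actor, detail=""):
        ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit_log.append((ts, event, account, actor, detail))

    @staticmethod
    def _digest(seal, password):
        # Salted with the seal number so equal passwords in different envelopes differ.
        return hashlib.sha256(f"{seal}:{password}".encode()).hexdigest()

    def seal(self, account, password, keeper):
        """Seal (or reseal) an envelope; a reseal after an opening must carry a new password."""
        seal = secrets.token_hex(8)  # tamper-evidence number written on the physical envelope
        previous = self._envelopes.get(account)
        if previous is not None:
            if previous["opened_by"] is None:
                raise ValueError(f"{account}: envelope is still sealed; open it before resealing")
            if self._digest(previous["seal"], password) == previous["digest"]:
                raise ValueError(f"{account}: password must be reset before resealing")
        self._envelopes[account] = {"seal": seal, "digest": self._digest(seal, password), "opened_by": None}
        self._log("sealed", account, keeper, f"seal={seal}")
        return seal

    def open_envelope(self, account, actor, reason):
        """Record an emergency opening; returns the seal number expected on the envelope."""
        if not reason.strip():
            raise ValueError("an opening reason is required for the audit trail")
        env = self._envelopes[account]
        if env["opened_by"] is not None:
            raise ValueError(f"{account}: already opened by {env['opened_by']}; rotation pending")
        env["opened_by"] = actor
        self._log("opened", account, actor, reason)
        return env["seal"]

    def pending_rotations(self):
        """Accounts opened but not yet reset and resealed."""
        return sorted(a for a, e in self._envelopes.items() if e["opened_by"] is not None)
```

The audit log and `pending_rotations()` are what an auditor would review: every opening has an actor and a reason, and an opened envelope that was never resealed shows up until the keeper rotates the password.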
 
LVL 36

Assisted Solution

by:Geert Gruwez
Geert Gruwez earned 125 total points
ID: 38767122
it also depends on how many passwords you have to "memorize"

we have a password Excel which is locked with a password.
then someone saved the file over the original one with a different password and left the company due to some disagreement

next thing was to invent "password algorithms"
like if you have PRD database and DEV database, you put some prefix and suffix...
passwordPRDforDba
passwordDEVforDba
this required only memorizing the algorithm
then you get people who don't really like that algorithm and start new algorithms on different systems
in the end you have an excel containing all the algorithms for the password and it's best to lock that with a password.

See where we're going?
Save it in an ordinary text file on a server directory where only the DBAs have access to
> if the DBAs are all sick, ask a network admin for admin access to the server directory and hey presto no more problems with passwords

you could also setup a database containing all the passwords
> but where do you save that password ?
 
LVL 76

Expert Comment

by:slightwv (Netminder)
ID: 38767140
>>Save it in an ordinary text file on a server directory where only the DBAs have access

I have to disagree with saving it electronically.  A compromised system is a compromised system.  If I compromise the server with the spreadsheet, then I now have access to your databases.

Even with the password protected Excel spreadsheet you mentioned:  Do you know how easy it is to crack password protected MSoft docs?

If you are going to store them, do it in a non-electronic method.

>>then someone saved the file over the original one with a different password and left the company due to some disagreement

FYI:  This is why backups exist.  If you have a good tape rotation, you should have been able to recover some version with the correct password.  Granted the passwords might be old but some should have been valid.

 
LVL 23

Assisted Solution

by:David
David earned 125 total points
ID: 38767416
In a previous assignment, the client had switched to Cyber Ark to manage over five hundred privileged accounts, including the generics for schema owners, admins, queries, and power users.  Not a plug intended, so here's the wiki instead of the vendor site: http://en.wikipedia.org/wiki/Cyber-Ark.  In addition, password rotation enforcement was diligent.  Other auditing steps I'm not at liberty to discuss.

Another excellent alternative to a spreadsheet is Roboform, which I've used for many years.  Encrypted storage, with multiple password levels.

If I have to use a site's spreadsheet, I'm going to push for it to be on an off-network node, encrypted, and ACL enabled.
 
LVL 3

Author Comment

by:pma111
ID: 38767444
Any specific term you use for the documents/repositories storing the passwords, or are they included in another document set?
 
LVL 23

Expert Comment

by:David
ID: 38767562
My SSO was sufficient for access to the browser-based front-end, and my access was role based.  Obviously, when leaving employment, Security disables the LAN account immediately.  For the lesser-privileged accounts, the business process owner (BPO) had ownership of who could use the generic accounts.  As per common best practices, schema owner accounts were locked down except for scheduled DDL and maintenance.

Does that answer your question?
 
LVL 36

Expert Comment

by:Geert Gruwez
ID: 38776353
>>the LAN account
most people in IT have passwords to several accounts
 
LVL 36

Expert Comment

by:Geert Gruwez
ID: 38776363
>slight, disagree with saving it electronically
anybody can run off too with a piece of paper
 
LVL 76

Expert Comment

by:slightwv (Netminder)
ID: 38776492
>>anybody can run off too with a piece of paper

But you know 'someone' accessed it if secured in an envelope and it is stored in a secure location.  Then the 'audit' can start.

It is all about mitigating unauthorized access.  You will never stop it.