This is a call for suggestions and even possible solutions. I haven't been at a company that really seemed to get credential management 'right'.

I've seen Excel/Word documents and even Post-it note 'solutions'.

But my main question is what is the right way to do it?

I have initially thought it would revolve around KeePass a bit, but how would you manage those databases among users?

Also, of all the online password managers I have seen, none are really multi-user.

Hopefully this can bring a bit of perspective and shine a little bit of light on something that I haven't seen any great answers to.

A: 

To answer your question: very poorly.

We're looking to standardize on public keys for password-less authentication and shared group/passwd files. Our testing looks good so far, but we're still trying to smooth over some rough edges.

owenmarshall
+1  A: 

The company I work for sells data center automation tools to assist with exactly this. I'm not going to say who I work for, nor how much it costs (but it's distinctly NOT cheap).

The basic approach we take with that tool (used by hundreds of large companies) is to integrate LDAP/AD authentication against the corporate directory server. Then, as agents are deployed to the managed servers, permissions control can be set up in the product, which then manages access based on your user/group permissions to a given device group / server class / facility / etc.

As for how we, internally, manage credentials - I'll second @irixman's comment - we do it very very poorly :)

warren
A: 

This is a very good question. The two companies I've been at don't have a good handle.

I'd like to hear from some people that have had experience doing this in a way that is manageable and works. My sense of this is that it is a widespread issue that people don't talk about but just sort of cope with it.

+1 for the question and a star :-)

Lloyd Cotten