147

I work as the primary developer and IT administrator for a small business. I want to ensure that business can continue even if I suddenly become unavailable for some reason. Much of what I do requires access to a number of servers, (through key-based ssh), cloud services, and other secure infrastructure of applications. Some of these services use MFA, either using dedicated MFA apps (like Amazon) or SMS.

How do I ensure that my "hit by a bus" plan and documentation is complete and comprehensive, but that this documentation is not itself a security risk?

The documentation will be hosted on a shared file server behind our VPN, but that can also be accessed using a third party web frontend that puts a "DropBox"-like interface on top of the base file server (i.e. authentication, desktop syncing, file sharing, etc). The files are in a location where only I, and other file server administrators can see them.

How should I manage the "secrets" (passwords, private keys, MFA access) in this documentation to ensure it remains comprehensive without compromising security?

Anko
  • 189
  • 10
AndrewSwerlick
  • 1,489
  • 2
  • 10
  • 7
  • 103
    I have worked in places where the approach was asking people to try really hard not to get hit by a bus... It's not a good approach, but at least they'd considered it... – Matthew Nov 30 '15 at 16:57
  • So many great responses. I'll try to accept one later this evening. – AndrewSwerlick Nov 30 '15 at 21:57
  • 5
    Not a "duplicate" because of its non-work context, but you should definitely check this highly-rated post: [How can I give my wife emergency access to logins, passwords, etc.?](http://superuser.com/questions/514558/how-can-i-give-my-wife-emergency-access-to-logins-passwords-etc). – KlaymenDK Dec 01 '15 at 14:02
  • 34
    @Matthew around the water cooler: "So John, I was almost hit by a bus last night, but then I remembered you asking me not to last week..." – Michael Dec 01 '15 at 15:53
  • 1
    Have your email client send your boss the "secrets" one week from now. Cancel and reschedule the email before this week ends. – mucaho Dec 01 '15 at 17:09
  • 39
    "Last Will and Testament: I bequeath my house and all personal belongings to my beloved wife. And here's one for my fellow admins: It was "pa$$word" all along" – Hagen von Eitzen Dec 01 '15 at 18:46
  • 3
    I like the Netflix Chaos Monkey concept. Extend it to people. Take some unexpected, unannounced time off. For that time it will be the same as if you had been hit by a bus. – emory Dec 02 '15 at 00:39
  • 8
    I've gone the company-safe-deposit-box route, with content (incl. private keys) printed on acid-free paper in an easy-to-OCR font. – Charles Duffy Dec 02 '15 at 16:50
  • 3
    perhaps this is a bit too philosophical, but why are you worried about this? you will be dead. – user428517 Dec 03 '15 at 23:58
  • 1
    Write the sensitive information on a piece of paper (or even better papyrus (I'm not joking)) - Seal it in an envelope and give it to your solicitor/lawyer to put in their safe (for a small fee) with instructions that X/Y directors must jointly request access before it is released. – Matt Wilko Dec 04 '15 at 09:00
  • 1
    @sgroves - being incapacitated and unavailable for work is not the same thing as being dead. No where does the original question imply death. – Davor Dec 04 '15 at 14:46
  • You should put in your budget a one way ticket to the Bahamas, to test your new procedure once it is implemented – Arlix Dec 04 '15 at 14:51
  • @Davor i guess i figured if OP were incapacitated, they would at least somehow be able to communicate with the company still. otherwise i don't get the point of asking this. – user428517 Dec 04 '15 at 16:14
  • @sgroves Some of us care about our work enough to think beyond a paycheck that can be cashed and spent. Either a Team-First attitude and/or family could be invested in some form in the business, owners to employees. – bland Dec 04 '15 at 18:56
  • @bland of course. i care enough to think past that too. but once i'm dead, i'm dead. i will not care anymore, so i'm not going to literally waste time worrying about it while i'm alive. that's all it is—wasting your precious time to live. – user428517 Dec 04 '15 at 20:23
  • 1
    @sgroves - even a most trivial surgery or an accident can take you out completely for several days. And if you hit your head good, you can be out for several months before waking up. – Davor Dec 04 '15 at 21:25
  • @sgroves "hit by a bus" is meant to be a humorous expression to imply unable or unwilling to continue performing the job. The idea is to put a transition plan in place so that even if I have to leave unexpectedly, the company is safe. This has the upside of making it much easier to leave expectedly as well. If you want something less morbid, I've heard people use the phrase "win the lottery" plan. (ie you win the lottery and suddenly quit your job) – AndrewSwerlick Dec 04 '15 at 23:09
  • 1
    I had a colleague who was the only one working on some project for two years, who was _literally_ hit by a bus. Nobody knew anything about how his code worked (mostly writing Linux kernel drivers, the rest of the company made websites). Anyway, his elbow was broken but he was able to return to work after a few weeks with his arm in a sling. This risk is obviously overblown :-) – RemcoGerlich Dec 05 '15 at 22:01
  • 2
    The reason for asking this question can be as simple as needing something to say if the boss asks what he/she should do in the event that you are hit by the bus. Telling the boss "I don't really care what you do cos I won't be here" might not be acceptable. – Dawood ibn Kareem Dec 06 '15 at 01:57
  • @AndrewSwerlick : It also depends on when you are. **For example** in my country, we recently [designed an article in a bill](https://www.republique-numerique.fr/project/projet-de-loi-numerique/step/projet-de-loi-transmis-au-conseil-d-etat "Chapitre Ⅱ article 28") describing a process to ensure the transmission of sensitive electronic data after the death of the person handling it. – user2284570 Dec 07 '15 at 16:15
  • Print it, envelope it and give it to your boss? That would be my approach – BlueWizard Jan 05 '16 at 21:45

8 Answers8

82

My advice would be to remove the secrets from the drop-box and store them elsewhere. Your instructions have to be easily human readable by anyone, but they can include instructions on how to get access to the properly secured part of the data. That lets you separate the accessibility side of things from the security side.

Once you can think about security on its own, you can start to ask the real question of how much do you need to protect these keys? This is a business logic question, so consult your management. You might:

  • Have a password to a file that everyone knows
  • Have a file set up with multiple passwords so that each individual maintains their own copy.
  • Have a file locked by a M-out-of-N algorithm (the digital equivalent of requiring two keys to unlock a safe).
  • Have a M-out-of-N algorithm with one 'master' password required regardless of which group of individuals unlocks the file, and that one master is physically kept in a tamper-evident safe that you check every now and then.

Use creativity here. Whatever you do, the decoupling of "instructions" with "sensitive information" frees you to properly safeguard the information, and then provide instructions on how to get that data later.

Your business logic decisions will also include uptime questions. If something goes wrong in your life, how long does another admin have to take over your work before business is affected? Consider how well replicated you want these instructions and sensitive information to be in case of server glitches. When I was administering a server and needed to store instructions on how to restore it from backup, I used the server's own wiki to store that information for easy viewing, but obviously that wouldn't be so useful in a glitch scenario, so I also had a copy on the dev VM of that machine, saved off copies of it on 3 separate PCs and a printout. I couldn't guarantee the printout would stay up to date, but I made sure that I could do my best.

This also points out something which is not always part of a hit by the bus plan: graceful degradation. Not all hit-by-the-bus scenarios involve getting hit by a bus. Some involve you just being inaccessible at an unfortunate time. Some involve you leaving the company, but being available for a question or two. Others... do not. Consider layering the plan. Small mishaps may be very well protected, while greater mishaps may still result in business loss while everyone gets things together, but nothing permanent. To use my backup restoration plan as an example, the printed version was almost guaranteed not to be fully up to date. But if lightning wiped out every computer for a city block, it was still more helpful than nothing. On the other hand, if the server just thew a harddrive, and I had to restore from backup, the version I kept sync'd on the dev box was almost certainly up to date.

Example of this failing: I was a user on a network managed by KERBEROS by an admin that was distrustful of others and did not have a hit-by-a-bus plan. When he... left, we had a hacking party to try to break his server. In the end, our best impromptu hit-by-a-bus plan was to wipe the machines (every one of them) and start from scratch. Note that, while this wasn't the best plan (in fact, I think its the worst plan?), the business kept moving. We just got stagnated for about two days and had a bunch of grumpy customers. In the words of Frank Herbert's Dune, "The spice must flow." Even in the worst case (which may involve a curious incident involving your server's harddrive flung out of the bus and hitting you on the head, destroying all record of the hit-by-a-bus plan), business does have a way to keep moving... but I approve of trying to raise the bar a wee bit more than that!

Cort Ammon
  • 9,216
  • 3
  • 26
  • 26
  • 2
    It was hard to pick a single answer for this one because there were so many good recommendations, even in the comments. I ended up accepting this one because the comments about graceful degradation made me think through some key concerns I hadn't been thinking about before. – AndrewSwerlick Dec 01 '15 at 03:37
  • 7
    While I agree with much of this, I think it could benefit from emphasising "Type it up, print it out, and put it in a fire safe". That can contain everything other than your SSH keys/passwords, which can be in a (backed up) keeppass style database on a USB key in the same safe, and accessed by a password in the printed plan. Job done. – Jon Story Dec 02 '15 at 14:04
  • @JonStory That is an important part about it. The other half that is important is the management of access to the safe. Managing that for when you get hit by a bus while not creating unacceptable weaknesses for your company while you're still working normally, that's the really interesting bit to me, because there is no easy provable answer. Everything is shades of grey and business cases for that part of the problem. A hit-by-the-bus plan that opens a hole for an exploit because someone got access to passwords can be dangerous. – Cort Ammon Dec 02 '15 at 14:57
  • And store the combination to the safe securely on your server's hard drive. No, wait ... – Dawood ibn Kareem Dec 06 '15 at 02:00
  • By 'M out of N Algorithm' you are probably actually referring to a threshold cryptosystem. – trognanders Dec 06 '15 at 09:56
73

Get a USB device. Put all secrets on the USB, preferably in a KeePass file. In the documentation, tell the new person where the USB is and how to unlock it, but put the device in a secure physical location like the owner's office, the company safe, a secure deposit box, etc. Somewhere out of the reach of the public, and away from the prying eyes of other employees.

The advantages of this plan are:

  • It's not on the internet or internal network
  • You can be assured the new employee has at least managed to convince the person in charge of the storage location that they are authentic (and most likely will be flanked by high-level employees to even get near your storage location).
  • If someone tries to get at the flashdrive before you, er, get hit by the proverbial bus, that someone should probably think to themselves, "Hmm, Andrew is still alive. Why is someone touching this?"
  • If someone finds your documentation, the amount of damage they could do is limited (especially if they managed to break in over the internet -- very few people are going to road trip for your information).

To find the goodies, they need 1) your documentation, 2) physical access, 3) you to be 'pining for the fjords'. The USB is also a neat little package for the next person -- plug and play! Or panic, depending on how important you are to the company.

Ohnana
  • 4,727
  • 2
  • 24
  • 39
  • 3
    How can this deal with frequently-changing secrets such as passwords? Every time you change a secret, you need to physically access the USB and update it. It only takes one frequently-changing secret to cause this problem. – Martin Nov 30 '15 at 18:42
  • 2
    Yes, that is a drawback. It does require upkeep. However, disaster contingency is not a "one-and-done" process. A frequently changing secret forces you to keep your secret database up to date, and see any problems before you are out the door. – Ohnana Nov 30 '15 at 18:45
  • 48
    What about this? Use a public/private key pair to encrypt frequently-changing secrets, and the USB contains the information needed to decrypt them. The encrypted secrets could be stored anywhere that's easily-accessible, and updated as needed, without needing to physically access the USB. – Martin Nov 30 '15 at 18:48
  • 7
    heh "plug and panic" – Chris Thompson Nov 30 '15 at 21:10
  • 26
    Make several copies. USB drives can go bad. Also, everything should be on paper with the USB drive. – Jim Garrison Nov 30 '15 at 22:18
  • 6
    what if the place where the drive is burns? or the drive fails? make copies and put them in more than one place – njzk2 Nov 30 '15 at 22:45
  • 1
    "*very few people are going to road trip for your information*" - depends on the kind of information, I'd say. – Bergi Dec 01 '15 at 12:32
  • I am not very important, but my passwords are in a sealed envelope and the boss knows where it is. Obviously I can't do this with all passwords, but if you have the one you can get at the rest. – RedSonja Dec 02 '15 at 11:54
  • 2
    @njzk2, safe deposit box facilities are, as a rule, well-secured against fire. – Charles Duffy Dec 02 '15 at 16:50
  • @RedSonja The problem with that someone (your boss, if no one else) could then log in as you and do nasty things… – Blacklight Shining Dec 03 '15 at 07:45
  • @JimGarrison In short , handle usb get hit by bus situation – Tachyons Dec 03 '15 at 08:08
  • I think that a secure physical media which can only be physically accessed by whoever happens to be the CTO of the company is a good way to go here. – Max Williams Dec 03 '15 at 09:27
  • @Blacklight that's what he said too, but as long as no-one broke the seal it's still ok. He is the boss, after all. Theoretically the system admins could do it too, but they never seem to. – RedSonja Dec 03 '15 at 09:34
  • @njzk2, I would consider this a non-issue for the most part because the whole point here is a redundancy. The likelihood of being hit by a bus at the same time as the secure facility catching on fire is extremely, extremely low. Not impossible, mind you, but perfect safe measures are impossible to achieve. We can only make things less likely to happen. – Kat Dec 03 '15 at 21:47
  • Depending on the size of your company, the importance of the data, etc, it may be worthwhile to have duplicate USB sticks in several different physical locations (different states, or countries even). This way something like a flood, an earthquake, a bomb, will not result in loss of the critical data. – Steven Gubkin Dec 03 '15 at 22:06
  • 1
    Supposedly, many USB flash drives will lose their data in ~1yr of being unplugged (varies a fair bit depending on ambient temperature, exact flash used, etc.). Some more expensive ones claim ten years, make sure to at least be using one of those! (And a brand new one, writing wears them out, lessening the unplugged duration). Consider archival grade DVD-R. That should give you much longer. Or of course acid-free paper—will outlast your company if stored in a dark, dry place (like a safe). – derobert Dec 04 '15 at 21:56
  • @RedSonja I would hope that sysadmins would have to either do something like `sudo -iu $username` or take the system down and mess with it in order to get logged in as someone else. The former would be logged; the latter presumably noticed by someone else. – Blacklight Shining Dec 08 '15 at 12:35
28

Create 'emergency use only' accounts

For most systems, you will have some kind of privileged accounts that are used in their everyday administration, those may or may not be personalized depending on your organization policy.

As for any credentials, you may lose access to them for various reasons - either by the person knowing them getting hit by a bus, or by losing the intended secure storage of that credential (e.g. losing a computer in a fire) or by somehow managing to change a password to something they don't know, etc.

What may be useful is to create separate accounts for key systems that have full access, but are not intended for everyday use. This implies:

  1. At the moment, noone is unable to access them - no person knows the required passwords.
  2. If someone accesses them, everyone should be informed (as it's not supposed to happen in normal circumstances). For example, automated scripts that email multiple key users upon login, all the actions from those accounts get logged and your everyday monitoring would light up if something is run from those accounts.
  3. When required, people can get access to these accounts - a simple way is to generate a long password or key, print it out, put it in a sealed and signed envelope, and lock it in a safe.

Put your back-up procedures and credentials there

When you maintain your procedures, hit-by-a-bus plan and lists of secondary credentials in whatever way that's convenient for you - just make sure that these documents or password databases are also accessible from the emergency use account.

Peteris
  • 8,389
  • 1
  • 27
  • 35
  • 2
    This is what we did at the last two places I was the [only] "IT guy." We then put all those credentials and the like onto two USB sticks, encrypted them with a password the owner/CEO chose, and stuck one in the safe in his office, and the other in the fire-proof safe we used for our archival backups. – HopelessN00b Dec 03 '15 at 04:55
11

Maybe a better solution to your situation is to design the system such that even if you are hit by a bus, and your credentials are lost forever, nothing bad happens.

Perhaps it's best to think of the problem as two problems, authentication and authorization.

Authentication establishes that you are who you claim to be. Some system can know that a request it really came from you because only someone with your credentials could have made the request, and only you know the credentials.

Authorization establishes that you are allowed to do a certain thing. A request can be authentic but not authorized.

If at least two people are authorized to do a thing, then it doesn't matter if one of them is hit by a bus. Alice may be killed by a bus, and knowledge of her credentials lost forever. But Bob knows his own credentials, and he's authorized to do anything Alice could do.

If the system is designed in such a way that anyone could be literally hit by a bus and killed, it also means it's possible to revoke one person's credentials. Former employees, especially those that leave on bad terms, are a security liability. You can't force a former employee to forget a password, so to be safe you should change all your shared passwords whenever an employee leaves. In practice this is too much of a pain and it isn't done. Not sharing passwords in the first place solves the problem.

Never sharing passwords also preserves accountability. You can't run a business with no administrators, but you'd like to have the ability to know if a particular admin abuses his powers. Ultimately the threat of termination or litigation dissuades any admin from abuse. If passwords are shared then "must have been one of the other admins with the password" is a plausible defense.

Sometimes you run into situations where it seems impossible to avoid sharing a password. But there's usually a solution, even if it's not immediately obvious.

Do you need to share root passwords? No, you can not have a root password at all, and instead use sudo.

What about AWS root credentials? You can use IAM instead.

Maybe you have an especially brain-dead web application you can't avoid? You may not be able to fix this one but you can cover it up: use a password manager that allows sharing credentials among multiple users. (I know LastPass can do this). While you are still sharing the password, you at least have an automated means for changing it and distributing knowledge of the new password. Change the password at least whenever an employee leaves, but preferably more frequently.

Phil Frost
  • 725
  • 4
  • 10
  • Great in theory, but I have never, ever worked in an environment where this was 100% possible. Given that the OP is working in a small business, there is an even greater chance that this will not be feasible. – schroeder Dec 01 '15 at 22:16
  • @schroeder I think it's more possible than people realize, and when it's really not possible, there are solutions that at least make the situation less horrible. Edited to call out some likely scenarios. – Phil Frost Dec 01 '15 at 22:27
  • I worked in a place that actually had Bob and Alice, and they were forbidden to do dangerous things at the same time. Being human, they went rock-climbing together. Fortunately they survived, but really. – RedSonja Dec 02 '15 at 11:56
  • 2
    Just don't let Eve provide the rope. – Dawood ibn Kareem Dec 06 '15 at 02:05
6

Most of the answers here relate to the handling of credentials, probably due to this explicit question in the OP:

What's the best way to manage the "secrets" (passwords, private keys, MFA access) in this documentation to ensure it remains comprehensive without compromising security?

However, the title asks a different question, which I don't see addressed:

Developing a secure hit by a bus plan

The answer the that question is automation.

In devops, I find that most of the server side of the position falls into two categories:

  • Fix the infrastructure: Here is usually nothing to automate: every problem is different. In those cases familiarity with the infrastructure (servers, network, how the devs interact with the Git repos) is key.

  • Maintain the infrastructure: Create new VM instances, set up Apache, enable dev access to resources, etc. This is the place where automation is most visible.

Those the role of automation in the latter is obvious, the key to successfully fixing problems in the former is automation in the latter. The automated Python and Bash scripts serve as living documentation of what is expected of the servers and network: when the workflow changes it is the scripts that change. Git records changes that may be applicable to older servers, and git commit messages are explicit.

dotancohen
  • 3,696
  • 3
  • 25
  • 34
  • 3
    *"[t]he owner of the company has my user password for logging in"* You should never share your credentials with anyone, once someone else has access to them it's not your account any more. Implementations like the ones described by [Cort Ammon](http://security.stackexchange.com/a/106859) or [Peteris'](http://security.stackexchange.com/a/106865) provide a higher degree of security. – Albireo Dec 01 '15 at 13:43
  • 1
    @Albireo: It was never _my_ account, even though it is called "dotancohen". It is the company owner's account, just like all the rest of the hardware and intellectual assets are. I am merely the primary user of that hardware and that account, in order to fulfill my job! Note that Cort Ammon _exactly_ describes this type of password-sharing in his very first bullet point. Furthermore, the solution mentioned in Peteris' post is not conductive to our organizational structure, though I completely endorse it for the use case from where it is known: missile launch codes. – dotancohen Dec 01 '15 at 13:57
  • 1
    Your password is not just about your *authorization* (the privileges that attend to your account) but also about your *authentication* (proof it's *you*). An account assigned to you for your use should *never* be accessible by *anyone*, not even the owner of the company, because then there is no ability to presume that actions taken by your account were actually performed by you--so it is a different kind of risk for a business to share passwords because then no one can be held responsible for anything, "hey, other people know the password to my account, it must have been one of them." – ErikE Dec 01 '15 at 18:54
  • @ErikE: Your point is well made, and you are correct. Fortunately at our company of <20 people that was not an issue. Furthermore, I personally consider the plausible deniability to be a feature, not a bug! – dotancohen Dec 01 '15 at 19:52
  • 2
    It's so easy to create another account that is used for particular scenarios that in my mind, there's no excuse, no matter how small the company, for a person's personal account used for daily logins to be used by more than one person. – ErikE Dec 01 '15 at 20:09
  • 1
    @Albireo: I removed the controversial section that you and others object to. I see that it was distracting from my pertinent advice regarding automation. – dotancohen Dec 01 '15 at 20:30
  • @ErikE: I removed the controversial section that you and others object to. I see that it was distracting from my pertinent advice regarding automation. – dotancohen Dec 01 '15 at 20:31
2

This isn't another idea on how to do it per se, rather a point to flag up something that has not yet been discussed but is very important. I'm proceeding from a standpoint that these secrets are really business critical.

Testing.

Some disaster recovery scenarios have been posited. Some are simple, some are more complex. The more the complexity, the more reason to test. This issue comes from how do you test some one being 'removed' from the scene in a business critical environment? Putting a 20mm round through your production server during Christmas trading, with your primary IT guy incommunicado will be difficult to get though the board of your toy factory. This is the dilemma facing the board. If it's important, you need to test it. Is it too important to test though?

Simple things will catch you out. Some one has mentioned putting data into safes. Great. A lot of people keep their safes in the basement where it's secure and away from people. It's also the place that initially fills with water following a minor fire. Another; your dodgy payroll clerk has been doing really dodgy stuff with your payroll. The police come in and confiscate all your servers for the ensuing investigation. It takes a year to get them back. Don't roll your eyes - it happens.

Business continuity is a fairly established art, so just do what NASA, Google, Barclays, the army and nuclear power stations do. Make redundancy. I'm sorry to say it Andrew, but you're the principle risk to the company in this scenario. The board need to be made aware of this, and you and at least some of your kit needs to be made redundant (in the duplication sense).

In the meantime, get your ops director to get some critical person insurance and /or business continuity insurance.

Paul Uszak
  • 21
  • 1
1

I'm in a very similar situation as the sole IT admin for a mid-size company with a lot of scattered, loosely related custom software on different platforms. Worse than that, I wrote all the software for the company over the last ten years, from their POS system to online reservations, a homebrew CMS, employee training software, etc. At this point I'm the only person who understands or has ever even seen the source for those things. As the company has grown, I've been asked more than once not to get hit by a bus. I'll tell you what our solution to this has been.

  1. Understand that there will be disruption. Manage expectations. If the company doesn't want to hire a redundant person, presumably a well-paid one, to learn everything you know, then they need to expect there will be a very steep learning curve for anyone who needs to come in during an emergency and try to fill your shoes. This is true no matter how great your documentation is.

  2. Make sure the service bills are going to the company, not to you.

  3. Continuity of business document. At a point I was asked to write a doc that lays out in plain English, that the CEO of the company can read, exactly what servers we have, what is on each server, what each piece of software does, and the passwords for those accounts. Within that are notes and tips for anyone who came along and needed to keep it running. However per (1) it is understood that it would take a book to explain in detail the functions, known issues and limitations, and structure of all the software. So this document contains the bare essentials, with the hope that once someone got into the code they will start looking at cron tasks and reading comments and get a handle on how it works.

I update the continuity document when necessary, PGP encrypt it so it can only be opened by the CEO of the company and myself, and upload it on their webserver to an address he knows. The CEO is responsible for keeping his PGP key safe. That's all there is to it.

And listen - if they're not even gonna let you relax after you're dead, it's time to ask for a raise.

joshstrike
  • 111
  • 1
-1

Your solution, in order to be comprehensive, must be a combination of procedural and technical controls. The best way to understand it is to see technological controls as providing the capability to enhance your procedural security. They make some controls possible, and others easier to execute.

With this in mind, it will largely depend on how you're using your PKI. If you're in a smaller organization, budget constraints may limit what you can do, but if possible, I'd recommend a Hardware Security Module (HSM) to protect your private keys--at the very least, the private keys of your internal CA, if you have one. Vendors in this space include Thales and SafeNet.

As for passwords, there are a number of password management solutions designed to service organizations. The most important thing to look for is either one of two things: A solution which offers the ability to entitle a user with the access privileges necessary to do their job within a pre-defined time window without having to give said user the actual password to the system/application, AND/OR a system designed to support split-secret knowledge (where no one individual has the complete password).

Some security vendors offer a means to create additional role separation in what an AD Domain Admin or DB admin can do (for example, they may be able to add users to groups, but not enable the ability to actually open/modify files that membership of that group normally entitles them to--that ability would be handled by yet another admin who likewise cannot add/remove users to groups). One such vendor is Vormetric--they do this with their data at rest encryption product.

While executive support is important to the success of any organization's security strategy, it becomes especially vital in the absence of a vendor solution which provides these capabilities--because that means you'll likely need to step up your security awareness programs to foster the kind of culture change that will support the necessary procedural controls most IT users aren't used to--where domain and enterprise admin privileges are strictly controlled, and entitled only after change management approval is granted, and only during a specific time window. IT admins must incorporate multi-person password + Physical controls.

Examples include using 2-4 people to generate halves of a 12-character password. One pair of personnel generates the password and enters it into the "New Password" field. The second pair re-enters the password components that the first pair created (to help ensure one of the first pair is not maliciously or unintentionally mis-typing the password each time, rendering the account inaccessible once the password is changed). Using a second pair of personnel also ensures that the passwords are legible as-written. Once the password is changed, the password fragments are then stored in separate opaque envelopes, sealed, labeled, and deposited in tamper-evident bags. Bags can then be dropped in a physical safe. Replicate the process for off-site backup storage, but incorporate processes to ensure password updates are replicated each time for each site. If tamper-evident storage is not enough, look for a GSA-approved double-combination safe (X-10 Kaba Mas, for exmaple), and incorporate the same split-knowledge procedure. For additional protection, store the safe in a location with a CCTV camera system monitoring the area, and incorporate a warning to all employees that anyone found in the area without prior written permission to enter may be subject to termination--again, this should come from the top.

It really just depends on your threat model and what appetite your organization has for security.

Daniel
  • 324
  • 2
  • 6
  • 9
    I think you misread the question. It is not about the content, but about the secure storage and eventual communication of the content to his successor. – schroeder Nov 30 '15 at 17:32