Audit Said What?! How you can Eliminate Hard-Coded Application Credentials and Manage Them

Josh Raduka, IAM Consultant, SecureITsource, Inc.
Did the findings of a recent security audit ruin your sweet dreams? Or maybe the thought of a never expiring password seen by countless eyes keeps you awake at night. Perhaps there are clear text passwords hard-coded directly inside your company’s applications or scripts, and now you are tasked with managing them!

Back in the day, changing the delicate hard-coded application passwords wasn’t even an afterthought and unfortunately that still carries over into today’s world. After all, the application uses it and no one wants the nightmare of breaking the application\script or creating additional IT challenges just to change a password. This is why I believe hard-coded application credentials became a “set it and forget it” type of deal… except developers don’t forget it, app support doesn’t forget it, and not to mention, any attackers poking around. Any idea how many developers have seen your privileged application credentials and left the company? Privileged application credentials are also a target for attackers and having them hard-coded in your application is not the right place to keep them.

Fortunately, there is good news, and no, it does not involve a commercial promoting the best sleep of your life as you fall asleep with a peaceful smile obviously not thinking about the any of the side effects.

Instead, there is a solution known as Application Identity Management, or AIM. AIM is a piece of CyberArk’s Privileged Account Security Solution designed to help you secure, manage, and automatically rotate credentials baked into application scripts, software code, and configuration files. Additionally, if your scripts are using SSH keys, these can be managed as well.

By now, you are about to start scrolling down or have already begun scrolling to find the good stuff, like how it works, and how can it be deployed, so allow me to explain.

Application Identity Management

As previously stated above, AIM can not only help your organization remove hard-coded credentials from applications, configurations, and/or scripts, but it can also rotate the passwords with little to no human interaction. So, if the hard-coded credentials are removed from the software code, then where are they? How does the application get the credentials and how are they rotated?

To answer the first question, you will need CyberArk’s Digital Vault. The Enterprise Password (EPV) technology acts as the highly secure, centralized storage location that will keep your passwords safe and available to only those that need them. It is a dedicated standalone server available in cloud and on-premises deployments. Multiple vaults can be deployed together for high availability and disaster recovery.

The next question focuses on how the application/script can retrieve the password and can be answered in multiple ways depending on the application’s requirements.

Secure local cache – This cache is supplied by an agent, known as the Credential Provider, which is installed on the application server (or server that runs a script). The local cache ensures the highest availability and performance, independent of network availability. In the event that your network crashes or a mysterious firewall rule gets in the way, you’re covered and your application will retrieve the password from the built-in cache. The agent communicates with the Vault via an API to retrieve credentials.
Central Credential Provider – An agentless deployment on the endpoints recommended for the non-critical applications, cloud service solutions, and desktop applications. Multiple applications can communicate with the Vault via web service call to retrieve credentials.
Application Server Credential Provider – This solution is built for data source credentials in Application Servers like IBM WebSphere, Oracle Weblogic, JBoss, and Tomcat. These credentials can be changed without any downtime ensuring business continuity.
And last but not least, how are the passwords rotated?

This job is completed by another CyberArk component called the Central Policy Manager, or the CPM. The CPM has the capability of automatically changing passwords on remote machines based on your company’s enterprise security policy. Whatever length of time your policy indicates a password change should occur (ex: 60, 90, 120 days), the CPM will automatically generate a new random password, change it on the target system, and store it in the Vault. If that password is used by an application that is linked with a credential provider, then the provider will also receive the new password and its local cache will be updated.

With careful planning, expert advice from SecureITsource, and all the right components in place, CyberArk’s AIM solution is your key to a good night’s sleep while managing and securing passwords and eliminating hard-coded credentials from applications.

SecureITsource is an authorized reseller and professional services partner with the industry’s leading Identity & Access Management solution providers. Our team of experienced consultants help our clients to achieve their IAM goals by providing strategy, design, and engineering expertise.