UK debit card processor updates password management

Von Todd R.

With more than 800 hardware and software passwords to track across its IT operations, British debit card transaction vendor Voca Ltd. decided that its outmoded handwritten paper and pencil system had to be replaced.

"With the growth of the company, and multiple site locations, it became impossible to manage passwords properly," said Keith Reeve, manager of certification authority and access control at the London-based company. "We knew for some time that we needed to do something."

So when one of Voca"s facilities was relocated last year, and after an IT security audit that recommended action, the company decided to solve its password management challenges.

In January, Voca deployed Network Vault software from Cyber-Ark Software Inc., Reeve said. The application, installed on its own in-house Windows server, creates a special ultra-secure "vault" on a standard hard drive where passwords are automatically stored, maintained and cataloged. The server is on a network but is protected with various levels of security, including encryption and authentication, allowing it to be accessed only by authorized workers.

The company, which is responsible for debits and credits for bank accounts in the U.K., handles about 4.5 billion transactions per year.

Until the company rolled out Network Vault, its password records were kept on paper by IT workers who stored them in on-site safes at each facility, Reeve said. The safes took up floor space, and the manual entries were labor-intensive. Keys for the safes had to be safely stored, and workers had to travel to make off-site password changes, adding to the costs of password maintenance. Some of the passwords were changed infrequently, while others were changed on a regular basis for security.

"You start adding that up on a weekly basis and that was a lot of activity by a lot of people," Reeve said.

By moving to the automated system with Network Vault, Voca expects to save about US$115,000 in related costs this year, he said. "It"s a godsend."

He declined to say how much Voca paid for the rollout.

Richard April, a vice president of marketing at Dedham, Mass.-based Cyber-Ark, said the company"s product separates access passwords from data using multiple layers of security to protect the information. The company"s approach is similar to banks, he said, in that a bank has guards, alarms and cameras to ensure security, but the safest place in a bank is still inside its vault.

In addition to Network Vault, Cyber-Ark also offers a Central Password Manager module that allows users to automate password changes and maintenance. Multiple vaults can be set up across locations and can communicate with one another across a network, he said, depending on how users want to configure the system.

The vaults can also be used to store critical documents with a full medley of compliance and auditing capabilities, April said. A disaster recovery module is also available to allow real-time duplicates of the password records to be created off-site.

Pricing begins at $30,000 for 25 users for Network Vault alone, or at $45,000 for 25 users including Network Vault and the Central Password Manager option.

Jon Oltsik, an analyst at Enterprise Strategy Group in Milford, Mass., said password management can be a key tool for corporate computing managers. "Any security person would tell you that this is one of a thousand things that fall through the cracks and that make companies much more vulnerable. Any sizable company is going to have thousands of routers and servers with passwords and if any use default passwords, they"re going to be very easy to get in to," he said.

"Companies tend to think of this stuff," Oltsik said, but it is difficult to constantly do manual password audits, which can involve a lot of people, time and processing. The alternative, he said, is to automate password changes and tracking -- but that can also be time-consuming, he said.

"Most companies will say they"re not in the security business" and won"t go the extra mile to pay close attention to their password management, he said.

Competitors in the password management space include Applications Security Inc., which maintains passwords for databases, and Cloakware Corp., which focuses on passwords for application-to-application communications and scripting.

Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pa., said the very nature of passwords makes them tricky to manage.

"The notion of administrative passwords is that they"re extremely sensitive, but in order to get things done ... you have to share those accounts and passwords with many folks very often," Lindstrom said. "Cyber-Ark is an opportunity for folks to provide more strength around their password management for the accounts that are basically the keys to the kingdom."