Educational Employees Credit Union is using a little box and the software inside to replace lists of passwords it had kept on paper, passwords that provide access to the big California credit union's network of servers.
The device also provides extensive logging and recording of user sessions on those networks, information that is arcane to laypeople but of crucial importance to IT infrastructure specialists and to the regulators who have to be satisfied that all is secure.
"One of the regulatory people was just here and told us he hadn't seen this before in a credit union and that he was quite impressed," said Keith Allington, network security manager at $1.7 billion EECU in Fresno.
Allington said five to seven people have server-level access to the credit union, and that the Privileged Password Management system from e-DMZ Security replaced what had been passwords kept on paper under lock and key.
"Obviously changing those passwords on a scheduled basis took a lot of time and energy," he said. Now it's automated, he said, something that saves a lot of time and energy when it comes to working with about 600 licenses and 75 servers at a 170,000-member credit union with 15 branches in 10 counties.
"We wrote up an explanation on what it would mean if all our systems had the same password and somebody was to find what it was. They could get into any of our systems and do whatever they want, if they knew what they were doing," he said. Now, a Web-based interface with an easy-to-learn menu system provides regular password changes. "It's raised the bar for anyone who tries to gain that type of access."
Rather than relying on just a log-in and password, the system integrates log-ins with Active Directory functionality, allowing users to log in with their regular network credentials and then controlling their access to the new network passwords stored in the appliance. "We can tell the system who can get in and what passwords they can get access for. It also keeps an audit trail of all that," Allington said.
The e-DMZ solution protects UNIX and Windows systems at EECU right now and could be expanded to SQL-driven servers, Allington said. He said the credit union also is considering adding another e-DMZ module, a session-management tool.
The company's chief salesman endorses that idea. "We've had customers tell us that by using this, they have saved thousands of man hours in a forensic analysis that they spent digging through systems logs trying to rebuild what happened after someone just loaded a patch," said Marty Ryan, vice president of sales and marketing at e-DMZ Security in Wilmington, Del. He said the password- and session-management solutions address a problem that can exist at a lot of credit unions and many other organizations.