Tuesday, January 24, 2012

PRIVILEGED PASSWORDS MUST BE SECURED

Every piece of hardware and software that we use has privileged identities built in. These are accounts, with their passwords or keys, that the manufacturer ships with the product and that have unrestricted rights over it. They exist in practically every system an organization runs: the local Administrator account on a Windows workstation, root on Unix, and the SYS and SYSTEM accounts in an Oracle database.

Manufacturers ship products with these accounts so that they can support them effectively. Customers then use the same accounts for day-to-day administration, often without ever changing the vendor-supplied password.

These passwords are master keys: they open every module and file of the system. This is why they are coming under increased scrutiny from regulators. In the USA, Section 404 of the Sarbanes-Oxley Act requires companies to demonstrate effective internal control over their financial reporting systems. An organization whose key financial systems have unmanaged or unsecured administrative access cannot make that demonstration and is therefore out of compliance.

Of more relevance to us are the Payment Card Industry Data Security Standard (PCI DSS) requirements, which are among the most explicit. PCI DSS requires organizations to change vendor-supplied default passwords before a system goes into production, to restrict access to cryptographic keys to the fewest custodians necessary, and to store those keys securely in the fewest possible locations and forms.

Another area where countries are requiring control of administrative passwords is the health sector. The American Health Insurance Portability and Accountability Act (HIPAA) contains administrative safeguards that require medical records to be kept confidential and secure. An organization that allows unsecured administrative access to medical records is in violation of the Act.

The global trend is that countries around the world are enacting tighter regulations on the control of privileged passwords. Kenya, however, is yet to develop legislation or regulations that require organizations to keep control over the secret keys and passwords of their systems.

Attackers look for these passwords because most of them are never changed, and because the same default or shared password is often reused across many systems. A large share of successful attacks are insider attacks, and these shared secrets are what insiders use to reach systems beyond their normal rights.
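The "never changed" problem is easy to check for on a Unix host, because the shadow file records the day each password was last set. The script below is an added example and is not part of the original post. It reads /etc/passwd- and /etc/shadow-style records, treats UID 0 accounts plus a caller-supplied list of names (here the assumed service account oracle) as privileged, and reports those whose password is older than a threshold (assumed 90 days) or has no change date at all. The sample records are constructed for the example, not taken from a real system.

```python
"""Flag privileged Unix accounts whose passwords are stale or never set.

Added example; not code from the original post. The passwd/shadow records
below are constructed sample data, and the 90-day threshold and the extra
privileged name 'oracle' are assumptions for the demonstration.
"""
from datetime import date

EPOCH = date(1970, 1, 1)  # shadow stores dates as days since this

# Constructed /etc/passwd-style records (not from any real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root account:/root:/bin/bash
oracle:x:1001:1001:Oracle DBA:/home/oracle:/bin/bash
www:x:33:33:web server:/var/www:/usr/sbin/nologin
"""

# Constructed /etc/shadow-style records. Field 3 is the last password change
# in days since 1970-01-01; an empty field means it was never recorded.
SHADOW = """\
root:$6$salt$fakehash1:15000:0:99999:7:::
toor:$6$salt$fakehash2::0:99999:7:::
oracle:$6$salt$fakehash3:15300:0:99999:7:::
www:*:15300:0:99999:7:::
"""


def parse_passwd(text):
    """Return {username: uid} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, *_rest = line.split(":")
        users[name] = int(uid)
    return users


def parse_shadow(text):
    """Return {username: (hash, last_change_day)}; day is None when unset."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        name, pw_hash, lastchg = fields[0], fields[1], fields[2]
        entries[name] = (pw_hash, int(lastchg) if lastchg else None)
    return entries


def is_locked(pw_hash):
    """A hash beginning with '*' or '!' cannot be logged into with a password."""
    return pw_hash.startswith(("*", "!"))


def stale_privileged(passwd_text, shadow_text, today, max_age_days=90,
                     extra_privileged=frozenset()):
    """Return [(name, reason)] for privileged accounts needing attention.

    Privileged means UID 0 or a name in extra_privileged. Locked accounts are
    skipped; a change day of 0 means a change is forced at next login, which
    is reported separately rather than counted as stale.
    """
    findings = []
    shadow = parse_shadow(shadow_text)
    today_day = (today - EPOCH).days
    for name, uid in parse_passwd(passwd_text).items():
        if uid != 0 and name not in extra_privileged:
            continue
        if name not in shadow:
            findings.append((name, "no shadow entry"))
            continue
        pw_hash, lastchg = shadow[name]
        if is_locked(pw_hash):
            continue
        if lastchg is None:
            findings.append((name, "never changed"))
        elif lastchg == 0:
            findings.append((name, "change forced at next login"))
        elif today_day - lastchg > max_age_days:
            findings.append((name, f"stale: {today_day - lastchg} days"))
    return findings


if __name__ == "__main__":
    # Date of the post, so the constructed ages are stable.
    for name, reason in stale_privileged(PASSWD, SHADOW, date(2012, 1, 24),
                                         extra_privileged={"oracle"}):
        print(f"{name}: {reason}")
```

On a real host the same functions can be fed the contents of /etc/passwd and /etc/shadow (reading the latter requires root). The second UID 0 account in the sample is deliberate: duplicate UID 0 entries are a common way a backdoor or an unmanaged shared account hides, and they show up in the report alongside the stale root password.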

The primary purpose of requiring organizations to protect privileged passwords is to ensure both that these secrets are kept secure and that every use (or misuse) of them can be traced to a specific member of staff, something a shared, never-changing password makes impossible.

Kenya therefore needs to develop a framework covering all the critical sectors of the economy, for example financial, health and utility systems. This framework should require entities in those sectors to meet the fundamental requirement of securing their secret keys and privileged identities.
