e-DMZ Announces Free Remote Access Security Tool
The Total Privileged Access Management suite module enables IT managers to perform password administration over unsecured LAN and WAN connections.
For companies subject to government or industry regulations like Sarbanes-Oxley, PCI DSS or HIPAA, sending database passwords "in the clear" -- unencrypted, and readable by any network eavesdropper -- spells compliance disaster. Even for companies not subject to regulatory compliance, it's still a security vulnerability.
As more database administration is done over the company network, or even remotely over the Internet by an IT services provider, rather than from a console attached directly to the server, passwords are at risk. And according to Kris Zupan, CTO of e-DMZ Security, a privileged user and privileged access management vendor, most databases do password management in the clear.
To aid businesses in managing this risk, e-DMZ Security has announced a free remote access security tool for password management, for use with the Privileged Password Management module of its Total Privileged Access Management (TPAM) suite.
e-DMZ's TPAM lets companies meet security and compliance requirements associated with privileged identity management and privileged access control -- managing privileged users, access, accounts and rights, as well as monitoring and recording all activities.
The new security feature enables database administrators, including IT staff, contractors, service providers and others doing database administration, to perform password administration over unsecured LAN and WAN connections.
"We had several customers managing passwords for databases" -- and some of these were not directly at the server, but were connecting either from elsewhere within the office, or via the Internet, according to Zupan. "This presented a major compliance issue."
Securing the connection with optional security packages from the database vendors can be quite expensive, according to Zupan. "Oracle's advanced security package can cost hundreds of dollars per seat and thousands per CPU -- that's prohibitively expensive, especially for companies looking just to secure the connection." Additionally, says Zupan, this approach requires a separate solution for each vendor database involved.
e-DMZ's secure password administration feature establishes an SSH (Secure Shell) tunnel between the administrator and the server, which encrypts communications between the two ends. According to Zupan, the new feature provides the required security while avoiding the need for expensive, database-specific add-ons.
"Sending passwords in the clear is always bad, even a brief exposure can be susceptible to compromise, and you're setting yourself up for a compliance audit failure," says Perry Carpenter, Research Director, Information Security and Privacy, Gartner Research.
"Auditors are becoming aware that there are vendor solutions to this problem that are reasonably priced and can be deployed with a reasonable degree of certainty of addressing the issue," says Carpenter. "So it's very likely that they will start requiring these solutions be employed. If a company can get the 'fix' for this as part of another security utility, all the better. SMBs, particularly, are drawn to single platform purchases that have the ability to perform multiple security functions."
A VPN (Virtual Private Network) wouldn't be sufficient, Zupan notes, "because VPNs normally terminate at the edge of the network, not all the way to the database, so the traffic would be clear text for that last stretch."
This new feature is an enhancement to the current release, and is included at no additional cost with e-DMZ's Privileged Password Management module for TPAM. (Basic pricing for TPAM is around $10,000 to $13,000.)