Evolve has administrator access to the majority of its clients. Naturally, there is a great responsibility to not allow this trust to be used inappropriately, whether by Evolve or by others. As such, I have created a series of policies that govern how administrator access to client systems is handled.
Evolve’s administrator access password policy is this:
- All passwords are auto-generated and unique to the client.
- All passwords are stored in a client-specific keychain file.
- All passwords are strong, according to the Mac OS X password generator.
- Any Evolve accounts on a client’s machine must have an equivalent account for internal client use.
- Evolve account passwords are not shared with the client.
- Any shared-password account, such as airport admin passwords, is marked as such in the keychain.
This policy is in place to protect both Evolve and the client. It accomplishes several goals:
- No cross-contamination of passwords between clients, which reduces the likelihood of a security breach traveling from one client to another.
- System activities that a client's log entries attribute to Evolve were always performed by Evolve, provided the account itself has not been breached. Because the user account is not shared with the client, it also allows for detection during a security breach. This is especially important for accounts that allow Evolve to VPN into a client's network.
- Clients have the ability to lock out the Evolve account at any time. This is useful if they decide to terminate the relationship, because they can do so without losing administrator functionality.