A computer network within an organisation will typically contain a number of devices, which may include PCs and servers, but also switches, routers, wireless access points, IP cameras, projectors, network-attached storage and so on. Each device will have a management interface, which may be web-based or may be accessed through applications running on general-purpose operating systems such as Windows or Linux. In addition to physical components of a network, a device in this context may itself be an application running on a physical component or over the Internet.
Devices may be controlled by users logging in to user or admin accounts. Some devices may provide only a single management user or admin account, while others may allow many accounts with various levels of functionality, or may even integrate directly with organisational user directories. Each user or admin account will typically require a password, which local security policy generally requires to be changed regularly.
As used herein, the term “password” encompasses any data that may be used to log in to a user or admin account for controlling a device. Accordingly, a password may comprise a user ID and secure data, such as a text string, identifying that user.
Where an organisation has many IT staff there arises the issue of managing multiple admin accounts and maintaining an audit trail of which admin user logged on to which device and when. Additionally, network security may be compromised where the password for an admin account is stolen or misused, allowing access to multiple devices across the network. Matters are compounded when an organisation wishes to allow external users, outside of the organisation's network, to access admin accounts.
This issue has given rise to “single sign-on” (SSO) solutions, where an admin user may log on once but gain access to a number of devices, and to “privileged user management”, where an administrator may be given an appropriate level of access to a device.
SSO solutions may be provided by simply storing passwords, or login credentials, in a database. A user, who may be external to the computer network to be accessed, may transmit a request to the database for password data allowing access to one or more devices as part of a network administration role. In other, less technological SSO solutions, a user may keep a physical record of password data for accessing a device as part of a network administration role in what may be termed a “run book”. In these systems, the user consults the run book to identify password data and information allowing access to devices within the computer network.
It is usual for organisations to implement regular back-ups of their systems so that, in the event a device fails, it can be restored to its original state from the latest back-up. Alternatively, where a particular device cannot be restored, the back-up data may be used to set up a replacement device. A back-up usually comprises a copy of all files and other data held on and used by a particular device. However, back-ups may also be incremental. Back-ups may be stored separately from the devices, often at a different location or in the cloud. The frequency and content of back-ups are generally determined by an organisation's requirements and policy.