Tombola’s story: “This is how we improved network password security and availability”
(Last updated on November 30, 2018)
Specops customer Tombola, an online bingo community in the UK, performed a penetration test as a PCI DSS merchant and realized they needed to improve network password security and availability.
After extensive research they decided to go with Specops Password Policy and Specops uReset. Tom Blackburn, who is a Jr. Operational Support Engineer at Tombola, has written a blog about why they chose Specops’ solutions and the implementation.
You will find an extract of the blog below, and the full version here.
Due to the growth of Tombola we recently became a PCI DSS Level 1 merchant, meaning we are required to perform in-depth PCI auditing with an external auditor. As part of this process we brought in a Penetration Test company to help find issues that we needed to respond to.
The penetration test shone some light on some weaknesses that we hadn’t been aware of and really encouraged us to fix some issues. One of the areas that was highlighted from this was the strength and management of network user passwords. This prompted us to implement a system to improve the strength of our passwords.
In order to keep our whole infrastructure in-line with our password policies we have been moving to migrate our in-house applications to use Active Directory integration. As Tombola is running 24/7 it is important that these accounts are available to our staff at any time of the day, without requiring the assistance of the support team. This was our motivation to implement a password reset portal.
Creating a dictionary list of common words allows us to prevent easily predictable passwords such as ‘tombola’ or ‘bingo’ from being used. We can also enable the usage of passphrases, which are often recommended. This allows the user to bypass some of these rules as long as their phrase is >=20 characters. At this length password-cracking tools become nearly useless, and the passphrase is easier to remember for the user.
To attempt to combat poor password practices and the increasingly likelihood of them being cracked, we implemented Specops Password Policy.
The great thing about Specops is that it gives us options to set different policies for different groups of users. Whilst all users are required to meet a compliance-required minimum complexity, we have created policies to enforce more complex requirements for privileged user accounts.
As our sites are live and active 24/7, it is critical that network accounts remain available for our Chat Moderators and Customer Service staff. The business requires accounts to be unlocked and passwords reset at any time of the day, without requiring an on-call engineer to deal with them.
For this reason we implemented Specops uReset.
We weigh and layer the 20 identity services to require extra identification based on job role. Each identity service is allocated a ‘star-rating’ which shows how secure it is. We also vary the requirements for authentication based on the user’s access to confidential data; privileged accounts require a higher level of authentication than standard accounts.
Through the implementation of Specops we aim to reduce helpdesk requests and improve account availability by letting users manage their own accounts, whilst still maintaining the security of the accounts and the password reset process.
Specops will serve as a valuable tool in protecting our users but we are still aware that the users are the most critical part of our security. We hope that empowering our staff to manage their own accounts will encourage better password management and security standards.