Third-Party System Credentials Security
A common question raised by various Iotellect partners is "why are the passwords stored in plain text and can be viewed/exported by Iotellect operators?"
Being a monitoring and control system, Iotellect connects to and authenticates on various external devices, systems, and databases. To be able to do this, Iotellect Server must store authentication credentials for third-party systems.
This simple fact effectively means that any intruder that has administrator-level access to the operating system of the machine Iotellect Server is installed on will be able to get access to all passwords Iotellect Server uses to connect to third-party devices and systems.
There is no way to avoid that: even if all passwords were encrypted with some cipher, Iotellect Server source code will always contain sufficient information to decrypt them.
The same applies to Iotellect Server users: any Iotellect Server user that has non-restricted access to all system objects (such as the default administrator) will be able to get access to passwords used by Iotellect Server to access external devices/systems.
Password Protection Policies
Given the above, Iotellect Server administrators should follow a number of rules to avoid password compromise.
The rules below assume that a trusted user is a person who is legally allowed to access any device/system Iotellect Server connects to.
Password protection rules:
OS-level access to the machine Iotellect Server is installed on should be limited to trusted users only.
If any non-trusted person must for some reason have access to the Iotellect Server machine, this person must not have read-level access to the Iotellect Server installation folder and any data folders (e.g. database folder). Such a person must also be blocked from accessing Iotellect Server process memory.
Any non-trusted Iotellect Server user must not have read-level permissions for variables and execution permissions for functions whose values contain passwords.
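One way to audit the folder-access rules above on a POSIX host, as an added example that is not Iotellect's own code: it walks a folder and reports every entry that an account outside the trusted set can read. The sample tree, its file names and the trusted uid/gid sets are constructed assumptions; only mode bits are checked, not ACLs or process-memory access.

```python
import os
import stat
import tempfile


def find_untrusted_readable(root, trusted_uids, trusted_gids):
    """List (path, reasons) for entries under root that accounts outside the
    trusted sets can read. Checks POSIX mode bits only, not ACLs or memory."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits grant nothing
            reasons = []
            if st.st_mode & stat.S_IROTH:
                reasons.append("world-readable")
            if st.st_mode & stat.S_IRGRP and st.st_gid not in trusted_gids:
                reasons.append("group-readable by untrusted gid %d" % st.st_gid)
            if st.st_uid not in trusted_uids:
                # The owner can always grant itself read access with chmod.
                reasons.append("owned by untrusted uid %d" % st.st_uid)
            if reasons:
                findings.append((path, reasons))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed stand-in for an installation folder with a data folder."""
    os.chmod(base, 0o700)
    os.mkdir(os.path.join(base, "database"), 0o700)
    # store.db is deliberately left world-readable so the audit has a finding.
    layout = {"server.conf": 0o600, "database/store.db": 0o604}
    for rel, mode in layout.items():
        path = os.path.join(base, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        # Assumption: only the current account is a trusted user.
        trusted_uids, trusted_gids = {os.geteuid()}, {os.getegid()}
        for path, reasons in find_untrusted_readable(root, trusted_uids, trusted_gids):
            print(path, "->", ", ".join(reasons))
```

An empty result for the real installation and data folders means no mode bit grants read access outside the trusted accounts.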