| Emergency application accounts are typically created due to an unforeseen operational event or could ostensibly be used in the event of a vendor support visit where a support representative requires a temporary unique account in order to perform diagnostic testing or conduct some other support related activity. When these types of accounts are created, there is a risk that the temporary account may remain in place and active after the support representative has left.
In the event emergency application accounts are required, the application must ensure that accounts that are designated as temporary in nature shall automatically terminate these accounts after an organization defined time period. Such a process and capability greatly reduces the risk that accounts will be misused, hijacked, or application data compromised.
To address the multitude of policy based access requirements, many application developers choose to integrate their applications with enterprise level authentication/access mechanisms that meet or exceed access control policy requirements. Such an integration allows the application developer to off-load those access control functions and focus on core application features and functionality.
Examples of enterprise level authentication/access mechanisms include but are not limited to Active Directory and LDAP.
The application must provide or utilize a mechanism to automatically terminate accounts that have been designated as temporary or emergency accounts after an organization defined time period.
Application servers provide either a local user store or they integrate with enterprise user stores like LDAP or Active Directory. When the AS is the authoritative user store, the application server must be able to automatically terminate accounts designated as being used for emergency purposes after the DoD defined time period. |
