A Software as a Service (SaaS) organization provides services to the healthcare, financial and other industries that carry many regulatory requirements and a high level of security awareness. The organization undergoes regular on-site customer audits and is in the process of producing an SSAE 16 SOC 2 report. Its customers have required it to improve how it stores passwords and encryption keys and to implement two-factor authentication for all privileged user accounts.
Passwords are stored in a password application that encrypts the data but lacks full audit trails and two-factor authentication. Encryption keys are stored in many different documents, each with different security controls. Privileged users authenticate with only a user ID and a strong password. The organization maintains approximately 400 shared/generic/service accounts and 200 encryption keys, and has 25 privileged users.