Password managers: A rough guide to enterprise secret platforms

The second installment of our password manager series delves into enterprise-level technology designed to effectively manage API tokens, login credentials, and similar resources.

Enterprise password management solutions

Modern organizations operate a vast array of servers, services, applications, APIs, containers, and other technologies.

To safeguard these resources, organizations require tools to manage sensitive information, encompassing passwords, encryption keys, SSH (secure shell) keys, API tokens, certificates, and others.

However, these assets are frequently dispersed across various platforms, inclusive of on-premise servers, cloud-based services, serverless applications, and container orchestration tools. This fragmentation complicates efficient management of secrets.


As a result, employees often resort to makeshift and insecure practices to manage authentication, such as saving secrets in plaintext files, embedding tokens in source code shared on GitHub, and placing encryption keys in exposed S3 buckets.

This leads to ‘secrets sprawl’—login information and other credentials dispersed across multiple locations, often contributing to data breaches.

A viable solution to prevent secrets sprawl is the implementation of a ‘secrets manager’, a tool that securely preserves and governs secrets throughout their life cycle. Secrets managers can store various types of secrets—including passwords, API tokens, certificates, and more—and regulate access for individuals, machines, and services.

Crucial features to consider in secrets managers include:

  • Compatibility with diverse IT setups: An effective secrets manager should support cloud, multi-cloud, on-prem, and hybrid IT architectures.
  • Support for an array of authentication protocols: Beyond just passwords, the solution should accommodate certificates, encryption keys, API tokens, and various authentication systems that form the security framework of your IT operations.
  • Adaptability to different organizational structures: The technology should enable customization of your secrets access policies based on roles and groups within the organization.
  • Versatility among user types: IT systems should control access not only for humans but also for machines and services requiring access to digital resources.
  • Integration capabilities: Any product should provide various tools such as plugins, APIs, and CLIs to automate the handling of secrets.
  • Centralized management: A secrets management solution should offer real-time oversight of how users, services, and devices engage with secrets across the organization.

Here’s a brief evaluation of several notable secrets management products.

HashiCorp Vault

HashiCorp Vault is a widely-used enterprise solution for managing and safeguarding passwords, tokens, encryption keys, certificates, API keys, and various other secrets.

Vault integrates seamlessly with your primary identity provider, such as Active Directory, LDAP, or your selected cloud platform. It can manage secrets for over 100 systems, encompassing both public and private clouds, databases, messaging queues, and SSH endpoints.

Among Vault’s strengths is its support for dynamically generated secrets. The product also provides fine-grained control over access to distinct resources and allows administrators to revoke permissions swiftly in the event of issues.

Vault features a robust API that can be easily integrated into applications to retrieve secrets, thereby discouraging developers from hardcoding passwords and tokens.
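As an added example (not code from the article or from HashiCorp), the client below reads a static KV v2 secret and a dynamic database credential through Vault's HTTP API instead of hardcoding them, and surfaces the lease data that makes dynamic secrets revocable; the address, token, mount names and canned responses are constructed placeholders so it runs offline.

```python
import json, urllib.error, urllib.request

# Added example, not the article's or HashiCorp's code. The endpoint shapes (KV v2 read,
# database creds, the X-Vault-Token header, {"errors": [...]} bodies) are Vault's; the
# address, token, mount names and canned responses below are constructed placeholders.
VAULT_ADDR = "https://vault.example.internal:8200"
TOKEN_HEADER = "X-Vault-Token"

def http_get(url, headers):
    """Real transport. Vault answers JSON; 403/404 bodies still carry {"errors": [...]}."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return json.loads(e.read() or b"{}") or {"errors": [f"HTTP {e.code}"]}

def vault_read(api_path, token, transport=http_get, addr=VAULT_ADDR):
    """GET /v1/<api_path>; the token comes from an auth method or the environment, never source."""
    body = transport(f"{addr}/v1/{api_path}", {TOKEN_HEADER: token})
    if "errors" in body:  # 403 gives ["permission denied"]; a 404 on a missing path gives []
        raise PermissionError(body["errors"]) if body["errors"] else LookupError(api_path)
    return body

def read_kv(mount, path, token, **kw):
    """KV v2 wraps the stored key/values in data.data and the version in data.metadata."""
    body = vault_read(f"{mount}/data/{path}", token, **kw)
    return body["data"]["data"], body["data"]["metadata"]["version"]

def read_dynamic_creds(mount, role, token, **kw):
    """Dynamic secrets carry a lease; the credential dies when it expires or is revoked."""
    body = vault_read(f"{mount}/creds/{role}", token, **kw)
    return body["data"], body["lease_id"], body["lease_duration"], body["renewable"]

def should_renew(lease_duration, elapsed, fraction=0.8):
    """Renew with headroom: a lease that lapses mid-request means a dead credential."""
    return elapsed >= lease_duration * fraction

CANNED = {  # constructed responses in Vault's real shapes; the values are not real secrets
    f"{VAULT_ADDR}/v1/secret/data/ci/github": {
        "data": {"data": {"token": "ghp_placeholder"}, "metadata": {"version": 3}}},
    f"{VAULT_ADDR}/v1/database/creds/readonly": {
        "lease_id": "database/creds/readonly/abc123", "lease_duration": 3600,
        "renewable": True, "data": {"username": "v-readonly-abc", "password": "pw-placeholder"}},
}

def fake_transport(url, headers):  # stand-in for http_get so the example runs offline
    if headers.get(TOKEN_HEADER) != "s.valid-token":
        return {"errors": ["permission denied"]}
    return CANNED.get(url, {"errors": []})
```

Swap `fake_transport` for the default `http_get` and a real token to talk to an actual Vault; a revoked token or lease shows up as the `PermissionError` path rather than as a silently stale credential.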

However, the advantages of HashiCorp Vault come with some trade-offs. The user interface is not particularly user-friendly, presenting a steep learning curve. Most functionality is driven through the CLI, which, while beneficial for automation, can be cumbersome for manual use.

HashiCorp Vault is open-source, allowing for self-hosting, or you can opt for a cloud-hosted instance priced at $0.03/hour.

  • Pros: Extensive support for various cloud and on-prem technologies, dynamic secret generation, strong API support, open-source
  • Cons: Steep learning curve, less intuitive UI

CyberArk Conjur

CyberArk Conjur serves as a solution for centralized identity and access management across an organization.

Conjur supports a variety of secret types, including passwords, service account tokens, and API tokens. Additionally, it integrates with major cloud infrastructures like GCP (Google Cloud Platform), AWS, and Azure, along with a range of databases, CI/CD platforms, and container orchestration tools.

Similar to Vault, Conjur also supports integration with existing authentication systems like OAuth, LDAP, and other identity providers.

Conjur features a centralized management system, allowing administrators to define resources and specify which users, roles, devices, scripts, services, and other entities can access secrets. They can also establish rules for the organization’s secrets, such as password rotation and auditing.

Application managers and developers utilize plugins and APIs to incorporate Conjur into their CI/CD pipelines, cloud applications, or other resources that require access to the secrets store.

Conjur is open source, with an option for self-hosting, though both initial setup and ongoing management can be complex.

  • Pros: Versatile support for a variety of applications, cloud providers, and container orchestration tools; availability of plugins and APIs for diverse integrations.
  • Cons: Challenging setup and administration


Enterprise Password Managers

While secrets managers are effective tools, they may be excessive for smaller businesses or entities without a complex digital footprint. Due to the high technical barriers associated with secrets managers, organizations lacking dedicated IT teams might find them cumbersome to utilize.

For these companies, a password manager may be a more suitable option. Password managers are focused solely on securely storing, accessing, and sharing passwords. Although they lack the integration, programming, and automation features of secrets managers, they can effectively secure credentials across an organization.

The Daily Swig reviewed personal and family-oriented password managers in a previous article. Beyond personal password manager features, a business-oriented password manager should encompass the following:

  • Centralized management: Administrators should be able to generate reports on employee password health, usage, sharing, and more.
  • Integration with identity providers: Companies should be able to utilize their existing identity providers (AD, Azure, Okta, etc.) to access their password manager.

Below are two widely-used business-focused password managers worth exploring.

1Password

1Password is a well-regarded password manager compatible with all major platforms, including macOS, Windows, Linux, Android, and iOS. It also features a Chrome extension that streamlines the login process on websites and the storage of new credentials in its vault.

Users of 1Password can create multiple vaults to store passwords, credit card details, API tokens, crypto wallet recovery keys, and other sensitive information. Additionally, 1Password allows users to share secrets with others while offering options to limit password sharing through expiry dates, visibility, and specific email addresses permitted to access a shared link.

The application’s Watchtower feature monitors for reused passwords, vulnerable passwords, and accounts that may have been compromised.

The business version provides administrators with a comprehensive view of password security within the organization and includes detailed access features, empowering them to set permissions, groups, roles, and vault access at scale.

1Password did not initially support single sign-on (SSO), but it has recently launched beta support for SSO login via Okta, with Azure and Duo integrations planned. The vendor is also working on connectivity with Azure AD, Google Workspace, Okta, OneLogin, and Slack.

The cost of 1Password Business is $7.99 per user each month. Additionally, each Business user is provided with a complimentary Families account, allowing sharing with up to five family members.

  • Pros: Flexible password sharing options, administrative dashboard for organization-wide health reports, mass assignment capabilities, bonus Family plan
  • Cons: SSO currently in beta testing

NordPass

NordPass is a user-friendly service featuring the essential components expected from a password manager, such as cross-platform support, auto-fill functionality, and storage for various kinds of credentials.

NordPass also includes a breach monitoring feature that scans the internet for security incidents involving your organization’s credentials.

NordPass Business offers a security dashboard for enterprise-wide reports on password health and activity records, and lets team members share passwords and credit card information with each other.

This technology also includes centralized administration tools, enabling the establishment of company-wide multi-factor authentication (MFA) and password policies, as well as managing employee access to password vaults.

The pricing for NordPass Business is $3.59 per user per month. An Enterprise plan, which supports SSO with Okta, Azure AD, and Microsoft AD, has a pricing structure that is not publicly listed.

  • Pros: Centralized administration, company-wide policy enforcement, and the ability to manage employee access easily
  • Cons: The basic Business plan does not support SSO integration


Based on an article from portswigger.net: https://portswigger.net/daily-swig/password-managers-a-rough-guide-to-enterprise-secret-platforms
