CyberAdviser News Portal

Password managers: A rough guide to enterprise secret platforms

admin013 mins

The second installment of our password manager series explores advanced solutions suitable for businesses to manage API tokens, login details, and much more.

Password Manager Solutions

Modern businesses operate numerous servers, services, applications, APIs, containers, and other technologies.

To protect these assets, organizations require tools for managing sensitive information, such as passwords, encryption keys, SSH (Secure Shell) keys, API tokens, certificates, among others.

The challenge arises from the distribution of these resources across multiple platforms, including on-premise servers, cloud services, serverless applications, and container orchestration tools, complicating efficient secret management.

Enjoyed this article? Subscribe to our new newsletter – Daily Swig Deserialized

Consequently, employees often resort to unstructured and insecure methods for managing authorization, including storing credentials in plaintext files, hardcoding tokens in source code uploaded to GitHub, and keeping encryption keys in unprotected S3 buckets.

This results in ‘secrets sprawl’ – a scenario where logins and credentials are scattered across multiple locations, contributing to many instances of data breaches.

A viable solution to combat this sprawl is the implementation of a ‘secrets manager,’ a tool designed to securely store and manage sensitive data throughout its lifecycle. Secrets managers can securely handle various types of sensitive information (passwords, API tokens, certificates, etc.) and control access for individuals, devices, and services.

Here are a few essential features to consider when selecting a secrets manager:

  • Support for diverse IT environments: An effective secrets manager should adeptly support cloud, multi-cloud, on-prem, and hybrid IT systems.
  • Support for a range of authentication methods: The solution must accommodate certificates, encryption keys, API tokens, and other authentication systems that form the security foundation of your IT infrastructure.
  • Flexible access management: The technology should enable customization of access policies based on organizational roles, groups, etc.
  • Support for multiple user types: Many IT systems must manage not just human access, but also the access of machines and services to digital resources.
  • Integration capabilities: The product should provide plugins, APIs, and CLI tools to automate the management of secrets.
  • Centralized oversight: A secrets management installation should provide real-time visibility and control over user, service, and device access to sensitive information across the organization.

Below is a brief overview of some of the leading secrets management products.

HashiCorp Vault

HashiCorp Vault is a renowned enterprise solution for managing and securing passwords, tokens, encryption keys, certificates, API keys, and other sensitive information.

Vault connects with your primary identity provider, such as Active Directory, LDAP, or your preferred cloud platform. It supports secret management for over 100 different systems, including both public and private clouds, databases, messaging queues, and SSH endpoints.

One of the standout features of HashiCorp Vault is its ability to support dynamically generated secrets. It also grants fine-grained access control and allows administrators to revoke permissions swiftly in case of any issues.

Vault offers a robust API that integrates seamlessly into applications for secret retrieval, guiding developers away from hardcoding passwords and tokens.

However, the advantages of HashiCorp Vault come with some drawbacks. Users may find the interface non-intuitive and the learning curve steep. Most functionalities are managed through a CLI interface, which is efficient for automation but not ideal for manual operations.

HashiCorp Vault is open-source, offering the option for self-hosting, with a cloud-hosted instance available at a rate of $0.03/hour.

  • Pros: Extensive support for various cloud and on-premises technologies, dynamic secret generation, strong API capabilities, open-source.
  • Cons: Steep learning curve, challenging user interface.

CyberArk Conjur

CyberArk Conjur serves as a secrets management tool focused on centralized identity and access management across enterprises.

Conjur supports various secret types, such as passwords, service account tokens, and API tokens. It integrates seamlessly with leading cloud infrastructures including GCP (Google Cloud Platform), AWS, and Azure, in addition to various database types, CI/CD platforms, and container orchestration tools.

Like HashiCorp, Conjur interfaces with existing authentication solutions, such as OAuth, LDAP, and other identity providers.

With a centralized management system, administrators can define resources along with users, roles, devices, scripts, services, and other entities that need to access secrets. They can also set enterprise-wide policies regarding secrets, including password rotation and auditing requirements.

Application managers and developers utilize plugins and APIs to integrate Conjur into their CI/CD pipelines, cloud applications, or other resources that require access to the secrets store.

Conjur is open source and can be self-hosted, but it may also present challenges during initial setup and ongoing management.

  • Pros: Versatile support for multiple applications, cloud providers, and container orchestration tools; extensive integration capabilities through plugins and APIs.
  • Cons: Complex setup and administration processes.

Assessing Password Manager Security: Which Option is Right for You?

Enterprise Password Managers

While secrets managers are powerful tools, they may be unnecessarily complex for smaller organizations or those with less intricate digital environments. The significant technical expertise required for secrets managers may hinder companies without dedicated IT staff from utilizing them effectively.

For such businesses, a password manager could be a more suitable choice. Password managers primarily function to securely store, access, and share passwords. Although they lack the integrations, programming, and automation capabilities of secrets managers, they offer robust solutions for securing credentials across an organization.

The Daily Swig previously reviewed personal and family-focused password managers in an earlier article. Beyond the features of a personal password manager, a suitable business password manager should include:

  • Centralized management: Administrators should have access to reports detailing employee password health, usage, and sharing behaviors.
  • Integration with identity providers: Organizations should be able to connect their existing identity providers (AD, Azure, Okta, etc.) to access their password managers.

Below are two well-regarded business-focused password managers that are worth exploring.

1Password

1Password is a widely used password manager compatible with all major platforms, including macOS, Windows, Linux, Android, and iOS. The platform also features a Chrome extension for easily filling in login details on websites and for saving new credentials in its vault.

Users can create multiple vaults within 1Password to store passwords, credit card information, API tokens, cryptocurrency wallet recovery keys, and other confidential documents. It allows sharing of secrets among users, with password sharing being controlled through expiration dates, limited views, and specific email addresses.

The Watchtower feature monitors for reused passwords, vulnerable entries, and potentially compromised accounts.

The business version provides administrators with a comprehensive view of password security across the organization, along with advanced access control features for managing permissions, groups, roles, and vault access at scale.

Previously, 1Password lacked single sign-on (SSO) support, but it has now introduced beta SSO login capabilities through Okta, with plans to add Azure and Duo support shortly. Integration with Azure AD, Google Workspace, Okta, OneLogin, and Slack is also forthcoming.

1Password Business is priced at $7.99 per user per month, and as an added bonus, each user receives a free Families account to share with up to five family members.

  • Pros: Flexible sharing options, an admin dashboard for organization-wide health insights, mass assignment capabilities, and a complimentary Family plan.
  • Cons: SSO is currently in beta.

NordPass

NordPass is a user-friendly password manager that encompasses essential features such as cross-platform support, autofill capabilities, and various credential storage options.

NordPass includes a breach monitoring feature that scans for security incidents online that may affect organizational credentials.

NordPass Business boasts a security dashboard that offers company-wide reports on password health and activity logs. Users can share passwords and credit card data with team members.

The application provides centralized administrative tools, allowing for the implementation of company-wide multi-factor authentication (MFA) policies and password regulations, alongside control over employee access to password vaults.

NordPass Business is offered at $3.59 per user per month, and an Enterprise plan is available (price unlisted) which supports SSO via Okta, Azure AD, and Microsoft AD, as well as user provisioning through Active Directory (AD).

  • Pros: Centralized administration, organization-wide policies, and straightforward access control for employees.
  • Cons: Basic Business plan does not include SSO functionality.

YOU MAY ALSO LIKE: ‘Most web API flaws are overlooked by standard security tests’ – Corey J Ball on securing an often neglected attack vector.

Based on an article from ports.wigger.net: https://portswigger.net/daily-swig/password-managers-a-rough-guide-to-enterprise-secret-platforms

Leave a Reply

Your email address will not be published. Required fields are marked *

Related News

Back To Top