Password managers: A rough guide to enterprise secret platforms

The second installment of our series on password managers delves into enterprise-level solutions designed to manage API tokens, login credentials, and much more.

Today’s enterprises manage numerous servers, applications, services, APIs, and containers. To protect these assets, they require robust tools to handle sensitive information, including passwords, encryption keys, SSH keys, API tokens, and certificates.

The challenge is that these resources often exist across diverse platforms, such as on-premises servers, cloud services, and container orchestration systems, complicating efficient secrets management.

Enjoyed this content? Subscribe to our new newsletter – Daily Swig Deserialized

Often, this leads to employees resorting to insecure practices for managing access, such as saving secrets in plaintext or hardcoding tokens directly into code stored in public repositories, making them susceptible to breaches.

This phenomenon, known as ‘secrets sprawl’, can result in sensitive data being scattered across various locations—a scenario that frequently contributes to data breaches.

To combat secrets sprawl, organizations should consider a ‘secrets manager’, a specialized tool that securely stores and oversees secrets throughout their lifecycle. Secrets managers accommodate a wide history of secret types (passwords, API tokens, certificates, etc.) and can facilitate controlled access for users and services.

When choosing a secrets manager, here are several features to prioritize:

• Support for varied IT configurations: A quality secrets manager should seamlessly accommodate cloud, multi-cloud, on-prem, and hybrid IT ecosystems.
• Support for multiple authentication protocols: Beyond just passwords, it should enable management of certificates, encryption keys, API tokens, and other integral authentication systems.
• Support for different organizational structures: The system should allow you to tailor access policies according to your organizational tiers using roles, groups, etc.
• Support for diverse user types: Modern systems should manage not just human access, but also ensure appropriate rights for devices and services accessing digital assets.
• Integration capabilities: Look for tools that offer plugins, APIs, and command-line interfaces (CLIs) for seamless automation of secret management processes.
• Centralized control: Any secrets management solution should provide real-time insights and governance on how secrets are accessed across the enterprise.

Below is a brief overview of some well-known secrets management tools.

HashiCorp Vault

HashiCorp Vault stands out as a leading solution for storing and safeguarding passwords, tokens, encryption keys, and API keys.

Vault seamlessly integrates with major identity providers like Active Directory and supports management for a variety of systems including public and private clouds, databases, and messaging services.

A significant advantage of HashiCorp Vault is its capacity to generate dynamic secrets, alongside granular resource access control, allowing administrators to swiftly revoke permissions when needed.

With a robust API framework, developers can effectively integrate Vault into their applications, preventing reliance on hardcoded credentials.

However, potential users should be prepared for its complex interface, which might be daunting due to its reliance on command-line functionality, making it less user-friendly for manual operations.

HashiCorp Vault is available as open-source software, which allows for self-hosting, or you can opt for a cloud-hosted instance at a rate of $0.03 per hour.

• Pros: Broad support for diverse technology stacks, dynamic secret generation, strong API integration, open-source option
• Cons: Steep learning curve, non-intuitive UI

CyberArk Conjur

CyberArk Conjur is an enterprise solution for centralized identity and access management.

Conjur handles a variety of secret types, including passwords and API tokens, and integrates seamlessly with popular cloud infrastructures such as GCP, AWS, and Azure, as well as various database types and CI/CD platforms.

This platform allows for centralized admin control, enabling the configuration of resource access policies based on user roles and other entities. It also supports rules for password rotation and compliance auditing.

Conjur is also open-source, offering self-hosting options; however, it can be complex to set up and maintain.

• Pros: Versatile compatibility with various applications and platforms, rich integration options through plugins and APIs.
• Cons: Complicated initial configuration and maintenance

Enterprise Password Managers

While secrets managers offer extensive capabilities, they may be too sophisticated for smaller organizations or those without complex systems. For businesses lacking dedicated IT resources, a password manager could be a simpler and more effective solution.

Password managers efficiently store, access, and share passwords but lack the integration and automation functionalities typical of secrets managers. Nonetheless, they can still serve as reliable tools for safeguarding organizational credentials.

The Daily Swig previously assessed personal and family password managers; in addition, business-oriented password managers should come with the following features:

• Centralized management: Administrators should have access to reports on password usage and health metrics.
• Integration with identity providers: The managers should facilitate login through existing identity providers.

1Password

1Password is widely recognized as a leading password manager, compatible with all major platforms including macOS, Windows, Linux, Android, and iOS. It features a Chrome extension for effortless login filling and credential storage.

Users can create multiple vaults to categorize passwords, credit card info, API tokens, and other sensitive data. 1Password also offers controlled sharing features with user limitations such as expiration dates and restricted access.

The Watchtower service alerts users to reused or vulnerable passwords and compromised accounts. The business edition includes an extensive admin dashboard to oversee password security organization-wide with options for configuring permissions and access at scale.

Initially lacking single sign-on (SSO) support, 1Password has now introduced beta compatibility for SSO through Okta, with plans to incorporate Azure and Duo soon. It will also integrate with Azure AD, Google Workspace, Okta, and Slack.

1Password Business is priced at $7.99 per user monthly and includes a complimentary Families account for sharing with up to five family members.

• Pros: Flexible sharing options, organization-wide reporting, mass assignment capabilities, bonus family plan offer.
• Cons: SSO availability limited to beta at present.

NordPass

NordPass is known for its user-friendly interface, providing essential functions such as multi-platform support, autofill capabilities, and the accommodation of various credential types.

NordPass includes a breach monitoring feature that scans for security incidents affecting organizational credentials.

NordPass Business supplies a security dashboard delivering comprehensive insights into password health and activity, allowing users to share credentials among team members.

It offers centralized administration options, including the establishment of company-wide multi-factor authentication (MFA) and password policies, as well as user access management.

NordPass Business is priced at $3.59 per user per month, with an Enterprise plan available that supports SSO integrations (specific pricing not listed).

• Pros: Centralized management, comprehensive policy enforcement, streamlined access control.
• Cons: Basic plan does not support SSO features.

YOU MAY ALSO LIKE ‘Most web API flaws are missed by standard security tests’ – Corey J Ball on securing a neglected attack vector