The second installment of our password manager series delves into advanced technologies for businesses to effectively manage API tokens, login credentials, and more.
In today’s modern environments, enterprises often operate numerous servers, applications, APIs, and other technological solutions.
To safeguard these assets, organizations require robust tools to manage secrets such as passwords, encryption keys, SSH (secure shell) keys, API tokens, and certificates.
The challenge arises due to the dispersion of these resources across multiple platforms, including on-premise servers, cloud services, serverless applications, and container orchestration tools, making efficient secret management challenging.
Often, this scenario drives employees to resort to insecure methods of handling authorization, such as leaving secrets in plaintext, hardcoding tokens within source code published to GitHub, or keeping encryption keys in unsecured S3 buckets.
This behavior leads to ‘secrets sprawl,’ where logins and credentials are scattered in various locations—a common factor contributing to data breaches.
An effective solution for avoiding secrets sprawl is employing a ‘secrets manager’—a tool designed to securely store and manage secrets throughout their lifecycle. Secrets managers can safeguard various types of secrets (like passwords, API tokens, and certificates) while controlling access for humans, devices, and services.
When choosing a secrets manager, consider the following essential features:
- Support for diverse IT configurations: A competent secrets manager should accommodate cloud, multi-cloud, on-premise, and hybrid IT systems.
- Support for various authentication protocols: In addition to passwords, it should support certificates, encryption keys, API tokens, and other authentication systems that underpin your IT security.
- Adaptable access policies: The technology should allow you to customize your secrets access policy based on organizational roles and structures.
- Support for multiple user types: IT systems must manage access not only for humans but also for machines and services interacting with digital resources.
- Integration capabilities: The solution should offer various tools, including plugins, APIs, and CLIs, to automate secret storage and retrieval.
- Centralized management: A secrets management installation should ensure real-time visibility into how users and devices access secrets throughout the organization.
Below is a brief overview of some prominent secrets management solutions.
HashiCorp Vault
HashiCorp Vault is a leading enterprise solution for managing and securing a plethora of secrets including passwords, tokens, encryption keys, and more.
Vault can be integrated with your primary identity provider such as Active Directory, LDAP, or your chosen cloud solution, and it can handle secrets for over 100 different systems including public/private clouds, databases, messaging queues, and SSH endpoints.
A key advantage of HashiCorp Vault is its support for dynamically generated secrets, offering fine control over access to various resources with the option for quick permission revocation if any issues arise.
Vault features a robust API for seamless integration with applications to fetch secrets, discouraging developers from relying on static passwords and tokens.
However, the benefits of HashiCorp Vault come with challenges: its user interface is not user-friendly and involves a steep learning curve, as most functionality is managed through the CLI, which is optimal for automation but less ideal for manual use.
HashiCorp Vault is open-source, providing the option for self-hosting, or you can utilize a cloud-hosted version starting at $0.03/hour.
- Pros: Extensive support for diverse cloud and on-prem technology stacks, strong API, open-source flexibility.
- Cons: Steep learning curve, challenging UI.
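To illustrate the API-driven and dynamic-secret points above, here is an added example (not code from the article or from HashiCorp) that reads a static KV v2 secret and a leased database credential through Vault's HTTP API. It assumes the conventional VAULT_ADDR and VAULT_TOKEN environment variables, a KV v2 engine mounted at "secret/", a database role at "database/creds/readonly", and uses constructed sample responses so the parsing logic runs offline.

```python
import json
import os
import time
import urllib.request
from typing import Optional

# Constructed sample responses (not captured from a real server), shaped like
# Vault's HTTP API: a static KV v2 secret and a leased dynamic DB credential.
SAMPLE_KV2 = {"lease_id": "", "lease_duration": 0, "renewable": False,
              "data": {"data": {"api_token": "EXAMPLE-TOKEN"},
                       "metadata": {"version": 3}}}
SAMPLE_DYNAMIC = {"lease_id": "database/creds/readonly/EXAMPLE-LEASE",
                  "lease_duration": 3600, "renewable": True,
                  "data": {"username": "v-readonly-EXAMPLE", "password": "x"}}


def vault_request(path: str) -> dict:
    """GET a Vault API path; the token comes from the environment, never
    from source code, which is the whole point of fetching via the API."""
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    req = urllib.request.Request(
        f"{addr}/v1/{path}",
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"]})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def kv2_secret_data(response: dict) -> dict:
    """KV v2 nests the key/value pairs one level deeper than KV v1."""
    return response["data"]["data"]


def renew_at(response: dict, now: float, fraction: float = 2 / 3) -> Optional[float]:
    """Dynamic secrets carry a lease; schedule renewal (or a fresh request)
    well before it expires. Static secrets have no lease and return None."""
    ttl = response.get("lease_duration", 0)
    if not response.get("lease_id") or ttl <= 0:
        return None
    return now + ttl * fraction


def get_dynamic_credentials(path: str = "database/creds/readonly") -> dict:
    """Each call mints a fresh username/password with its own revocable lease."""
    resp = vault_request(path)
    return {**resp["data"], "lease_id": resp["lease_id"],
            "renew_at": renew_at(resp, time.time())}


if __name__ == "__main__":  # offline demo on the constructed samples
    print(kv2_secret_data(SAMPLE_KV2), renew_at(SAMPLE_DYNAMIC, 0.0))
```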
CyberArk Conjur
CyberArk Conjur offers a centralized identity and access management solution for enterprises.
It supports various secret types, including passwords and API tokens, and integrates seamlessly with major cloud platforms like GCP, AWS, and Azure, alongside numerous database types and container orchestration systems.
Like HashiCorp Vault, Conjur connects with existing authentication frameworks, including OAuth and LDAP.
Conjur’s centralized management enables administrators to define resources and specify user roles and entities needing access to secrets, along with implementing rules for password rotation and auditing.
Application developers use plugins and APIs to integrate Conjur into their CI/CD pipelines or cloud applications, giving them access to the secrets store.
As an open-source solution, Conjur can be self-hosted, but, like HashiCorp Vault, it has a reputation for being complex to set up and maintain.
- Pros: Versatile support for a variety of applications and cloud services; offers several integration plugins and APIs.
- Cons: Complicated setup and management.
Enterprise Password Managers
While secrets managers are effective, they may be unnecessary for smaller businesses or those without intricate infrastructures. Given their complexity, companies lacking a dedicated IT team might find them daunting.
For such organizations, a password manager could be a more suitable choice. Password managers are designed specifically to securely store, access, and share passwords, lacking the advanced integrations and automation features found in secrets managers, yet still presenting valuable tools for securing credentials.
The Daily Swig examined personal and family-oriented password managers in an earlier article. In addition to what a personal password manager offers, business password managers should include:
- Centralized management: Administrators should have access to reports on employees’ password health and usage.
- Integration with identity providers: Businesses should be able to use their current identity provider (such as AD, Azure, Okta) to access their password manager.
Here are two well-regarded business-oriented password managers to consider.
1Password
1Password is a widely-used password manager accessible across all major platforms, including macOS, Windows, Linux, Android, and iOS. It also offers a Chrome extension for autofilling login details on websites.
Users of 1Password can create multiple vaults for storing passwords, credit card details, API tokens, and other sensitive data, plus share secrets with others while controlling access through expiration dates and restricted views.
A feature called Watchtower checks for reused or compromised passwords, enhancing overall security.
The business version provides administrators with a comprehensive view of password security across the organization and grants capabilities to configure permissions and access at scale.
1Password now supports SSO login through Okta, with planned support for Azure and Duo, as well as integration with Google Workspace and Slack.
Costing $7.99 per user per month, each 1Password Business account also includes a complimentary Families account, allowing sharing with up to five family members.
- Pros: Flexible password sharing, robust admin dashboard, convenient mass assignment, bonus Families plan.
- Cons: SSO login still in beta.
NordPass
NordPass is user-friendly and encompasses essential password manager features such as cross-platform compatibility and auto-fill functionality.
Additionally, NordPass offers breach monitoring, scanning the internet for incidents involving the organization’s credentials.
The business version features a security dashboard for reporting on company-wide password health and allows users to share sensitive information amongst colleagues.
NordPass also includes administration tools for setting company-wide multi-factor authentication (MFA) and password policies, as well as revoking employee access as needed.
The pricing for NordPass Business is $3.59 per user per month. An Enterprise plan is available, with pricing upon request, that supports SSO with Okta, Azure AD, and Microsoft AD.
- Pros: Centralized administration, comprehensive policies, and easy management of employee access.
- Cons: Basic version does not offer SSO.
Based on an article from portswigger.net: https://portswigger.net/daily-swig/password-managers-a-rough-guide-to-enterprise-secret-platforms