A severe cybersecurity incident is the most dangerous risk most companies face. It is the greatest threat to a company's ability to deliver for its customers, and so to its value. This is the fifth in a series of posts about cybersecurity risk, and how you can reduce it to give customers and investors confidence.
It's just not possible to be secure without a password manager
As I write this post I have access to 768 credentials across personal, family and work contexts. Almost all of modern life seems to have a digital account associated with it, so most of you reading this will be in the same position. Some passwords you will memorise (and reuse), others will be stored in your web browser, often by accident. Without conscious management you will leave a trail of duplicated and sometimes poorly secured passwords across your devices (and nearby scraps of paper). You may recognise the irritation of signing in on a different device from your usual one, the browser offering the wrong password (or a selection of duplicated options), and then yet another password reset.
Passwords have long been recognised as a critical weakness in cybersecurity. Memorising unique, strong passwords for every login is virtually impossible, so reusing passwords, or writing them down, is the common fallback. The tech industry has created passkeys to try to solve this, but has of course created a new problem in the process: the security of wherever the passkeys are stored.
The complexity of managing secrets and credentials feels overwhelming to everyone, but this post includes some tips to help you think through your approach.
Some technical considerations
There are a number of technical considerations to keep in mind when choosing your password manager and the specific licence tier.
- Encryption architecture. The most critical consideration is how the vendor's encryption architecture works. You are looking for a zero-knowledge model: your vault is encrypted on your own devices with keys derived from your master password (and, with some vendors, an additional secret key), and the vendor only ever holds ciphertext. The flip side is that if you lose those secrets the vendor cannot recover your vault for you, and that is exactly the property you want, because it means that if the vendor is hacked the attacker gets encrypted blobs rather than your credentials. The residual risk is offline guessing of weak master passwords against a stolen vault, so check which key derivation function and work factor the vendor uses, and insist on strong master passwords.
- Login with SSO. You want a vendor that lets people sign in to the password manager itself through your identity provider. That puts your MFA, conditional access and offboarding controls in front of every credential stored in the vault, including the apps where you can't implement SSO for cost or technical reasons.
- SCIM provisioning. As you scale you will want to automate activating and deactivating staff members to minimise operational overhead. Crucially this also means that when you cut a user's access in your identity provider, they lose access to the secrets in their work vaults too. It's worth paying very close attention to how a vendor implements SCIM provisioning, as it gives insight into the practical implications of their security architecture (for example, how a new user is enrolled into shared vaults without the vendor ever holding the keys).
- Domain capture. You want a vendor that recognises your work email domain and steers credentials for accounts registered under it into the corporate vaults rather than a personal one, so the organisation keeps control of work secrets when an employee leaves.
- SIEM tool integration. You want a password manager that supports SIEM (Security Information and Event Management) integration, so that activity and security logs (logins, vault access, sharing, failed attempts) can be monitored by your security team.
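To make the zero-knowledge point in the first bullet concrete, here is an added example (it is not any vendor's code; the user, vault entry and function names are invented) of the client/server split that zero-knowledge vaults use. The master password is stretched with PBKDF2 on the device into two independent keys: one encrypts the vault locally, the other proves identity to the server. The server stores only a salt, a hash of the login key and the encrypted blob. The HMAC-counter stream cipher is a stand-in for a real AEAD such as AES-GCM so that the script runs on the standard library alone. `breach_demo` shows what a thief who copies the vendor's database actually gets, and that the only attack left is offline password guessing against the KDF, which is why the work factor and master password strength matter.

```python
import hashlib
import hmac
import json
import os

KDF_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; lower it only in tests


def derive_keys(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS):
    """Client-side only. Returns (vault_key, auth_key); the vault key never leaves the device."""
    master_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)
    # Domain separation: knowing the login key tells you nothing about the vault key.
    vault_key = hmac.new(master_key, b"vault-encryption", hashlib.sha256).digest()
    auth_key = hmac.new(master_key, b"server-login", hashlib.sha256).digest()
    return vault_key, auth_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for AES-CTR so no extra library is needed."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(vault_key: bytes):
    return (hmac.new(vault_key, b"stream", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())


def encrypt_vault(vault_key: bytes, vault: dict) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    stream_key, mac_key = _subkeys(vault_key)
    plaintext = json.dumps(vault).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(stream_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> dict:
    stream_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: wrong key or tampered vault")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(stream_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class VendorServer:
    """Everything the vendor holds. There is deliberately no code path here that can decrypt."""

    def __init__(self):
        self.records = {}

    def enroll(self, user: str, salt: bytes, auth_key: bytes, blob: bytes):
        # Hash the login key again so a database dump cannot be replayed as a login.
        self.records[user] = {"salt": salt, "verifier": hashlib.sha256(auth_key).digest(), "blob": blob}

    def salt_for(self, user: str) -> bytes:
        return self.records[user]["salt"]  # the salt is not secret

    def fetch_blob(self, user: str, auth_key: bytes) -> bytes:
        if not hmac.compare_digest(self.records[user]["verifier"], hashlib.sha256(auth_key).digest()):
            raise PermissionError("login rejected")
        return self.records[user]["blob"]


def client_enroll(server, user, master_password, vault, iterations=KDF_ITERATIONS):
    salt = os.urandom(16)
    vault_key, auth_key = derive_keys(master_password, salt, iterations)
    server.enroll(user, salt, auth_key, encrypt_vault(vault_key, vault))


def client_open(server, user, master_password, iterations=KDF_ITERATIONS) -> dict:
    vault_key, auth_key = derive_keys(master_password, server.salt_for(user), iterations)
    return decrypt_vault(vault_key, server.fetch_blob(user, auth_key))


def offline_guess(record: dict, guess: str, iterations=KDF_ITERATIONS) -> bool:
    """What a thief holding the vendor's database can do: try master passwords, one KDF run each."""
    vault_key, _ = derive_keys(guess, record["salt"], iterations)
    try:
        decrypt_vault(vault_key, record["blob"])
        return True
    except ValueError:
        return False


def breach_demo(iterations=KDF_ITERATIONS) -> dict:
    """Enrols one constructed user, then inspects what a stolen database reveals."""
    server = VendorServer()
    user, master = "alice@example.com", "correct horse battery staple"  # constructed sample data
    vault = {"github.com": {"user": "alice", "password": "Tr0ub4dor&3-sample"}}
    client_enroll(server, user, master, vault, iterations)
    stolen = server.records[user]  # the attacker's copy of the vendor database row
    leaked = b"".join(stolen.values())
    return {
        "plaintext_in_dump": b"Tr0ub4dor" in leaked,
        "guess_wrong": offline_guess(stolen, "password123", iterations),
        "guess_right": offline_guess(stolen, master, iterations),
        "owner_opens": client_open(server, user, master, iterations) == vault,
    }


if __name__ == "__main__":
    print(breach_demo())
```

Run it and the dump shows no plaintext and rejects a wrong guess, while the real owner opens the vault; `guess_right` is True precisely because a breach turns into an offline guessing race, with each attempt costing one full KDF run. That is the mechanism behind "the vendor cannot recover your vault": the only decryption path starts from the master password on the client.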
Make doing the right thing the default and easiest option
There are a number of steps you can take to increase the likelihood of a successful roll-out and adoption:
- Enable the right defaults with managed devices and managed browsers. Browsers usually offer to save credentials when you sign in to a service. If you restrict the browsers that can be used on managed devices, then use browser management to preload those browsers with the vendor's extension and turn off their native password storage and password sync, you make the default action the correct action. If your chosen service has a native app, pre-install that on managed devices too and block the installation of other password apps.
- Operating system agnostic and user friendly. When selecting a corporate password manager, choose one that works across all the device platforms your staff use and has an excellent consumer user experience and reputation. The best place to get a feel for this is the App Store and Google Play Store listings of the various contenders. Check the browser extension reviews as well.
- Employee personal licences for continuity. Some vendors include the option for each employee with an active corporate account to get a free family account. This increases the likelihood of adoption, as users get used to going to one app for all their credentials. They can be signed in to personal and work accounts on all their devices and save credentials into the relevant account and vault. Some vendors will suggest the right account based on the domain of the email address in a credential.
- Drive the cultural change. Lead by example and champion the chosen password manager, sharing tips with colleagues. Many password managers provide reporting on reused or weak passwords and on user adoption, so you can publicly recognise those who are leading the way and modelling the best behaviours.
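As an added illustration of the first point above (not something from the original post), this is what "turn off native password storage and preload the extension" looks like as a Chrome enterprise policy file on a Linux managed device, dropped into /etc/opt/chrome/policies/managed/. The same policy names apply on Windows (registry or GPO) and macOS (configuration profile); the extension ID is a placeholder you would replace with your vendor's Chrome Web Store ID.

```json
{
  "PasswordManagerEnabled": false,
  "SyncTypesListDisabled": ["passwords"],
  "ExtensionInstallForcelist": [
    "<your-password-manager-extension-id>;https://clients2.google.com/service/update2/crx"
  ],
  "ExtensionInstallBlocklist": ["*"]
}
```

`PasswordManagerEnabled: false` stops Chrome offering to save or fill passwords, `SyncTypesListDisabled` keeps any passwords already saved from syncing through a personal Google account, the force-list installs and pins the vendor's extension so users cannot remove it, and the blocklist wildcard blocks every other extension (force-installed extensions are exempt from the blocklist). After deployment, open chrome://policy on a managed device to confirm the policies show as applied with no errors.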
Bottom line
Password managers are no longer optional, and making sure credentials are stored in the right place so that your organisation stays in control is key. One of the foundation stones of any sensible cybersecurity strategy, they use client-side encryption to guard against the worst-case scenario of the vendor being hacked; they secure the corners of your tech stack that SSO doesn't reach; and they help drive a cultural change in security mindset so that secure behaviour becomes second nature.
If you are navigating some of these challenges at the moment we can help. Our mission is to help you reduce your cyber risk, and so our help can be in whatever form is most helpful to you, from conducting an assessment of your current setup, to advising on system architecture and config, introducing trusted partners, training up staff or helping with op model development or hiring. Please reach out below 👇