The Lockdown

Thycotic’s Cyber Security Blog

Beyond Password Managers

Written by Barbara Hoffman

March 16th, 2021

Passwords should be complex. Password management should be easy.

Consumer password managers are popular solutions for personal password storage. These digital password vaults make it possible for people to have complex passwords for each website and application they use and help them avoid bad habits like writing passwords down or using the same password for multiple systems.

Even more appealing to consumers, many of these basic password manager applications offer free versions. However, once you hit your password limit or you want more advanced functionality—or the vendor changes their pricing model—the price of the password management app goes up.

There are some things that a password manager is very good at.

With password managers, passwords are encrypted and can only be decrypted when accessed in conjunction with a user-generated master password. Most password managers store the credentials used to access multiple accounts and applications: username, password, application name, website URL, or IP address of the system. They can be installed locally, accessed in the cloud, or via mobile apps. And they’re designed to generate long complex passwords and auto-populate the password into the correct field, so people don’t have to manually key it in or cut and paste.

For an individual who wants to protect personal passwords, using a password manager might be OK. It’s certainly better than passwords written on Post-It notes stuck to a monitor or taped under a keyboard, saved in Excel spreadsheets or Google docs, or stored in plain text using a browser plug-in.

But does it make sense to use one of these personal password managers to secure enterprise privileges?

If your goals are enterprise security and efficiency, it does not.

Benefits of privileged access management (PAM) over personal password managers

A unified approach to password management with enterprise PAM is more secure and efficient than thousands of disconnected personal password managers.

Privileged access management is a more robust security solution, with features like high availability, compliance and regulatory security controls, automated privileged account discovery, the ability to configure access approval workflows, and integrations with enterprise solutions like ITSM, IGA, and SIEM.

Organizations use PAM software to control who can use a privileged account or access sensitive information with the ability to adjust permissions and change or delete critical data. They treat the privileged account as the object that is being protected, restricting password disclosure and sharing, while providing time-limited access to critical systems. Once a password is no longer required it’s rotated or expired so employees or third parties can’t continue to access sensitive information with old passwords.

Individual responsibility vs. corporate responsibility

Password managers require that individual users set up, maintain, and always use the app. The user assumes all responsibility for keeping the technology up to date and functioning properly.

With LastPass, KeePass, Dashlane, and other consumer password managers, the user is accountable and responsible for password security. They must do the heavy lifting of setup, password rotation, and, most importantly, making sure the password vault is used all the time.

With an enterprise PAM solution, the IT team assumes responsibility for the tech behind password security. They do the work of getting it started and keeping it going. All the user has to do is enjoy it.

Integrating password management into users’ daily workflow

Many business users don’t consider password hygiene a top priority, less so if it interferes with their productivity. They are more likely to adopt secure password practices if they’re integrated into the workflow and systems they use every day.

Personal password managers aren’t integrated into enterprise tools. They require a user to stop doing what they’re doing, open a separate tool, and then go back to their first screen to continue their work.

Privileged access management solutions, on the other hand, are integrated directly into a user’s workflow. In fact, many users never need to see the interface of an enterprise PAM solution like Secret Server, because the system takes action behind the scenes.

PAM solutions automatically create and rotate passwords, ensuring that when passwords are changed, all dependencies—systems that are connected to those passwords—can still authenticate and connect. With PAM, you can design sophisticated rules about what should happen after a password has changed.
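Dependency-aware rotation is the part of this that usually goes wrong in home-grown scripts: the target password changes, one downstream system is not updated, and it silently stops authenticating. The following is an added illustration (not Thycotic's or Secret Server's code) of the rotate, propagate, verify, roll-back sequence described above; the target system and its dependencies are constructed stand-in objects rather than real hosts.

```python
import secrets
import string
from dataclasses import dataclass, field


@dataclass
class Dependency:
    """Constructed stand-in for a system that authenticates with the managed account."""
    name: str
    stored: str                  # credential currently configured on the dependency
    accepts_update: bool = True  # simulates a dependency that cannot be reconfigured

    def update(self, new_pw: str) -> bool:
        if not self.accepts_update:
            return False
        self.stored = new_pw
        return True


@dataclass
class ManagedAccount:
    """Constructed stand-in for the privileged account whose password is rotated."""
    name: str
    password: str
    dependencies: list = field(default_factory=list)

    def authenticates(self, pw: str) -> bool:
        return secrets.compare_digest(pw, self.password)


def generate_password(length: int = 32) -> str:
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate(account: ManagedAccount) -> dict:
    """Rotate the account password and push it to every dependency.
    If any dependency cannot take the new secret, restore the old one
    everywhere so nothing is left unable to authenticate."""
    old_pw, new_pw = account.password, generate_password()
    account.password = new_pw            # step 1: change the secret on the target
    updated = []
    for dep in account.dependencies:     # step 2: propagate to each dependency
        if dep.update(new_pw):
            updated.append(dep)
        else:                            # step 3: failure path, roll back in order
            account.password = old_pw
            for done in updated:
                done.update(old_pw)
            return {"rotated": False, "failed": dep.name}
    # step 4: confirm every dependency still authenticates against the target
    ok = all(account.authenticates(d.stored) for d in account.dependencies)
    return {"rotated": ok, "failed": None}
```

The roll-back path is the case worth testing: a real implementation should also record both outcomes in the audit log so a failed rotation is visible, not silent.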

Session launchers within PAM tools make it possible to give people access to your IT systems, even temporarily, without requiring them to insert or even see a password. This functionality is particularly helpful for organizations that engage with contractors and third parties.

Non-human privileged account management

Personal password managers work best with human-to-application credentials, but they fall flat with application-to-application and other non-human credentials. Once you need to protect devices, data, code, and applications in the cloud, a password management system simply can’t keep up.

Enterprise PAM solutions manage more than privileged user accounts. They also manage service, application, database, and other non-human accounts. PAM protects all types of secrets, keys, APIs, and other credentials that control access to IT infrastructure, and provides fine-grained authorization. With one solution for all types of privileged accounts, the entire organization and IT environment can adhere to consistent policies and practices.

Central visibility and oversight

Personal password managers don’t offer the visibility and control organizations need to protect sensitive data, meet regulatory requirements, and manage at scale. When every user manages their own passwords, it becomes extremely hard to track how and where passwords are being used and stored, and whether those passwords are sufficiently protected.

Enterprise PAM solutions continuously discover and manage all privileged accounts and associated passwords throughout your organization. They provide central oversight such as session management and monitoring for privileged account behavior.

Auditing and reporting

To satisfy auditors, you need to do more than secure passwords. You must track the actions users perform while accessing privileged accounts, then report on that activity without spending hours combing through logs.

Consumer-grade password manager tools typically don’t include an immutable audit log, customizable reports, or session monitoring and recording.

Enterprise PAM solutions offer session recording capabilities to enable forensics and generate compliance reports that satisfy auditor requirements.

Are you comparing password managers and enterprise PAM?

You can learn more about the difference between personal password managers and enterprise PAM in our solution brief: Secret Server for Business Users or in the on-demand webinar: Beyond Password Managers to Privileged Access Management. Which is Right for You?
