Workforce password management is something every organisation should have in place, regardless of size!
Intro
We all know that privilege is a necessary evil: we need it to do our jobs, but it also offers a way for bad people to do bad things. The PAM market was created to solve these challenges by giving us tools and techniques to stop bad people from ‘getting in’.
Have we succeeded? Let’s be honest here, no!
After all, breaches still occur, but this isn’t because of poor security solutions, monitoring, security team skills gaps or anything else. It’s because of the blind spots we have in security, which are largely centred around our users.
Is this the fault of technology or specific vendors? Absolutely not.
It’s:
- Our approach to solving privilege problems (focusing on technical users)
- The user experience of the solutions we choose: simple solutions drive adoption, while hard-to-use solutions drive our users to workarounds that circumvent them
- The pace of technology growth within our organisations vs the speed of our ability to respond to new threats
Without saying users pose one of the largest security threats to our environment… well, I guess we’ve said it now.
This isn’t intentional on a user’s part, well, often not anyway, but we know our users are the target. Roughly 80% of breaches are due to stolen or weak credentials, and it’s far easier to gain credentials and log in than to hack in.
There are now over 24 billion passwords and credentials for sale on the dark web, a mixture of consumer personas and business personas.
What is Business or Workforce Password Management?
Business password management, or workforce password management as it’s also known, is simply a way of allowing our business users to store credentials in a secure manner.
A quick search of the internet reveals the average business user has over 70 passwords that they need to remember within the workplace. That’s a crazy number and honestly surprised me. Apparently, that already takes federation/SSO into consideration, which would obviously reduce the number of credentials greatly.
To be honest, even if a user has 20 passwords to remember, are they going to remember that many? IT admin type users, who are exposed to IAM/PAM and security in their working lives and are seen as more technically savvy, would perhaps know to use a vault, or they’d at least have a phrase pattern in place so they could make every password unique and still easy to remember.
But our business users? I’m sure if quizzed, more people would just admit to using the same password across multiple apps, and that’s really where the problem is. If someone gets hold of one password, it’s easy for them to move around and try that combination with other apps/systems, commonly referred to as lateral movement.
Our users have access to all kinds of sensitive data which could hurt us. It’s not just our IT admins who we need to fear because of the access they have.
- It’s our finance people who have access to corp bank accounts
- Our marketing or social media teams who have access to various websites, social platforms
- Our HR team, which has access to a whole database full of identity data
The list goes on and on, but think of the damage that could be done with just the above three items.
Every user within your company has access to sensitive data, and that may even just be their own sensitive data, but it’s your responsibility to protect it.
What do our users do now?
Users do a variety of things: some good, some bad, some secure, some borderline dangerous.
The good:
- Use an approved password manager
- Use unique passwords across all apps using a seed which is hard to guess but easy to remember
- SSO – remove as many passwords as possible from all users regardless of them being technical or not
The bad:
- Storing them in personal password management solutions (co-mingling with your Facebook, Gmail and whatever other passwords you may have)
- People using free/un-approved tools for storage (Shadow IT)
- Spreadsheets (protected by 123456 of course)
The ugly:
- Saving them in the browser (Simplicity at the expense of security)
- Good old sticky notes
- Using the same password for everything
Isn’t this PAM?
Yes, absolutely. It’s just not yet what most people think of as PAM.
PAM is about much more than technical users and needs to cater for all users who have access to sensitive data. Quite simply, it’s something that touches every user in the organisation. If you have a traditional PAM solution, you may well find that it offers workforce password management as part of that solution, in which case, great.
It’s usually an additional module for most vendors, so we’d advise looking at the cost and then also at your requirements, to ensure your adoption rate will be high.
There are always trade-offs with technology. We always used to joke about usability vs security, but with technology such as this, you’re likely to find the key challenge is consumer experience vs enterprise experience.
What we mean by this is that large numbers of our user population will already have exposure to these technologies. It may be the keychain on their phone, free consumer products or paid-for consumer products. If so, they will almost certainly have an expectation when it comes to user experience.
What should we look for in a solution?
- Can my existing vendors offer this? If so, how is it priced vs dedicated vendors?
- Does the solution offer a dedicated vault/safe/storage area per user?
- Can users import credentials both from their browser and other solutions they may have implemented themselves?
- Does the solution integrate with my SSO provider?
- What accreditations / certifications does the solution have? SOC2, ISO27001 etc.
- Does it enforce/support MFA?
- Can you logically group/organise credentials?
- Can you share credentials with team members?
- Does it offer a browser extension for easy form fill?
- Does it offer a mobile/tablet app for access on the move?
- Does it support both credentials and passkeys?
- Can you store other data such as notes?
- How easy is it to manage?
What do we recommend?
Hopefully business & workforce password management is something that you either have a solution in place for or are working on putting a solution in place for. It’s a major blind spot for many.
Just putting a management solution in place for these credentials often isn’t enough, and we have to be honest about that.
These solutions, unlike traditional PAM vaults, often do not rotate credentials automatically. One of the first things end users should do when adopting these solutions is change all their credentials to ensure they’re strong and unique.
Luckily, most workforce password management solutions include a password generator to make this task easier.
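The clean-up described above, finding the reused and weak entries and generating a strong unique replacement for each, written out as an added example that is not code from this post or from any vendor. The vault export rows, their field names and the strength rule are constructed assumptions; a real product’s export format and built-in audit will differ.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample of a vault export (not real credentials).
# Field names are an assumption; real exports differ per product.
VAULT_EXPORT = [
    {"title": "Corp bank portal", "username": "finance@example.com", "password": "Summer2023!"},
    {"title": "Social media", "username": "marketing@example.com", "password": "Summer2023!"},
    {"title": "HR system", "username": "hr@example.com", "password": "123456"},
    {"title": "Payroll SaaS", "username": "finance@example.com", "password": "kQ9#vT2m&zL8pW4r"},
]

MIN_LENGTH = 14  # assumed policy minimum
CHAR_CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]


def find_reused(entries):
    """Map each password stored under more than one title to those titles."""
    by_password = defaultdict(list)
    for entry in entries:
        by_password[entry["password"]].append(entry["title"])
    return {pw: titles for pw, titles in by_password.items() if len(titles) > 1}


def is_weak(password):
    """Weak if shorter than the policy minimum or missing any character class."""
    has_all_classes = all(any(c in cls for c in password) for cls in CHAR_CLASSES)
    return len(password) < MIN_LENGTH or not has_all_classes


def generate_password(length=20):
    """CSPRNG-backed generator that guarantees one character from each class."""
    chars = [secrets.choice(cls) for cls in CHAR_CLASSES]
    alphabet = "".join(CHAR_CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # so the class-guaranteed chars are not always first
    return "".join(chars)


def audit(entries):
    """Return the titles whose credential should be replaced: reused or weak."""
    flagged = {title for titles in find_reused(entries).values() for title in titles}
    flagged |= {entry["title"] for entry in entries if is_weak(entry["password"])}
    return sorted(flagged)


if __name__ == "__main__":
    for title in audit(VAULT_EXPORT):
        print(f"{title}: replace with {generate_password()}")
```

The reuse check is the one that matters most for the lateral movement risk discussed earlier: a long, complex password shared across two apps still fails it. Prefer the vault’s own security audit where it offers one, since a plaintext export is itself a sensitive artefact.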
At dotnext, we have partnered with Keeper Security to offer workforce password management to our clients as our first MSP offering. We can deliver a full end-to-end service managed entirely by ourselves, or we can just provide the initial setup and then hand over to the client for management.
The things we love about Keeper:
- Simple user experience
- Time based sharing of passwords
- TOTP codes (It will complete MFA for you)
- BreachWatch – It will tell you if your passwords are at risk or are exposed in the wild
- Security Audits to help focus your attention on risky credentials
- Simple admin experience
- Great mobile app
As a side benefit, any workforce user also gets a free family license of Keeper for their personal use which can be shared with family members. This vault is separate from the corporate vault and ensures segregation.
What matters most to us though, is that this is something on your roadmap if it’s not something you’re doing today. We’re always on hand for advice, regardless of the technology.
Join us for our next blog, when we’ll be discussing our next topic: Discovery.