The second part of our password manager series looks at business-grade tech to handle API tokens, login credentials, and more
Modern enterprises run dozens (and sometimes hundreds) of servers, services, applications, APIs, containers, and other technologies.
To secure these resources, enterprises need tools to manage secrets, including passwords, encryption keys, SSH (secure shell) keys, API tokens, certificates, and more.
The problem is that these resources are often spread across many platforms, including on-premise (on-prem) servers, cloud-based services, serverless applications, and container orchestration tools, making it very difficult to manage secrets in an efficient way.
Not infrequently, this leads to employees using ad hoc and insecure methods to manage authorization, such as storing secrets in plaintext files, hardcoding tokens in source code files uploaded to GitHub repositories, and storing encryption keys in unprotected S3 buckets.
This results in ‘secrets sprawl’ – logins and other credentials stored in many places – a practice that is often a contributory factor in data breaches.
One way to avoid secrets sprawl is to use a ‘secrets manager’, a tool that securely stores and manages secrets throughout their lifecycle. Secret managers can store all sorts of secrets (passwords, API tokens, certificates, etc.) and control how humans, devices, and services access them.
There are a few key features to look for in secrets managers:
- Support for various IT configurations: A good secrets manager should equally support cloud, multi-cloud, on-prem, and hybrid IT systems.
- Support for a range of authentication protocols: Aside from passwords, the solution must support certificates, encryption keys, API tokens, and the other kinds of authentication mechanisms that constitute the security backbone of your IT system.
- Support for your organizational structure: The technology should enable you to adjust your secrets access policy based on your organizational structure using roles, groups, etc.
- Support for different types of users: Many IT systems must regulate not only human access but also how machines and services access digital resources.
- Integration: Any product or service must provide various tools such as plugins, APIs, and CLIs to automate the storage and retrieval of secrets.
- Centralized management: A secrets management installation should provide real-time visibility and control on how users, services, and devices access secrets across the enterprise.
Here is a quick evaluation of a few popular secrets management products.
HashiCorp Vault
HashiCorp Vault is a popular enterprise solution for managing and securing passwords, tokens, encryption keys, certificates, API keys, and various other secrets.
Vault integrates with your main identity provider, such as Active Directory, LDAP, or your chosen cloud platform. The technology can manage secrets for more than 100 different systems, including public and private clouds, databases, messaging queues, and SSH endpoints.
Among the strengths of HashiCorp Vault is support for dynamically generated secrets. The product also provides granular control over access to different resources and a facility for administrators to revoke permissions as soon as something goes wrong.
Vault has a strong API that is easily integrated into applications to retrieve secrets, which discourages developers from relying on hardcoded passwords and tokens.
However, the benefits of HashiCorp Vault do not come without tradeoffs. The user interface is far from intuitive and has a steep learning curve. Most functionality is controlled through a command-line interface (CLI), which is good for automation but awkward for manual use.
HashiCorp Vault is open source, giving you the option to host it yourself. Alternatively, you can use a cloud-hosted instance of the secrets manager at $0.03/hour.
- Pros: Large support for different cloud and on-prem technology stacks, dynamic secret generation, strong API support, open source
- Cons: Steep learning curve, poor UI
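As an added illustration of the API-based retrieval described above (example code, not from the article or from HashiCorp), the snippet below reads a secret from Vault's KV version 2 HTTP API at runtime instead of hardcoding it. It assumes Vault's address and token are supplied via the environment, that the KV v2 engine is mounted at `secret`, and that the secret lives at the path `app/db`; the sample response is constructed to mirror the KV v2 response shape so the parsing can be exercised offline.

```python
"""Fetch a secret from HashiCorp Vault's KV v2 HTTP API rather than hardcoding it."""
import json
import os
import urllib.request


def kv2_url(addr: str, path: str, mount: str = "secret") -> str:
    # KV v2 places "data" between the mount point and the secret path.
    return f"{addr.rstrip('/')}/v1/{mount}/data/{path.lstrip('/')}"


def parse_kv2_response(body: str) -> dict:
    # KV v2 nests the key/value pairs under data.data; version metadata
    # sits beside it under data.metadata and is not returned here.
    doc = json.loads(body)
    try:
        return doc["data"]["data"]
    except (KeyError, TypeError) as exc:
        raise ValueError("not a KV v2 secret read response") from exc


def read_secret(path: str, mount: str = "secret") -> dict:
    # Address and token are read at runtime from the environment (assumed
    # variable names), so no credential lives in the source file.
    addr = os.environ["VAULT_ADDR"]
    token = os.environ["VAULT_TOKEN"]
    req = urllib.request.Request(
        kv2_url(addr, path, mount), headers={"X-Vault-Token": token}
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_kv2_response(resp.read().decode())


# Constructed sample shaped like a real KV v2 read; values are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "data": {"username": "app", "password": "PLACEHOLDER"},
        "metadata": {"version": 3, "destroyed": False},
    }
})

if __name__ == "__main__":
    creds = read_secret("app/db")  # hypothetical path
    print("fetched credentials for", creds["username"])
```

In production the token would normally come from a Vault auth method or agent rather than a static environment variable, which is what allows permissions to be revoked centrally.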
Secrets managers securely store and manage secrets throughout their lifecycle
CyberArk Conjur
CyberArk Conjur is a secrets management solution for centralized identity and access management across an enterprise.
Conjur supports various secret types, including passwords, service account tokens, and API tokens. It also supports integration with popular cloud infrastructures including GCP (Google Cloud Platform), AWS, and Azure, as well as a range of database types, CI/CD platforms, and container orchestration tools.
Like HashiCorp, Conjur supports integration with existing authentication solutions, including OAuth, LDAP, and other identity providers.
Conjur has a centralized management system where administrators can define their resources and the users, roles, devices, scripts, services, and other entities that want to access secrets. They can also define the enterprise’s secrets along with rules such as password rotation and auditing.
Application managers and developers use plugins and APIs to integrate Conjur into their CI/CD pipelines, cloud applications, or other resources that need access to the secrets store.
Conjur is open source and you can self-host the application. Like HashiCorp, one of the downsides of Conjur is the difficulty of both initial set-up and ongoing management.
- Pros: Versatile support for various applications, cloud providers, container orchestration tools, etc.; plugins and APIs for different types of integrations
- Cons: Complex setup and administration
Enterprise password managers
While secrets managers are useful tools, they might be overkill for smaller organizations or other entities that operate without a complex digital footprint. Given the high technical barrier of entry for secrets managers, companies without a dedicated IT team might not be equipped to use them.
For these businesses, a password manager might be a better option. Password managers only serve to securely store, access, and share passwords. They lack the integration, programming, and automation features of secrets managers, but can be great tools for securing credentials across an organization.
The Daily Swig reviewed personal and family-focused password managers in a previous article. In addition to the features of a personal password manager, a business password manager should provide the following:
- Centralized management: The administrator should be able to obtain reports on employee password health, usage, sharing, etc.
- Integration with identity providers: Businesses should be able to use their current identity provider (AD, Azure, Okta, etc) to log into their password manager.
Here are two popular business-focused password managers that are worth considering.
1Password
1Password is a popular password manager supported across all major platforms, including macOS, Windows, Linux, Android, and iOS. 1Password also has a Chrome extension for auto-filling login information on websites and storing new credentials in their vault.
1Password users can create multiple vaults to store passwords, credit card information, API tokens, crypto wallet recovery seeds, and other sensitive documents or data. 1Password also allows you to share secrets with other users and can limit password sharing through expiry dates, limited views, and specific email addresses that can access a shared link.
A Watchtower feature monitors for reused passwords, vulnerable passwords, and potentially compromised accounts.
The business edition provides administrators with a zoomed-out view of password security across an organization. It also provides granular-access features, enabling administrators to configure permissions, groups, roles, and vault access at scale.
Previously, 1Password did not support single sign-on (SSO). But it has recently added beta support for SSO login through Okta, with Azure and Duo to be added soon. The vendor is also adding integration with Azure AD, Google Workspace, Okta, OneLogin, and Slack.
1Password Business costs $7.99 per user per month. As a bonus, each 1Password Business user gets a free Families account, which they can share with five family members.
- Pros: Flexible password sharing, admin dashboard for organization-wide health report, mass assignment, bonus Family plan
- Cons: SSO currently only available as beta preview
NordPass
NordPass is an easy-to-use service that includes the basic features you would expect from a password manager, including cross-platform support, auto-fill, and the storage of different types of credentials.
NordPass also has a breach monitoring feature that scans the web for security incidents that involve the credentials of your organization.
NordPass Business provides a security dashboard that enables you to get company-wide reports on password health and activity logs. Users can share passwords and credit card data among team members.
The technology also provides centralized administration tools, including the ability to set company-wide multi-factor authentication (MFA) and password policies, and granting or revoking employees’ access to password vaults.
NordPass Business costs $3.59 per user per month. An Enterprise plan (price not listed) supports SSO with Okta, Azure AD, and Microsoft AD as well as user provisioning via AD (Active Directory).
- Pros: Centralized administration, company-wide policies, centralized granting and revoking of employee access
- Cons: Basic Business plan does not support SSO