Password managers: A rough guide to enterprise secret platforms

Modern enterprises run dozens (and sometimes hundreds) of servers, services, applications, APIs, containers, and other technologies.

To secure these resources, enterprises need tools to manage secrets, including passwords, encryption keys, SSH (secure shell) keys, API tokens, certificates, and more.

The problem is that these resources are often spread across many platforms, including on-premises (on-prem) servers, cloud-based services, serverless applications, and container orchestration tools, which makes it very difficult to manage secrets consistently.

Not infrequently, this leads to employees using ad hoc and insecure methods to manage credentials, such as storing secrets in plaintext files, hardcoding tokens in source code that is pushed to GitHub repositories, and storing encryption keys in unprotected S3 buckets.

This results in ‘secrets sprawl’ – logins and other credentials stored in many places – a practice that is often a contributory factor in data breaches.
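The hardcoded-token case above is the one that is easiest to catch before it reaches a repository. The following scanner is an added example, not code from the article: it flags well-known credential shapes (the AWS access key ID and GitHub token prefixes are public formats) and, for generic `password = "..."` style assignments, uses a placeholder list and a Shannon-entropy threshold to avoid reporting environment lookups and template variables. The sample file and its values are constructed; the AWS pair is AWS's own documented example key.

```python
"""Flag hardcoded credentials in source or config text (the 'secrets sprawl'
failure described in the article). Added example, not from the article: the
AWS and GitHub token shapes are public formats, the rest is heuristic.
"""
import math
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    rule: str
    value: str


# Credentials with a fixed, documented shape.
SPECIFIC_RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# `<credential-ish name> = "<value>"` in any language or config syntax.
ASSIGNMENT = re.compile(
    r"""(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['"]?([^'"\s]{8,})"""
)
# Values that *reference* a secret rather than contain one.
PLACEHOLDER = re.compile(r"^(?:\$\{?\w+\}?|os\.environ.*|<[^>]+>|changeme|example\w*)$", re.I)
MIN_ENTROPY = 3.0  # bits/char; dictionary words score far below real secrets


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; a cheap test for random-looking strings."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def scan(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hit = False
        for rule, pattern in SPECIFIC_RULES.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(line_no, rule, m.group(0)))
                hit = True
        if hit:
            continue  # don't report the same token again under the generic rule
        m = ASSIGNMENT.search(line)
        if m:
            value = m.group(1)
            # Env lookups, template placeholders and dictionary words are not leaks.
            if PLACEHOLDER.match(value) or shannon_entropy(value) < MIN_ENTROPY:
                continue
            findings.append(Finding(line_no, "credential-assignment", value))
    return findings


# Constructed sample file; the AWS pair is the publicly documented example key.
SAMPLE_SOURCE = """\
# settings.py (constructed sample, not real credentials)
DB_HOST = "db.internal"
DB_PASSWORD = "S3cr3t-Passw0rd!2023"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJ012345"
api_key = os.environ["API_KEY"]   # read from the environment at run time: fine
password = "${DB_PASSWORD}"       # template placeholder filled in at deploy: fine
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule}: {f.value[:6]}...")
```

Run as a pre-commit hook or CI step, this reports lines 3 to 6 of the sample and stays quiet on the two lines that pull the value from the environment or a template. The entropy threshold is the knob to tune: too low and `changeme`-style defaults come through, too high and short but real passwords are missed.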

One way to avoid secrets sprawl is to use a ‘secrets manager’, a tool that securely stores and manages secrets throughout their lifecycle. Secrets managers can store all sorts of secrets (passwords, API tokens, certificates, etc.) and control how humans, devices, and services access them.

There are a few key features to look for in secrets managers:

  • Support for various IT configurations: A good secrets manager should equally support cloud, multi-cloud, on-prem, and hybrid IT systems.
  • Support for a range of credential types: Aside from passwords, the solution must support certificates, encryption keys, API tokens, and the other kinds of credentials that constitute the security backbone of your IT system.
  • Support for organizational access policies: The technology should enable you to shape your secrets access policy around your organizational structure using roles, groups, etc.
  • Support for different types of users: Many IT systems must regulate not only human access but also how machines and services access digital resources.
  • Integration: Any product or service must provide various tools such as plugins, APIs, and CLIs to automate the storage and retrieval of secrets.
  • Centralized management: A secrets management installation should provide real-time visibility and control on how users, services, and devices access secrets across the enterprise.

Here is a quick evaluation of a few popular secrets management products.

HashiCorp Vault

HashiCorp Vault is a popular enterprise solution for managing and securing passwords, tokens, encryption keys, certificates, API keys, and various other secrets.

Vault integrates with your main identity provider, such as Active Directory, LDAP, or your chosen cloud platform. The technology can manage secrets for more than 100 different systems, including public and private clouds, databases, messaging queues, and SSH endpoints.

Among the strengths of HashiCorp Vault is support for dynamically generated secrets. The product also provides granular control over access to different resources and lets administrators revoke access as soon as something goes wrong.

Vault has a strong API that is easily integrated into applications to retrieve secrets, which discourages developers from relying on hardcoded passwords and tokens.
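To make the previous two paragraphs concrete, here is a small client that an application could use at start-up to pull its configuration and a dynamic database credential from Vault, then renew or revoke the credential's lease. This is an added example, not Vault's own client library: it calls Vault's documented HTTP endpoints (KV v2 read, database secrets engine `creds`, `sys/leases/renew` and `sys/leases/revoke`), and the address, token, mount names (`secret/`, `database/`) and role name (`app-readonly`) are assumptions. The transport is injectable so the lease logic can be exercised without a live server.

```python
"""Fetch credentials from HashiCorp Vault at run time instead of hardcoding them.

Added example, not Vault's own client library. It calls Vault's documented HTTP
endpoints: a KV v2 read, a database-engine dynamic credential, and lease
renewal/revocation. VAULT_ADDR, VAULT_TOKEN, the mount names and the role name
are assumptions for illustration.
"""
import dataclasses
import json
import os
import time
import urllib.request
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional

# transport(method, url, headers, body) -> response body. Injectable so the
# client logic can be exercised without a live Vault server.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], bytes]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> bytes:
    """Default transport; urllib raises HTTPError on 403/404, which is what we want."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


@dataclass
class Lease:
    """A dynamic credential plus what is needed to renew or revoke it."""
    username: str
    password: str
    lease_id: str
    renewable: bool
    ttl: float          # seconds granted at issue/renew time
    expires_at: float   # epoch seconds

    def seconds_left(self, now: Optional[float] = None) -> float:
        return max(0.0, self.expires_at - (time.time() if now is None else now))

    def needs_renewal(self, now: Optional[float] = None, margin: float = 0.2) -> bool:
        """True once less than `margin` of the TTL remains; renew before expiry."""
        return self.renewable and self.seconds_left(now) < margin * self.ttl


class VaultClient:
    def __init__(self, addr: str, token: str, transport: Transport = urllib_transport):
        self.addr = addr.rstrip("/")
        self.token = token
        self.transport = transport

    def _call(self, method: str, path: str, body: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        # Every request carries the Vault token; Vault enforces that token's policies.
        headers = {"X-Vault-Token": self.token, "Content-Type": "application/json"}
        url = f"{self.addr}/v1/{path.lstrip('/')}"
        raw = self.transport(method, url, headers,
                             None if body is None else json.dumps(body).encode())
        return json.loads(raw) if raw else {}   # revoke answers 204 with no body

    def read_kv(self, mount: str, path: str) -> Dict[str, Any]:
        """Static secret from a KV v2 engine: GET /v1/<mount>/data/<path> -> data.data."""
        return self._call("GET", f"{mount}/data/{path}")["data"]["data"]

    def database_creds(self, mount: str, role: str, now: Optional[float] = None) -> Lease:
        """Dynamic secret: Vault creates a fresh DB user bound to a lease and returns it."""
        resp = self._call("GET", f"{mount}/creds/{role}")
        ttl = float(resp["lease_duration"])
        issued = time.time() if now is None else now
        return Lease(username=resp["data"]["username"], password=resp["data"]["password"],
                     lease_id=resp["lease_id"], renewable=bool(resp.get("renewable", False)),
                     ttl=ttl, expires_at=issued + ttl)

    def renew(self, lease: Lease, increment: int, now: Optional[float] = None) -> Lease:
        """PUT /v1/sys/leases/renew; Vault may grant less than `increment` (max_ttl)."""
        resp = self._call("PUT", "sys/leases/renew",
                          {"lease_id": lease.lease_id, "increment": increment})
        ttl = float(resp["lease_duration"])
        renewed = time.time() if now is None else now
        return dataclasses.replace(lease, ttl=ttl, expires_at=renewed + ttl)

    def revoke(self, lease: Lease) -> None:
        """PUT /v1/sys/leases/revoke: Vault drops the DB user; the password stops working."""
        self._call("PUT", "sys/leases/revoke", {"lease_id": lease.lease_id})


if __name__ == "__main__":
    # Assumed environment: a Vault with a KV v2 engine at "secret/" and a database
    # engine at "database/" exposing a role "app-readonly".
    client = VaultClient(os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200"),
                         os.environ["VAULT_TOKEN"])
    cfg = client.read_kv("secret", "app/config")
    lease = client.database_creds("database", "app-readonly")
    print(f"db user {lease.username} valid for {lease.seconds_left():.0f}s, "
          f"config keys: {sorted(cfg)}")
```

The point of the `Lease` bookkeeping is what makes dynamic secrets different from a password in a file: the credential has a TTL, the application renews it while it is still needed, and an operator (or the application, on a suspected compromise) can call `revoke` and have the database user disappear immediately rather than rotating a shared password everywhere it was copied.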

However, the benefits of HashiCorp Vault do not come without tradeoffs. The user interface is far from intuitive and has a steep learning curve. Most functionality is controlled through the CLI, which is good for automation but awkward for manual use.

HashiCorp Vault is open source, giving you the option to host it yourself. Alternatively, you can use a cloud-hosted instance of the secrets manager at $0.03/hour.

  • Pros: Broad support for different cloud and on-prem technology stacks, dynamic secret generation, strong API support, open source
  • Cons: Steep learning curve, poor UI

Secrets managers securely store and manage secrets throughout their lifecycle

CyberArk Conjur

CyberArk Conjur is a secrets management solution for centralized identity and access management across an enterprise.

Conjur supports various secret types, including passwords, service account tokens, and API tokens. It also supports integration with popular cloud infrastructures including GCP (Google Cloud Platform), AWS, and Azure, as well as a range of database types, CI/CD platforms, and container orchestration tools.


Like Vault, Conjur supports integration with existing authentication solutions, including OAuth, LDAP, and other identity providers.

Conjur has a centralized management system where administrators can define their resources and the users, roles, devices, scripts, services, and other entities that want to access secrets. They can also define the enterprise’s secrets along with rules such as password rotation and auditing.
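In Conjur those definitions are written as YAML policy loaded into the server, which is also where least privilege gets enforced. The policy below is an added illustration, not taken from the article or from CyberArk's documentation: the application name, the host identities, the user and the variable names are hypothetical. Only the structure (policy, variable, host, user, group, grant, permit and the read/execute/update privileges on variables) is Conjur's.

```yaml
# Added example of a Conjur policy file; all identifiers are hypothetical.
- !policy
  id: payments-api
  body:
    # Secrets are variables; their values are set separately, never in the policy file.
    - !variable db/password
    - !variable stripe/api-key

    # Non-human identities: one host per workload, no shared service account.
    - !host ci-runner
    - !host payments-api-prod

    # Humans who operate the service, addressed through a group rather than individually.
    - !user alice
    - !group deployers
    - !grant
      role: !group deployers
      member: !user alice

    # Operators may read and write the values (update lets them rotate them).
    - !permit
      role: !group deployers
      privileges: [read, execute, update]
      resources:
        - !variable db/password
        - !variable stripe/api-key

    # The production workload may only fetch the values ("execute"), never change them.
    - !permit
      role: !host payments-api-prod
      privileges: [read, execute]
      resources:
        - !variable db/password
        - !variable stripe/api-key

    # The CI runner needs the payment provider key for integration tests, not the DB password.
    - !permit
      role: !host ci-runner
      privileges: [read, execute]
      resource: !variable stripe/api-key
```

Because policy is plain text it belongs in version control with review, so every change to who can read which secret leaves a trail, and because each workload gets its own host identity, revoking one compromised runner does not touch the others.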

Application managers and developers use plugins and APIs to integrate Conjur into their CI/CD pipelines, cloud applications, or other resources that need access to the secrets store.

Conjur is open source and you can self-host the application. Like Vault, one of the downsides of Conjur is the difficulty of both initial set-up and ongoing management.

  • Pros: Versatile support for various applications, cloud providers, container orchestration tools, etc.; plugins and APIs for different types of integrations.
  • Cons: Complex setup and administration

Enterprise password managers

While secrets managers are useful tools, they might be overkill for smaller organizations or other entities that operate without a complex digital footprint. Given the high technical barrier of entry for secrets managers, companies without a dedicated IT team might not be equipped to use them.

For these businesses, a password manager might be a better option. Password managers only serve to securely store, access, and share passwords. They lack the integration, programming, and automation features of secrets managers, but can be great tools for securing credentials across an organization.

The Daily Swig reviewed personal and family-focused password managers in a previous article. In addition to the features of a personal password manager, a business password manager should provide the following:

  • Centralized management: The administrator should be able to obtain reports on employee password health, usage, sharing, etc.
  • Integration with identity providers: Businesses should be able to use their current identity provider (AD, Azure, Okta, etc) to log into their password manager.

Here are two popular business-focused password managers that are worth considering.

1Password

1Password is a popular password manager supported across all major platforms, including macOS, Windows, Linux, Android, and iOS. 1Password also offers browser extensions (Chrome among them) for auto-filling login information on websites and storing new credentials in the vault.

1Password users can create multiple vaults to store passwords, credit card information, API tokens, crypto wallet recovery seeds, and other sensitive documents or data. 1Password also allows you to share secrets with other users and can limit password-sharing through expiry dates, limited views, and specific email addresses that can access a shared link.

A Watchtower feature monitors for reused passwords, vulnerable passwords, and potentially compromised accounts.

The business edition provides administrators with a zoomed-out view of password security across an organization. It also provides granular-access features, enabling administrators to configure permissions, groups, roles, and vault access at scale.

1Password did not previously support single sign-on (SSO), but it has recently added beta support for SSO login through Okta, with Azure and Duo to be added soon. The vendor is also adding integration with Azure AD, Google Workspace, Okta, OneLogin, and Slack.

1Password Business costs $7.99 per user per month. As a bonus, each 1Password Business user gets a free Families account, which they can share with five family members.

  • Pros: Flexible password sharing, admin dashboard for organization-wide health report, mass assignment, bonus Family plan
  • Cons: SSO currently only available as beta preview

NordPass

NordPass is an easy-to-use service that includes the basic features you would expect from a password manager, including cross-platform support, auto-fill, and the storage of different types of credentials.

NordPass also has a breach monitoring feature that scans the web for security incidents that involve the credentials of your organization.

NordPass Business provides a security dashboard that enables you to get company-wide reports on password health and activity logs. Users can share passwords and credit card data among team members.

The technology also provides centralized administration tools, including the ability to set company-wide multi-factor authentication (MFA) and password policies, and granting or revoking employees’ access to password vaults.


NordPass Business costs $3.59 per user per month. An Enterprise plan (price not listed) supports SSO with Okta, Azure AD, and Microsoft AD as well as user provisioning via AD (Active Directory).

  • Pros: Centralized administration, company-wide policies, centralized granting and revoking of employee access
  • Cons: Basic Business plan does not support SSO


Source: https://portswigger.net/daily-swig/password-managers-a-rough-guide-to-enterprise-secret-platforms
