Security

Do You Need ONLY a Password Manager? (Hint: Probably Not!)

Before purchasing a password management solution for your organization, it's crucial to ask a fundamental question: do you need ONLY a password manager? Surprisingly, the answer is likely to be no!

Gabriel Caron Landry

As a Sales Ops Manager, I am dedicated to delivering the highest quality experience possible for Devolutions clients. My drive and expertise allow me to contribute in meaningful ways that will help propel the company's global growth plans. I love technology, especially its capacity to increase the speed of doing business. In fact, my MBA thesis focused on technology, specifically how it can be used to finance born global businesses, and since then I’ve been really passionate about the born global model. I did some research in my area to see if there were any local born global businesses, and that’s how I discovered Devolutions! Besides technology, I also really love golf — favoring long-distance drives over putting any day. Luckily, I had the chance to combine work and pleasure by directing an indoor golf simulator facility, and also by creating a unique golf program for a local city.

View more posts

If your organization is in the market for a password management solution, then before you make a purchase you need to answer a crucial question. It is not about cost, compatibility, or compliance. It is more fundamental than that: do you need ONLY a password manager? Believe it or not, the answer is probably no!

Business Oriented? Yes.

Here is the root problem: “password manager” is essentially a marketing term that was coined several years ago, no doubt to capitalize on two things that organizations need and value: security (implied by the “password” part) and efficiency (implied by the “manager” part).

Granted, password managers are business-oriented. But contrary to popular belief, they are NOT inherently secure.

In essence, a password manager provides a centralized way to manage data. Another way to look at this, is to say that as soon as you manage and share data, then you are by definition using a password management system. Does this make something as insecure as a shared excel sheet a “password manager”? The answer is yes! In fact, most password managers on the market only let organizations share a single vault with all users (technical and non-technical), with no control over who has access to what.

Again, this is because password managers are designed to centralize and manage data. They are not built for security. They are built for business continuity. Here is an explanation on why this is the case...

Secure? No.

Password managers allow end users to share vaults containing different kinds of information like credentials, credit cards, remote connection information, website logins, documents, etc. If an end user leaves the company, then their former colleagues do not have to spend time trying to locate personal spreadsheets, notepads, and so on. Instead, they can quickly and easily find what they need in the shared vaults. This is convenient, but it is not secure. With any password manager, all an end user needs to do is copy/paste the credentials in another file and leave with it.

Password managers on the market today cannot fix this situation, yet they claim to be “secure.” The only way to make them secure would be to change all passwords each time someone leaves the company — which is a real pain. What about having passwords automatically reset after each use? This is almost impossible for third-party apps or website passwords. Practically, the only secure and practical option is to hide the password at usage through secure credential injection, which is something we explore later in this blog.

What does all of this mean for your organization? Here is the surprising, and perhaps shocking truth: if you buy only a password manager, then you will get business continuity — NOT security. It is what you do with passwords, and how you do it, that makes you secure.

“Reactive Features” in Password Managers

As you explore various password managers — and there are many to choose from — then you have (or will) come across products with functions such as:

  • Role-based access control (RBAC)
  • “Pawned” password checking
  • Minimal password policies
  • Browser add-on
  • Logging

Typically, these are described by vendors as “security features.” However, these do not actually make your organization more secure! Instead, we should call them “reactive features,” because they can make you aware of potential problems. These features are where security in your organization BEGINS, not where it ENDS.

The Role of Password Managers

Despite these serious drawbacks, password managers — which should truly be called “Business Continuity Tools” — have their place on the business landscape. Specifically, they are beneficial for non-technical business users who would otherwise struggle to remember a massive list of strong, unique passwords (research has found that the average business user now has a staggering 191 passwords!).

However, that is the extent of the use case for password managers. Technical users (e.g., SysAdmins, help desk staff, etc.) work in areas where the real risk exists, and where security needs are highest. For them, a password manager on its own is wholly insufficient. Fortunately, there is a practical and proven way to close the security gap.

Augmenting Password Managers with Privileged Session Management (PSM) or Privileged Access Management (PAM)

A password manager that also functions as a legitimate, robust security solution — and not just as a business continuity tool — will support features like:

  • Secure credential injection
  • Account discovery
  • Automated password rotation
  • Alerts and notifications
  • Checkout request approval process

Well, guess what? As soon as you start focusing on these essential security features, then you are no longer only in the market for just a password manager. You are also in the market for privileged session management (PSM) or privilege access management (PAM)!

An Easy Way to Determine Your Needs

How do you know if you need a password manager with PSM features, or a password manager strengthened with PAM features? Here is an easy checklist to make this determination:

You likely need a password manager + PSM if:

  • The solution will be used by technical users.
  • You want to automatically launch connections.
  • You don’t want end users to see passwords.

You likely need a password manager + PAM if you:

  • You want passwords to be changed/reset.
  • You want account discovery options.
  • You want a checkout request approval process.

And naturally, if you are checking items from both lists, then you need a password manager with both PSM and PAM features.

Final Thoughts

There is nothing inherently wrong with password managers. They have a role to play, and provide important benefits around efficiency and convenience. However, by themselves they are not legitimate security solutions that provide sophisticated IT security functions, even though for decades they have been advertised as such.

To get efficiency AND security — not the former instead of the latter — your organization needs a password manager strengthened with PSM and/or PAM. With this approach and infrastructure, your business users will remain productive and efficient, while your IT staff will have the control, visibility, and reporting they need to keep your organization safe and compliant.

Related Posts

Read more Security posts