Privileged accounts and credentials fast-track access and control over critical assets, making them the most important accounts and credentials to secure, such as via a Privileged Password Management solution. However, across the modern enterprise, the line between privileged and unprivileged is increasingly blurred.
Business users routinely use applications that provide access to sensitive data. Traditional consumer-grade password managers fall short in providing the necessary safeguards, auditability, and reporting capabilities to meet enterprise-level security and compliance. Furthermore, organizations frequently find themselves managing multiple password management solutions, which can reduce visibility and create complexity in password policy and compliance.
If a business account is hijacked, it could give an attacker the initial foothold they need, or it could allow them to move laterally to advance their attack.
When you consider that these business account passwords are often shared and re-used across different applications—and even personal accounts—you begin to see how the attack surface expands. You see how a threat actor can chain together an attack pathway with one set of compromised credentials that gives access to many accounts.
With the addition of a new Workforce Passwords capability, BeyondTrust Password Safe, a leading Privileged Password Management product, now empowers organizations to effectively address these issues—with one holistic solution.
Why We Need to Secure Employee Business Application Credentials
As organizations continue to expand their digital footprint, the number of passwords that business users require to perform their daily tasks has grown significantly. These passwords encompass a wide range of applications, including sensitive business systems.
IT often lacks visibility into these business accounts provisioned outside of the single sign-on (SSO) purview. IT may not see whether business users are storing passwords insecurely, whether passwords are being shared within or beyond the team, or whether they are being shared in an unsecure manner.
Clearly, inadequate business application password management can have serious consequences. Hijacked accounts, unauthorized access, and mistakenly exposed passwords can each lead to security breaches, lateral movement, and data exfiltration, and these are just a few of the potential risks. Furthermore, a lack of proper auditing and reporting on password usage can hinder an organization's ability to identify and respond to security incidents.
The identity security challenges are compounded when employees depart the organization, potentially leaving behind a tangled web of shared passwords and orphaned accounts. For example, if an employee’s accounts are not fully deprovisioned upon departure, and one or more business account passwords were shared with the ex-employee, each orphaned account presents an optimal attack vector into a system, complete with pre-authorized access.
Organizations are increasingly aware that traditional approaches to business user password management, such as consumer solutions, are inadequate for their security and compliance. Additionally, managing many different password management solutions in-house quickly becomes onerous for IT, and can lead to a host of policy and security complications.
Today, organizations need to manage business user passwords with the same enterprise-scale security, visibility, and availability they have come to expect with Privileged Credential Management solutions.
Challenges with SSO Adoption
Within today’s organizations, many business users access multiple applications each day for their work. Some of these applications may stand outside of the corporate Single Sign-On (SSO). This may be due to several reasons:
- SSO is cost-prohibitive – Unfortunately, many software providers charge extra to access their application within an SSO framework. This monetization for access is known globally as the “SSO tax,” and it can affect the decision an IT group makes when considering which applications are inducted into the existing SSO framework. It’s possible for a business app to be “approved” for use, and yet to remain in a non-SSO state for long periods of time.
- Organic growth of non-SSO applications – IT is frequently asked to allow access to those applications approved by departmental managers. Unfortunately, some business applications do not have an SSO capability available to them. IT maintains a list of these applications and sometimes performs security checks to ensure corporate data is not at risk. This presents a challenge for IT to consistently meet audit and compliance mandates.
- The app is a candidate for SSO – Sometimes IT wants to monitor the volume and frequency of the use of a business application as part of a larger planning effort. If the app becomes popular and highly used, then it could be a candidate to add to the existing SSO framework.
Obviously, some method of access control over business application passwords is desired. Some organizations simply rely on the discipline of their employees to create strong and unique passwords, to secure credentials within encrypted documents, and to limit sharing. Other organizations feel the problem is too large to handle, and they do nothing.
Many organizations turn to consumer-grade password managers to solve part of the password storage problem. While such consumer-grade password managers can fulfill a narrow requirement around storage, they do not address enterprise requirements for security, auditability, and scalability.
Consumer-Grade Password Managers… and their Considerable Shortcomings for the Enterprise
While consumer-grade tools provide a degree of convenience for organizations to address the proliferation of user passwords, they tend to fall short in several critical areas for today’s enterprises:
- Lack of enterprise-grade security - These products do not offer the same level of security as enterprise-grade solutions. For example, consumer-grade password managers are susceptible to attacks such as man-in-the-middle interception, session token theft, or keylogging malware installed on the endpoint. Vulnerabilities in these tools can expose sensitive credentials to attackers. As such, consumer-grade password managers are big attack targets.
- Absence of auditability and reporting - With consumer-grade password managers, organizations have limited visibility into who accessed what passwords and when.
- Challenges with password sharing - Sharing passwords among team members is a common practice, but consumer-grade password managers often lack features for secure sharing, management, and reporting of shared passwords.
- Risk of “Shadow IT” - Employees may resort to shadow IT, using applications and tools outside of the purview of IT, which further complicates security and compliance efforts: without enterprise-wide visibility, IT can’t enforce password policies or bar the use of personal emails in login credentials. The issue is worsened if confidential or proprietary information is stored in any application outside of IT’s management and an employee’s personal email is compromised.
Workforce Passwords and Password Safe: A Secure Enterprise Solution
The sprawl of multiple password management solutions across an enterprise can be costly to procure and maintain and can limit the visibility IT needs to provide identity security and to stay compliant. Examples of commonly implemented solutions include but are not limited to:
- Privileged Password Management solutions for managing privileged accounts and credentials
- Session Management solutions for managing privileged sessions
- Secrets Management Tools for DevOps and CI/CD toolsets, and other machine accounts
- Business Application Password Solutions
- Key managers for SSH or other protocols or applications
- Native toolsets for managing credentials that are siloed within a particular application or environment
And some organizations may have multiple tool sets across each category—and all from different vendors! This introduces complexity and risk on many planes. BeyondTrust Password Safe elegantly addresses this problem, by providing a comprehensive solution to secure and manage privileged accounts and sessions. Additional capabilities in Password Safe also enable the secure management of secrets without disrupting the agility and scale needed by DevOps teams.
With the new Workforce Passwords capability, Password Safe also provides an enterprise-level solution to secure business user application passwords. Gain control of your identity security by streamlining best-practice management and protection across privileged and non-privileged accounts—with a single solution.
With the Workforce Passwords add-on, Password Safe empowers your business users with an easy-to-use yet secure method to store and manage their business application passwords. This capability has been built to help you strengthen security, streamline password access, and leverage robust auditing and reporting capabilities.
Benefits of Workforce Passwords Include:
Ease of Use Through Secure Personal Folders
Each business user gains easy and quick access to their own, secure personal folders, providing isolated and secure storage for their passwords. This easy storage method eliminates the need for users to remember individual passwords for each application, or engage in unsecure password storage, enhancing productivity and reducing the risk of password misuse or compromise.
Simplified Access Through a Web Browser Extension
Business users can conveniently access their stored passwords and log into enterprise applications directly from web browsers, like Chrome and Edge, using a web browser extension. The stored passwords are auto-filled during the application login process. This enables a fast and secure login, while preserving a familiar and user-friendly experience.
Comprehensive Oversight through Auditing and Reporting Support
Workforce Passwords provides robust auditing and reporting capabilities, empowering organizations with the tools needed to maintain oversight and compliance of password usage. Comprehensive audit trails enable organizations to track who accessed which passwords, when, and for what purpose. This information is invaluable for identity security and compliance efforts, and for aiding in potential future forensic activity. Benefit from visibility and insights into password usage with the Entitlements Report to further identify potential security risks and to ensure compliance with industry regulations.
Improved Ability to Address Cyber Insurance Underwriting Requirements
Cyber insurers increasingly demand security controls and oversight that extend beyond privileged accounts. Today, visibility of passwords and their use is central to cyber insurance risk underwriting. Workforce Passwords provides the visibility needed to meet these requirements. By implementing BeyondTrust Password Safe with Workforce Passwords, organizations can reduce the risk associated with password compromise—further making the enterprise a more attractive candidate for cyber insurance coverage. This is in addition to the requirements Password Safe helps address around managing, securing, and auditing privileged accounts and credentials.
Easy Enforcement of Password Complexity
Enterprise password policies are established to ensure passwords meet specific security criteria, such as length, complexity, and regular updates, that appropriately minimize risk. These criteria make it harder for attackers to guess or crack passwords, while helping organizations meet or exceed their compliance mandates for password policy enforcement. Workforce Passwords leverages the power of Password Safe’s enterprise-class password policy support to ensure strong password security standards are applied across the organization.
Reduce the Attack Surface: Start by Securing Your Business Passwords
BeyondTrust Password Safe can now help organizations secure business user application passwords with the addition of Workforce Passwords. This new capability helps organizations reduce their attack surface, leaving attackers with fewer attack vectors and opportunities for lateral movement. In addition to strengthening security, Password Safe and Workforce Passwords enhance user productivity and simplify compliance efforts.
By implementing comprehensive enterprise password management capabilities from BeyondTrust that help secure privileged and non-privileged accounts and credentials, organizations can look forward to a more secure and streamlined future, where the management of credentials is no longer a daunting task, but a strategic advantage.
For more information visit https://www.beyondtrust.com/solutions/workforce-passwords and https://www.beyondtrust.com/products/password-safe, or contact us directly.
Rich Keith, Sr. Product Marketing Manager
Rich Keith has over 20 years technical experience in cyber security, identity management, AI/ML and big data analytics, and enterprise software, including enterprise Java servers and transaction processing systems. Rich is a sought-after speaker at cybersecurity events worldwide. Prior to BeyondTrust, Rich held senior positions at SailPoint, Cofense (formerly PhishMe), and BEA Systems/Oracle. Rich holds a master's degree in computer science from California State University, Chico and he lives in Austin, TX.