Enterprise password manager

Resolved in less than 24 hours.

Do you guarantee that there are zero flaws in your product? I suspect not.
Indeed. It's not whether flaws exist but how they're resolved. Reading beyond the sensationalist headlines, LastPass seem to have the right approach. Given that they're a pretty high-profile target, I'd say their record is fair.

It's no surprise that El Pew prefers a product from his unnamed employer but, as others have contested, to then dismiss the alternatives as "garbage" is hard to take at face value.
 
Indeed. It's not whether flaws exist but how they're resolved. Reading beyond the sensationalist headlines, LastPass seem to have the right approach. Given that they're a pretty high-profile target, I'd say their record is fair.

You don't even have to take my word for it. There are a lot of security pros who warn against using LastPass, and like I said, auditors are starting to frown on its use.

If you think their record is 'fair' then I think you've got a screw loose.
 
To avoid this thread going around in circles, can you spell out the features that you consider a password manager needs to be 'enterprise ready' - the phrase gets used a lot in the industry and is often simply a way of dismissing a product without having to explain why. It's not a term with an industry standard definition, and one person may consider cloud sync to be perfectly acceptable in an enterprise product, whereas someone else might consider anything that isn't hosted on corporate infrastructure to be a toy that should be ignored.
 
You don't even have to take my word for it. There are a lot of security pros who warn against using LastPass, and like I said, auditors are starting to frown on its use.

Sorry, it's already been established that your word is overtly partisan. Too many weasel words beyond this.

If you think their record is 'fair' then I think you've got a screw loose.

Ho-hum.

one person may consider cloud sync to be perfectly acceptable in an enterprise product, whereas someone else might consider anything that isn't hosted on corporate infrastructure to be a toy that should be ignored.

Indeed.

El Pew also seemingly dismissed "user convenience" earlier, which I'd say is actually fairly important. No use having something that's too fiddly for the average user that they revert back to using post-it notes.
 
To avoid this thread going around in circles, can you spell out the features that you consider a password manager needs to be 'enterprise ready'

On a basic level? It means meeting whatever the enterprise's business requirements are. Most often I'm seeing that the drivers for password management systems are coming from either audit requirements, or from a concern over security - people are looking at TalkTalk, Target and the Bangladeshi Central Bank and seeing that admin credential theft is potentially a massive problem with catastrophic consequences.

On a features level, at a basic level you want secure password storage both at rest and in transit, integration with enterprise authenticators (AD at a minimum, preferably with MFA via one-time password tokens or smart cards on top), the ability to enforce automatic password rotation, decent access controls so you can implement least privilege, session recording or at least auditing, and reporting. There are more advanced features that the better solutions have beyond these.

I suspect most folks on here don't actually work for an 'enterprise', they work for a small business, which is why they are so wedded to free or almost-free solutions.

Sorry, it's already been established that your word is overtly partisan.

Doesn't mean I'm wrong.

El Pew also seemingly dismissed "user convenience" earlier, which I'd say is actually fairly important. No use having something that's too fiddly for the average user that they revert back to using post-it notes.

That's not what I said, is it? It's entirely possible to have something that's convenient to use whilst also secure, but LastPass haven't managed that. My objection is that their user convenience features have exhibited severe security flaws.

I honestly don't know why you people are defending LastPass. It's a bad system with proven security flaws, and there are better alternatives out there. Maybe you're afraid to admit that you've made a bad choice?
 
'Average users' shouldn't really be using password managers, as all important services really want to be tied into an SSO provider - this makes it a ton easier to ensure that you've revoked all necessary access when someone leaves.

My exposure to password management in enterprise has been using it to secure access to things like the admin credentials to the SSO platform so you don't lock yourself out, root level accounts for network hardware if RADIUS stops working for whatever reason etc. So having to authenticate against a web page rather than having something that auto-fills via a browser extension isn't really a massive inconvenience because it doesn't really get used a ton. There does ultimately need to be a password-in-a-safe at some point in this chain otherwise you build a massive circular dependency.
 
We used network password manager in my previous enterprise environment.
It integrates with AD so you can manage which areas people have access to centrally.

I'm fine with a cloud based password manager for some of my personal requirements; however my "important" passwords are held locally.

I wouldn't use a cloud password manager in an enterprise environment at all. I'd want something on premises.
 
'Average users' shouldn't really be using password managers, as all important services really want to be tied into an SSO provider - this makes it a ton easier to ensure that you've revoked all necessary access when someone leaves.

Yeah, standard users should either have a single password for everything tied in to AD, or they should have a desktop SSO solution to manage the passwords and tie everything in to a secure authenticator like a smart card or fingerprint reader. Imprivata OneSign is a good product for managing user passwords, or Oracle ESSO (but that's being discontinued, I believe).

I wouldn't use a cloud password manager in an enterprise environment at all. I'd want something on premises.

It depends whether you mean a cloud platform, like your own password solution on AWS or Azure, or a SaaS solution like LastPass. If you can secure AWS properly it's no worse than on-prem.
 
Just keep 'em in a Notepad document, keep it on your desktop so it's easy to navigate to!!! Call it MasterPasswordList.txt or something obvious as well, just in case you forget it!!

Seriously though, KeePass.
 
It depends whether you mean a cloud platform, like your own password solution on AWS or Azure, or a SaaS solution like LastPass. If you can secure AWS properly it's no worse than on-prem.

I was referring to a "Software as a Service" solution, rather than something hosted in Azure or similar.
 
Just keep 'em in a Notepad document, keep it on your desktop so it's easy to navigate to!!! Call it MasterPasswordList.txt or something obvious as well, just in case you forget it!!

Seriously though, KeePass.

Have hard copies in four places, forget to update all four when changing passwords.