As the workforce adopts more and more cloud applications, they also need to manage more and more corporate passwords and One Time Passwords (OTPs). Managing so many sets of credentials can often lead to poor security practices being adopted by users such as:-
An enterprise password manager enables organisations to achieve compliance and eliminate risk by enforcing password security policies and automating generation of One Time Passwords (OTPs) whilst providing the workforce with frictionless and secure access to applications.
However, there are a wide range of products on the market and the features they offer can have a significant impact on user adoption and therefore your return on investment from the product. The wrong product can leave security ‘blind spots’ or fundamentally fail to deliver on some of the key requirements for your enterprise. So, here is our round up of the ten critical features when deciding which enterprise password manager is right for your organisation together with the impact of not having these features in your chosen solution.
One purpose of a password manager is to make things easier for employees, not to give them yet another password to remember. An enterprise password manager that integrates with your corporate directory means no sign-in is required to the password manager itself. This creates a frictionless user experience and guarantees user adoption since the user does not have to take any action to engage with the enterprise password manager.
Impact of Not Having This Feature
If the password manager requires the user to manually log in or authenticate with it, this creates a barrier to usage and adoption. This reduces the effectiveness of the solution and leaves the organization exposed to cyber security risks as the user adoption cannot be guaranteed.
For widespread enterprise use, choose an enterprise password manager that can be configured to run silently in the background providing users with access to the passwords they need at the time when they need them. An enterprise password manager that can present the relevant passwords to the user at the point they are attempting to access an application means no training is required, which in turn means significantly higher adoption and greater security benefits.
Impact of Not Having This Feature
If the password manager requires the user to interact with it via a user interface, this typically involves training. If users need to be trained on a system this creates a further barrier to usage and adoption and many will revert to their previous way of working i.e. relying on passwords being stored in documents or making passwords simple and easy to remember. All of this undermines the intended security benefits of a password solution.
Use a password manager that can generate strong, random passwords that comply with your policies and automate user password updates on external (third-party) applications without need for an API. It’s also important that the solution can automate synchronisation of newly updated passwords to ensure that, where passwords are shared, all permitted users and groups have immediate access to the updated credentials.
This provides a significant level of protection against external applications being compromised as a result of brute force attacks on weak passwords and memorable passwords that may have been chosen by end users. It also protects against the risks of passwords being re-used across multiple applications by creating unique, random, high-entropy passwords.
Impact of Not Having This Feature
Without this feature, the enterprise will be exposed to the risk of the workforce setting simple, easy-to-remember passwords that are easy to guess, brute-force, or discover through reuse on another application, all of which leaves the organisation at increased risk of a data breach.
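To make the "strong, random, policy-compliant and unique" requirement concrete, here is an added example (not code from the original post or from any product it mentions) of how such a generator can be built: a hypothetical `PasswordPolicy`, a compliance check, a CSPRNG-backed generator that uses rejection sampling so every compliant password is equally likely, an entropy estimate, and a reuse check over a constructed sample vault. The policy fields, function names and the sample vault are all this example's own assumptions.

```python
import math
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Hypothetical policy shape for this example; fields are not any product's API."""
    length: int = 20
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    symbols: str = "!@#$%^&*()-_=+[]{};:,.?"


def alphabet(policy: PasswordPolicy) -> str:
    """Every character the generator may draw from under this policy."""
    return string.ascii_lowercase + string.ascii_uppercase + string.digits + policy.symbols


def complies(password: str, policy: PasswordPolicy) -> bool:
    """True only if the password satisfies every rule in the policy."""
    if len(password) != policy.length:
        return False
    if any(c not in alphabet(policy) for c in password):
        return False
    checks = [
        (policy.require_lower, string.ascii_lowercase),
        (policy.require_upper, string.ascii_uppercase),
        (policy.require_digit, string.digits),
        (policy.require_symbol, policy.symbols),
    ]
    return all(any(c in cls for c in password) for required, cls in checks if required)


def generate(policy: PasswordPolicy) -> str:
    """Draw uniformly from the CSPRNG and reject non-compliant candidates.

    Rejection sampling keeps every compliant password equally likely; the common
    "pick one char from each class, then shuffle" approach skews the distribution.
    """
    chars = alphabet(policy)
    while True:
        candidate = "".join(secrets.choice(chars) for _ in range(policy.length))
        if complies(candidate, policy):
            return candidate


def entropy_bits(policy: PasswordPolicy) -> float:
    """Upper bound on entropy: length * log2(alphabet size). Rejection trims it very slightly."""
    return policy.length * math.log2(len(alphabet(policy)))


def find_reuse(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map each password used by more than one application to the applications sharing it."""
    by_password: dict[str, list[str]] = {}
    for app, password in vault.items():
        by_password.setdefault(password, []).append(app)
    return {pw: apps for pw, apps in by_password.items() if len(apps) > 1}


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed sample vault: two apps share a weak, human-chosen password.
    vault = {"crm": "Winter2024!", "hr-portal": "Winter2024!", "erp": generate(policy)}
    print("reused:", find_reuse(vault))
    print("entropy of a generated password: %.1f bits" % entropy_bits(policy))
    print("compliant?", {app: complies(pw, policy) for app, pw in vault.items()})
```

The generator relies on `secrets`, never `random`, and the entropy figure is what a defender should compare against an attacker's offline guessing budget; the reuse check is the kind of report a password manager can run before synchronising a rotated credential to shared users.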
Zero Knowledge Encryption means that no one outside your enterprise can access your stored passwords – not even the vendor of the enterprise password manager. When using cloud-based enterprise password managers, this is achieved by ensuring the encryption keys that protect customers’ data remain inside the secure perimeter of the customer’s enterprise network. This is crucial in giving your organisation complete control and eliminating a potential security risk – ask the vendor of the Enterprise Password Manager where the encryption takes place and whether they have any access to the keys that protect your data.
Impact of Not Having This Feature
Without this feature, the passwords your workforce store can potentially be accessed by the vendor of your enterprise password manager. This also creates a single point of failure since if the vendor is compromised your passwords can be accessed. These factors open up significant security risks for your organisation so, for the greatest level of security, ensure that the vendor has no access to the encryption keys that protect your data.
Allowing easy, one-click access to apps by automatically filling login forms completes the journey towards an unobtrusive user experience, largely removing the need to copy and paste credentials from the password manager, reducing user friction and increasing productivity.
However, for the greatest effectiveness, you can eliminate password phishing risks by using an enterprise password manager that supports Single Sign-On for applications and services where the passwords are hidden from the users. This allows the workforce to access applications without knowing the passwords being used, meaning they are unable to disclose any credentials in response to phishing attacks.
An effective password manager should also be configurable to generate the One Time Passwords (OTPs) for the applications being accessed and to automate their entry as part of the login process, removing friction for users.
This feature also reduces the risk of login details being compromised by leavers after they exit the enterprise since they are not aware of the passwords being used.
Impact of Not Having This Feature
If users can see the passwords for applications and services this creates vulnerability to phishing attacks as users could potentially disclose passwords to malicious, spoofed websites. Furthermore, when leavers exit the enterprise, they will potentially retain the passwords to corporate applications and data, long after they have left the organisation opening a further data breach vector. Phishing risks can be eliminated if your solution hides the passwords from the workforce that use them.
Frequently, employees may need to access multiple accounts for the same application. Examples of this could be marketing teams accessing multiple social media accounts or IT teams accessing services using accounts with different permission levels. A password manager that facilitates easy switching between multiple identities used for a single application is essential to cater for these more complex use cases within enterprises.
Impact of Not Having This Feature
If your password manager does not support the ability for users to easily switch between multiple accounts on applications and services, this will create significant user friction and potentially lead to them circumventing the password manager in favour of less secure, more convenient ways of addressing the issue, creating additional cyber security risks.
When access to accounts and services needs to be shared between users and teams, it is important to ensure that appropriate security and governance is maintained. Your enterprise password manager should enable the secure sharing of credentials with specific permissions associated (i.e. read, write, update, view, allow onward sharing etc.), meaning effective governance and control is maintained without compromising on efficiency or user experience. This type of feature is critical for teams where multiple users require access to the same set of credentials.
Impact of Not Having This Feature
If your password manager does not permit users to share credentials using granular permissions, there is a risk that passwords could be shared, forwarded or copied to recipients using insecure methods. There is a further risk that passwords could therefore be shared without any governance or audit trail.
Any effective Enterprise Password Manager should be able to provide a full audit trail of who accessed what system and when to help support compliance and any retrospective investigation following a security incident. The Enterprise Password Manager should provide canned and customised reporting options that can be interrogated locally, exported, or linked directly to the enterprise SIEM solution for analysis and aggregation with other events.
Impact of Not Having This Feature
Without this feature your firm could be faced with compliance issues as a result of being unable to provide a clear audit trail of who accessed which system (i.e. if multiple users share access to accounts) at any time.
Enterprise password managers that can discover the apps being used by employees and, if required, learn the credentials for them expedite time-to-value by reducing setup effort whilst detecting shadow IT. These apps can then be added to the enterprise password manager with the click of a button, ensuring there are minimal barriers to usage and fewer residual security ‘blind spots’ for the enterprise.
Impact of Not Having This Feature
Without this feature your enterprise is likely to be exposed to additional cyber security risks as a result of the workforce using non-core, external web applications to store corporate data that the IT team are unaware of. With this feature, these shadow-IT risks can be managed by your enterprise password manager.
Credentials for some critical applications and systems will potentially have a higher risk profile that necessitates additional security before they are made available to users. Your enterprise password manager should provide the capability to apply application-specific policies for step-up and Multi-Factor Authentication. Step-up will require the user to re-authenticate with the corporate directory before the credentials are made available to the user, whereas Multi-Factor will require the MFA challenge to be satisfied before the credentials are made available.
Impact of Not Having This Feature
Without this feature your enterprise will be unable to apply a level of enhanced (step-up or MFA) authentication for users accessing specific applications that contain more critical data, creating potential compliance risks.
An enterprise password manager needs several critical features to deliver value and guarantee return on investment. Being secure goes without saying, but it is also critical that the user experience is unobtrusive and frictionless so there are minimal barriers to workforce adoption of the product. This will maximise your return on investment. Hopefully these ten critical features will provide a great starting point for your evaluation of enterprise password managers, but do look out for value-added benefits such as the ability to eliminate phishing risks and the ability to integrate desktop applications.
If you’d like to understand how My1Login can help please don’t hesitate to get in touch.