
What is Enterprise Password Management (EPM)?

Enterprise password managers play a crucial role in improving cybersecurity posture, reducing the risk of data breaches, and ensuring efficient and secure access management within organisations. In this whitepaper, we will discuss what an enterprise password manager is, how they work, and what makes them unique.

In its most basic form, an Enterprise Password Manager is software that enables users to store and retrieve usernames, passwords, and other information securely. Core functionality is similar to that found in consumer password management products; however, an Enterprise Password Manager will typically include additional, more complex enterprise functionality that provides centralised administration and governance. In addition, it is likely to integrate with the organisation’s corporate directory and provide advanced functionality such as password policy enforcement that can update users’ passwords on external applications. Enterprise Password Managers also typically include the ability to securely share passwords between users and/or groups, with full audit trails of who accessed what and when they did so, providing non-repudiation of access.

History of EPM

So, how have enterprise password managers evolved to become the products that exist today?

Originally, passwords were managed by memorising them or simply writing them down, so it is reasonable to assume that the first computerised method of managing passwords was an electronic extension of this using a text file or spreadsheet of some sort.

However, first-generation, purpose-built, mainstream password managers for consumers initially appeared around the year 2000. These were in the form of Internet Explorer’s ability to remember usernames and passwords previously used to access some websites, and others in the form of Windows desktop applications.

Both the browser and desktop application approaches enabled local storage of credentials, offering an abundance of user convenience, but only the Windows desktop applications placed specific focus on using encryption to protect the stored credentials at rest. To do this, some products used symmetric encryption with the publicly documented Blowfish algorithm, which provided a reasonably good level of protection for stored data, with the encryption and decryption process triggered by a user’s single “master password”.

These typically fulfilled single user use-cases and were largely geared at the consumer market with the Windows desktop products catering to the needs of more technically literate users.

The second half of the 2000s saw the release of second-generation products that were purpose-built to cater to some of the more complex enterprise use-cases. These were typically heavy-duty, deeply embedded products providing enterprises with rich privileged account management functionality, but they often required extensive development work and API integration to configure and deploy. Usability was not at the top of the priority list with these products, but they were often deployed in critical finance and technology functions within enterprises in order to protect, manage, and audit access to critical applications and services.

From around the 2010s, third-generation products emerged that essentially extended the usability and security offered by consumer password managers to include some of the enterprise functionality associated with the privileged account management products. Examples of this functionality would be the ability to synchronise users with the corporate directory, and the ability to share specific passwords with users and groups of users. The most secure products offered this functionality whilst retaining the encryption approach used by the consumer password managers i.e. the user’s account on the enterprise password manager was also encrypted by a “master password”.


The Latest Generation of Enterprise Password Managers

In the 2020s, enterprise password managers have evolved significantly to address the growing complexity of cybersecurity threats and the increasing demand for seamless and secure access management solutions. Modern enterprise password managers offer a range of essential features to meet the evolving needs of organisations. Below are the 10 essential features you should look for in modern enterprise password managers.

1. Zero Sign-in to the Enterprise Password Manager to Reduce User Friction

One purpose of a password manager is to make things easier for employees, not to give them yet another password to remember. An enterprise password manager that integrates with your corporate directory means no sign-in is required to the password manager itself. This creates a frictionless user experience and guarantees user adoption since the user does not have to take any action to engage with the enterprise password manager.

2. Zero User Interface Option to Guarantee Adoption

For widespread enterprise use, choose an enterprise password manager that can be configured to run silently in the background providing users with access to the passwords they need at the time when they need them. An enterprise password manager that can present the relevant passwords to the application or service at the point the user is attempting to access it means no training is required, which in turn means significantly higher adoption and greater security benefits.

3. Password Policy Enforcement on External Apps to Mitigate Brute Force and Password Re-use Risks

Enterprise password managers now extend their policy enforcement capabilities beyond internal applications to include external, cloud-based services and third-party applications. This ensures consistent enforcement of password policies across all platforms, mitigating the risk of security breaches.

4. Zero Knowledge Encryption for Greatest Security

Zero Knowledge Encryption means that no one outside your enterprise can access your stored passwords – not even the vendor of the enterprise password manager. When using cloud-based enterprise password managers, this is achieved by ensuring the encryption keys that protect customers’ data remain inside the secure perimeter of the customer’s enterprise network. This is crucial in giving your organisation complete control and eliminating a potential security risk – ask the vendor of the Enterprise Password Manager where the encryption takes place and whether they have any access to the keys that protect your data.

5. Eliminates Phishing Risks by Providing Single Sign-On with Passwords Hidden

Allowing easy, one-click access to apps by automatically filling login forms completes the journey towards an unobtrusive user experience, making the copying and pasting of credentials from the password manager largely unnecessary, mitigating user friction and increasing productivity. However, for the greatest effectiveness, you can eliminate password phishing risks by using an enterprise password manager that supports Single Sign-On for applications and services where the passwords are hidden from the users. This allows the workforce to access applications without knowing the passwords being used, meaning they are unable to disclose any credentials in response to phishing attacks.

This feature also reduces the risk of login details being compromised by leavers after they exit the enterprise since they are not aware of the passwords being used.

6. Multiple Credentials per App

Frequently, employees may need to access multiple accounts for the same application. Examples of this could be marketing teams accessing multiple social media accounts or IT teams accessing services using accounts with different permission levels. A password manager that facilitates easy switching between multiple identities used for a single application is essential to cater for these more complex use-cases within enterprises.

7. Sharing of Credentials with Fine-Grained Permissions

When access to accounts and services needs to be shared between users and teams, it is important to ensure that appropriate security and governance are maintained. Your enterprise password manager should enable the secure sharing of credentials with specific permissions attached (i.e. read, write, update, view, allow onward sharing, etc.), meaning effective governance and control are maintained without compromising on efficiency or user experience. This type of feature is critical for teams where multiple users require access to the same set of credentials.

8. Full Audit Trail and Integration with Security Information and Event Management (SIEM) Solutions

Any effective Enterprise Password Manager should be able to provide a full audit trail of who accessed what system and when to help support compliance and any retrospective investigation following a security incident. The Enterprise Password Manager should provide canned and customised reporting options that can be interrogated locally, exported, or linked directly to the enterprise SIEM solution for analysis and aggregation with other events.

9. Optional Ability to Discover Applications and Learn Credentials

Enterprise password managers that can discover the applications being used by employees and, if required, learn the credentials for these expedite time-to-value by reducing setup effort whilst detecting Shadow IT. These apps can then be added to the enterprise password manager with the click of a button, ensuring there are fewer residual security ‘blind spots’ for the enterprise.

10. Policy-based, Application-specific Step-up and Multi-Factor Authentication

Credentials for some critical applications and systems will potentially have a higher risk profile that necessitates additional security before they are made available to users. Your enterprise password manager should provide the capability to apply application-specific policies for step-up and Multi-Factor Authentication. Step-up will require the user to re-authenticate with the corporate directory before the credentials are made available to the user, whereas Multi-Factor will require the MFA challenge to be satisfied before the credentials are made available.

An enterprise password manager needs several critical features to deliver value and guarantee return on investment. Being secure goes without saying, but it is also critical that the user experience is unobtrusive and frictionless so there are minimal barriers to workforce adoption of the product. This will maximise return on investment for the enterprise. The ten critical features above will provide a great starting point for your evaluation of enterprise password managers, but do look out for value-added benefits such as the ability to eliminate phishing risks and the ability to integrate desktop applications.

How Does an Enterprise Password Manager Work?

My1Login, like many enterprise password managers, operates on several key principles to provide secure and efficient password management for organisations.

Enterprise password managers serve as a centralised repository for storing all passwords and login credentials used within an organisation. These credentials are securely encrypted and stored in a centralised database, accessible only to authorised users with appropriate permissions.

Once the user has authenticated with the corporate directory, the enterprise password manager then integrates with various applications and systems used in the organisation, allowing users to access these without any further authentication if required. Alternatively, the enterprise password manager can be configured to invoke application-specific step-up and multi-factor authentication challenges that need to be satisfied by users before releasing credentials or application access to the user. This enhances user convenience and productivity while maintaining security through centralised authentication and audit trails of access to credentials.

Strong authentication mechanisms can also be used to verify the identity of users accessing the enterprise password manager itself. This may include additional multi-factor authentication (MFA), biometric authentication, or other advanced authentication methods to ensure secure access. However, market leading products integrate with the corporate directory in such a way that users don’t have to re-authenticate with the enterprise password manager if they have already authenticated with the directory.

With many products, the user can generate strong, unique passwords for each account and manage them securely via the enterprise password manager. Complex passwords can be automatically generated, stored securely, and updated regularly as per the organisation's password policies. Again, the leading products can take this several steps further by enabling administrators to set central, application-specific password policies. The enterprise password manager can then enforce these policies by automatically generating and updating users’ passwords on external applications. This ensures user passwords are long, random, and complex, mitigating brute force risks. Furthermore, these newly updated passwords can be hidden from the users to eliminate the risk of them being phished.

Administrators are then able to define user roles and permissions, controlling access to sensitive passwords and resources based on user roles, groups, or other criteria such as time of day or day of week. This ensures that only authorised individuals or groups can access specific information.

Most enterprise password management solutions include auditing and reporting capabilities allowing administrators to track user activity, monitor access to sensitive resources, and generate compliance reports. This helps organisations demonstrate adherence to security standards and regulatory requirements.

My1Login’s enterprise password management solution extends its password management capabilities to include external cloud-based services and third-party applications. It enforces password policies and provides secure access to these external applications, enhancing overall security posture and hiding passwords from users to prevent phishing attacks, reducing the risk of security breaches.

Overall, enterprise password management works by centralising password management, integrating with various applications, enforcing security policies, and providing secure access to resources, all while enabling user convenience and compliance with security standards.

How Do Enterprise Password Managers Differ From Consumer Products?

Enterprise password managers differ from consumer products in several key ways, primarily to meet the unique needs and security requirements of businesses with large teams and strict data protection requirements. Below are a few of the ways in which an enterprise password manager such as My1Login differs from consumer products.

Encryption

Some encryption models are not as secure as others and various factors affect their robustness and effectiveness in protecting data. They may use weak or outdated encryption algorithms that are vulnerable to cryptographic attacks, or utilise poor key management practices that undermine the security of encryption.

If an encryption model relies on pseudorandom number generators (PRNGs) with insufficient entropy or randomness, it may produce predictable encryption keys or ciphertexts. Attackers can exploit predictable patterns in encrypted data to mount attacks such as statistical analysis or ciphertext manipulation.

Traditional encryption models based on classical cryptographic principles may be vulnerable to attacks from quantum computers, which have the potential to break widely-used encryption algorithms such as RSA and ECC (Elliptic Curve Cryptography).

In some cases, encryption models may contain intentional backdoors or weaknesses introduced by design, either for law enforcement purposes (e.g. government-mandated backdoors) or due to unintentional design flaws. These backdoors or weaknesses can be exploited by malicious actors to bypass encryption protections and access encrypted data.

Encryption techniques used within enterprise password managers employ stronger encryption algorithms compared to typical consumer products. While consumer products might use standard encryption algorithms like AES (Advanced Encryption Standard), enterprise password managers utilise more robust encryption techniques such as AES with larger key sizes or additional encryption layers to provide enhanced security. They often also offer customisation options such as the ability to define encryption key management policies, integrate with enterprise key management systems, or enforce encryption standards mandated by industry regulations.

Security

Multi-factor authentication (MFA) significantly enhances the security of enterprise password managers compared to similar consumer products. MFA adds an additional layer of security beyond just a password. By requiring users to provide two or more forms of verification, such as a password combined with a one-time code sent to their mobile device or a biometric scan, MFA significantly reduces the likelihood of unauthorised access.

Consumer products often rely solely on passwords for authentication, making them vulnerable to various password-based attacks, such as brute-force attacks, credential stuffing, and password phishing. MFA mitigates these risks by adding an additional authentication factor that is not easily compromised, reducing the likelihood of successful attacks.

IP filtering also enhances the security features of enterprise password managers compared to consumer products. With IP filtering, enterprise password managers can restrict access to specific IP addresses or ranges, allowing only users from authorised locations to access sensitive resources. This prevents unauthorised access attempts from unknown or suspicious locations, reducing the risk of unauthorised account access and data breaches.

Consumer products often lack IP filtering capabilities, leaving accounts vulnerable to remote attacks from anywhere in the world. In contrast, enterprise password managers with IP filtering can block access from IP addresses associated with known malicious actors or regions with high cybercrime rates, providing an additional layer of defence against remote attacks.

SSO integration

Single Sign-On (SSO) integration significantly enhances the security benefits of enterprise password managers compared to consumer products in several ways.

Firstly, SSO integration reduces the number of passwords users need to remember, which helps mitigate password fatigue. When users have fewer passwords to manage, they are less likely to resort to insecure practices such as using weak passwords or writing them down.

Secondly, SSO integrates with an organisation's identity provider, allowing users to authenticate once and gain access to multiple applications and systems seamlessly. This centralised authentication process ensures that users are authenticated against a trusted identity source, reducing the risk of unauthorised access.

Users no longer have to type, or even know, the passwords that are being used to authorise their access to various applications.

SSO enables many other major advantages, including: support for a wide range of strong authentication methods such as multi-factor authentication (MFA), biometric authentication, and hardware tokens; granular access control based on user roles, groups, or attributes; centralised management and auditing capabilities; and session management features that allow administrators to enforce session timeouts, revoke sessions remotely, and monitor active sessions in real time.

Leading Enterprise Password Managers can also automate the entry of One Time Passwords (OTPs) when applications prompt the user for these as part of an MFA challenge.

What Are The Business Benefits of Enterprise Password Managers?

Enterprise password managers offer significant benefits to organisations looking to improve their overall security and implement a system that enables the workforce to comply with company policies. The main business benefits of enterprise password managers are:

Enhanced security

Enterprise password managers use strong encryption techniques to protect sensitive passwords and login credentials. They also enforce password policies on external applications, support multi-factor authentication (MFA), and provide centralised access control, reducing the risk of unauthorised access and data breaches.

Improved productivity

By centralising workforce password management and providing single sign-on (SSO) capabilities, enterprise password managers streamline the login process for users. This saves time and reduces the frustration of having to remember multiple passwords, leading to increased productivity.

Compliance with regulations

Many industries and regulatory frameworks require organisations to implement robust security measures to protect sensitive data. Enterprise password managers help organisations comply with these regulations by enforcing password policies, providing audit trails, and facilitating secure access management.

Reduced IT support costs

With self-service password reset features and centralised password management, enterprise password managers reduce the burden on IT support teams. Users can reset their passwords independently, reducing the number of helpdesk tickets related to password issues and lowering IT support costs.

Centralised access control

Enterprise password managers enable administrators to enforce granular access control policies based on user roles, groups, or attributes. This ensures that users have access only to the resources and applications they are authorised to use, reducing the risk of unauthorised access.

Improved user experience

By providing single sign-on capabilities and seamless access to applications, enterprise password managers improve the user experience. Users no longer need to remember multiple passwords or log in repeatedly, leading to higher user satisfaction and improved morale.

Implementing an Enterprise Password Manager

Implementing an enterprise password manager involves several key steps to ensure successful deployment and adoption across the organisation.

Start by assessing your organisation's password management needs, including the number of users, types of applications and systems used, security requirements, compliance considerations, and budget constraints. Based on this assessment, research and evaluate different enterprise password manager solutions to find one that best fits your organisation's requirements.

Develop a detailed implementation plan that outlines the steps, timeline, and resources required to deploy the chosen enterprise password manager solution. Your chosen provider should be able to help you with this plan, and, depending on the solution, automate much of the application audit and discovery for you. Identify key stakeholders, assign roles and responsibilities, and establish clear communication channels to ensure smooth execution of the implementation process.

Before deploying the enterprise password manager, ensure that your IT infrastructure meets the necessary requirements. This may involve updating software, patching vulnerabilities, and configuring network settings to support the password manager's integration with existing systems and applications; however, this is less of a dependency for cloud-based enterprise password managers.

Once deployed, define and configure security policies and settings within the enterprise password manager to align with your organisation's security requirements. This includes setting password complexity requirements, defining access control policies, enabling multi-factor authentication (MFA), and where supported, enforcing password policies on external applications.

Integrate the enterprise password manager with your organisation's existing corporate directory and applications to enable seamless access management and provide comprehensive training and support to users to ensure the successful adoption of the enterprise password manager.

You might want to roll out the enterprise password manager in phases or groups, starting with pilot testing, optimising configuration of the user experience, and gradually expanding to larger user groups or departments. This allows you to monitor the rollout process closely, gather feedback from users, and address any issues or challenges that arise during deployment.

The work doesn’t stop once you have deployed your enterprise password manager. You should continuously monitor the performance and security of the enterprise password manager and regularly review access logs, audit trails, and security reports to detect and respond to any security incidents or compliance violations. Keep the password manager up to date with software updates and patches to ensure optimal performance and security.

Periodically evaluate the effectiveness of the enterprise password manager implementation against your organisation's goals and objectives. Solicit feedback from users and stakeholders, identify areas for improvement, and implement changes as needed to enhance the overall effectiveness and efficiency of password management processes.

By following these steps, you can successfully implement an enterprise password manager and improve password security, access management, and overall cybersecurity posture within your organisation.

How My1Login Enables Organisations to Implement an Enterprise Password Manager

My1Login reduces the IT administration effort required to deploy an enterprise password manager by:

  • automating the process of application audit and discovery
  • enabling centralised policies to automatically learn and store user credentials for critical applications
  • being deployed “silently” in the background meaning no workforce training is required

The above benefits guarantee user adoption and accelerate time to value for the enterprise.

In addition, My1Login’s enterprise password manager can provide integrated Single Sign-On (SSO) for web and Windows desktop executable applications. Centralised policies can also be configured within My1Login that automatically enforce password policies for user accounts on external applications.

Other key features of My1Login include:

  • Client-side (Zero Knowledge) encryption, meaning only customers can access their passwords
  • Ability to securely share access to specific identities and passwords with individuals, teams, and partners
  • Ability to apply fine-grained permissions to passwords that are shared (e.g. read, write, update, onward share, delete, etc.)
  • Ability to hide passwords from users to prevent them being phished
  • Automatic enforcement of password policies on external applications for all users
  • Ability to apply application-specific, step-up, and multi-factor authentication policies before releasing credentials to users
  • Password sharing on an admin-to-user and user-to-user basis (where permitted)
  • Automatic entry of One Time Passwords (OTPs) when applications prompt the user for these

My1Login: Key Features and Benefits Explained

Reduce User Friction with Zero Sign-in to the Enterprise Password Manager

My1Login integrates with the corporate directory so users do not have to sign in to the enterprise password manager, and this guarantees full workforce adoption of the product.

Guaranteed Adoption with Zero User Interface Deployment

My1Login’s Enterprise Password Manager can be configured to run silently in the background, providing users with access to the passwords they need at the time when they need them. Login credentials are presented to the user at the point they attempt to access an application, meaning no training is required, which in turn means adoption and use of My1Login can be guaranteed, providing greater security benefits.

Integrated SSO Without Revealing Credentials to Eliminate Phishing

My1Login’s Enterprise Password Manager can provide Single Sign-On to automatically log users into applications that use credential-based authentication. This enables passwords to be hidden from users on the system, meaning users can be authenticated with applications and services without having visibility of the passwords. This mitigates the risk of leavers exiting the business and retaining access to login credentials, and the risk of phishing, since if users do not know the passwords they cannot be successfully phished.

Zero Knowledge Encryption for Maximum Security

My1Login utilises Zero Knowledge Encryption, which means that no-one outside your enterprise can access your stored passwords – not even My1Login. This is critical in eliminating a potential security risk. My1Login encrypts your stored data client-side, within your corporate environment, using encryption keys that are only available inside the secure perimeter of your enterprise network.

Multiple Credentials per Application

Many use-cases necessitate users having to switch between multiple user accounts on a single application. My1Login’s Enterprise Password Manager facilitates easy switching between multiple accounts on applications either by presenting a searchable list of available identities on the web page of the application or by presenting these as available icons within the user’s My1Login account.

Ability to Discover Applications and Learn Credentials

My1Login’s Enterprise Password Manager can be configured to discover the apps being used by the workforce and, if required, learn the credentials for these. This expedites My1Login’s time-to-value by reducing setup effort whilst detecting Shadow IT risks across the workforce. These applications and identities can then be easily integrated with My1Login for SSO at the click of a button, meaning fewer residual security ‘blind spots’ for the enterprise.

Application-specific Step-up and Multi-Factor Authentication Policies

My1Login provides the capability to apply application-specific policies for step-up and Multi-Factor Authentication before releasing credentials for consumption by a user or application. Step-up will require the user to re-authenticate with the corporate directory before making the credentials available whereas Multi-Factor will require the MFA challenge to be satisfied before making the credentials available for use.

Full Audit Trail and Integration with Security Information and Event Management (SIEM) Solutions

My1Login’s Enterprise Password Manager can provide a full audit trail of who accessed what system and when they did so, to help support compliance and any retrospective investigation following a security incident. Canned and customised reports are available that can be interrogated locally, exported, or linked directly to the enterprise SIEM solution for analysis and aggregation with other events.

Temporal Access

Where credentials are shared with individuals or groups, My1Login’s Enterprise Password Manager can enable this on a time and date basis. Temporal access policies can be configured to only permit the release of credentials for specific applications between specified dates, on specific days, and within specified times.
