As the workforce adopts more and more cloud applications, they also need to keep track of more and more passwords. Managing so many sets of credentials can often lead to poor security practices, such as weak or reused passwords, or passwords being stored without any security controls. These challenges are compounded within accountancy firms, where there is often a need to share passwords for some systems with multiple individuals or teams. Examples of such systems might be User IDs and passwords for HMRC (i.e. Government Gateway and Agent Services Accounts), or the login details for a multitude of different accountancy, banking, and payroll applications used by the firm’s clients.
Typically, these login details are stored in unsecured locations, such as documents or spreadsheets saved on the company servers so that multiple members of the workforce can access them if required. Not only does this create a substantial security risk for the firm, it also creates a potential compliance headache, since there is no audit trail of which member of the workforce accessed or used these login details, or when. Furthermore, if someone changes the password for an account that is shared between individuals or teams and other users attempt to log in with the old password, every user of that account can be locked out. With services such as Government Gateway, this can leave the service inaccessible to everyone for an extended period while the password reset process is followed and the new login details are communicated across the team.
An enterprise password manager enables accountancy firms to achieve compliance and eliminate risk by enforcing password security policies whilst providing the workforce with simple and secure access to applications.
However, there are a wide range of products on the market and some of the features they offer can have a significant impact on user adoption and therefore on your return on investment from the product. The wrong product can leave security ‘blind spots’ or fundamentally fail to deliver on some of the key requirements for accountancy firms. So, here is our round-up of the ten critical features to consider when deciding which enterprise password manager is right for your firm, together with the impact of not having these features in your chosen solution.
1. One-click Access to Critical Accountancy Applications e.g. Government Gateway
Some websites and applications don’t permit one-click launch direct to their login page. For example, HMRC’s Government Gateway only permits access to the sign in page after it has been launched from another page on the Government Gateway website. The web address of the sign in page for Government Gateway is:
https://www.access.service.gov.uk/login/signin/creds
However, if you try to access this link directly, the Government Gateway website will show an error. This creates a problem for most password managers as this web address will typically be stored by the password manager and launched when the user attempts to access Government Gateway. Users will then be faced with an error message which they have to work around.
Make sure your enterprise password manager supports direct, one-click access and single sign-on to key applications such as Government Gateway.
Impact of Not Having This Feature
Failing to provide effective one-click integration with critical accountancy applications and services such as Government Gateway creates friction for accountants and wastes time. Most password managers will automatically learn a Government Gateway URL that returns an error when users attempt to launch it from the password manager. This unreliability erodes user confidence and can lead to the workforce circumventing the system altogether, which undermines most of the security benefits.
2. Zero Sign-in to the Enterprise Password Manager to Reduce User Friction
One purpose of a password manager is to make things easier for the workforce, not to give them yet another password to remember. An enterprise password manager that integrates with your corporate directory means no sign-in is required to the password manager itself. This creates a frictionless user experience and guarantees user adoption since the user does not have to take any action to engage with the enterprise password manager.
Impact of Not Having This Feature
If the password manager requires the user to manually log in or authenticate with it, this creates a barrier to usage and adoption. This reduces the effectiveness of the solution and leaves the organization exposed to cyber security risks as the user adoption cannot be guaranteed.
3. Zero User Interface Option to Guarantee Adoption
For widespread enterprise use, choose an enterprise password manager that can be configured to run silently in the background providing users with access to the passwords they need at the time when they need them. An enterprise password manager that can present the relevant passwords to the user at the point they are attempting to access an application means no training is required, which in turn means significantly higher adoption and greater security benefits.
Impact of Not Having This Feature
If the password manager requires the user to interact with it via a user interface, this typically involves training. If users need to be trained on a system, this creates a further barrier to usage and adoption, and many will revert to their previous way of working, e.g. relying on passwords stored in documents or making passwords simple and easy to remember. All of this undermines the intended security benefits of a password solution.
4. Sharing of Credentials with Granular Permissions
When access to accounts and services needs to be shared between users and teams, it is important to ensure that appropriate security and governance are maintained. Your enterprise password manager should enable the secure sharing of credentials with specific permissions attached (e.g. read, write, update, view, allow onward sharing), so that effective governance and control are maintained without compromising efficiency or user experience. This type of feature is critical for accountancy firms, where multiple users require access to the same set of credentials (e.g. for Government Gateway).
Impact of Not Having This Feature
If your password manager does not permit users to share credentials using granular permissions, there is a risk that passwords will be shared, forwarded, or copied to recipients using insecure methods, and therefore without any governance or audit trail.
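The governance point above is easiest to see in code: a share should be possible only for someone who holds the share permission, and only for permissions the sharer holds themselves, so a chain of onward shares can never widen access. The following is an added example written for this page, not code from the article or from any product; the permission names follow the article's list, while the Vault class, the user names and the credential id are constructed.

```python
"""Added example (not from the original article): credential sharing with
granular permissions where onward sharing can never widen access.

The permission names (read, write, update, view, share) follow the article's
list; the Vault class, user names and credential id are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

READ, WRITE, UPDATE, VIEW, SHARE = "read", "write", "update", "view", "share"
ALL_PERMISSIONS = frozenset({READ, WRITE, UPDATE, VIEW, SHARE})


@dataclass
class Vault:
    # credential_id -> {user -> set of permission names}
    grants: dict = field(default_factory=dict)
    # append-only record of every grant change and every refused share
    audit: list = field(default_factory=list)

    def create(self, credential_id: str, owner: str) -> None:
        """Store a credential; its creator holds every permission."""
        if credential_id in self.grants:
            raise ValueError(f"{credential_id} already exists")
        self.grants[credential_id] = {owner: set(ALL_PERMISSIONS)}
        self._log(owner, "create", credential_id, ALL_PERMISSIONS, owner)

    def permissions(self, credential_id: str, user: str) -> frozenset:
        return frozenset(self.grants.get(credential_id, {}).get(user, set()))

    def share(self, credential_id: str, grantor: str, grantee: str, permissions) -> frozenset:
        """Grant `permissions` to `grantee` on behalf of `grantor`.

        Two checks enforce governance: the grantor must hold SHARE, and may
        only pass on permissions they hold themselves. Refusals are logged too,
        because a denied share is itself something an auditor wants to see.
        """
        wanted = frozenset(permissions)
        unknown = wanted - ALL_PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        held = self.permissions(credential_id, grantor)
        if SHARE not in held or not wanted <= held:
            self._log(grantor, "share_denied", credential_id, wanted, grantee)
            raise PermissionError(
                f"{grantor} cannot grant {sorted(wanted)} on {credential_id}")
        self.grants[credential_id].setdefault(grantee, set()).update(wanted)
        self._log(grantor, "share", credential_id, wanted, grantee)
        return self.permissions(credential_id, grantee)

    def revoke(self, credential_id: str, actor: str, user: str) -> None:
        """Remove all of `user`'s permissions; requires SHARE on the credential."""
        if SHARE not in self.permissions(credential_id, actor):
            raise PermissionError(f"{actor} may not revoke on {credential_id}")
        removed = self.grants[credential_id].pop(user, set())
        self._log(actor, "revoke", credential_id, removed, user)

    def _log(self, actor, action, credential_id, permissions, subject) -> None:
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "credential": credential_id,
            "permissions": sorted(permissions), "subject": subject,
        })


def demo() -> dict:
    """Walk through a typical sharing chain; returns the outcomes for checking."""
    vault = Vault()
    cred = "hmrc-gateway-clientA"   # constructed credential id
    vault.create(cred, "practice-admin")
    vault.share(cred, "practice-admin", "team-lead", {READ, VIEW, SHARE})
    outcomes = {"lead_cannot_widen": False, "junior_cannot_share": False}
    # The team lead may pass on what they hold (read/view) ...
    outcomes["lead_can_pass_read"] = vault.share(cred, "team-lead", "junior", {READ, VIEW}) == {READ, VIEW}
    # ... but not UPDATE, which they were never given.
    try:
        vault.share(cred, "team-lead", "junior", {UPDATE})
    except PermissionError:
        outcomes["lead_cannot_widen"] = True
    # The junior has no SHARE permission, so onward sharing stops there.
    try:
        vault.share(cred, "junior", "contractor", {READ})
    except PermissionError:
        outcomes["junior_cannot_share"] = True
    outcomes["audit_entries"] = len(vault.audit)
    return outcomes
```

The subset check (`wanted <= held`) is the part that matters: without it, a user holding only read access could grant update rights to a colleague, and the audit trail would show a legitimate-looking share.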
5. Multiple Credentials per App
Frequently, employees need to access multiple accounts for the same application. Examples might be accountants who require access to multiple client Government Gateway accounts, HMRC Agent Services Accounts for different offices, client bank accounts, or accounting systems. A password manager that makes it easy to switch between multiple identities for a single application is essential to cater for these more complex use cases within accountancy firms.
Impact of Not Having This Feature
If your password manager does not let users easily switch between multiple accounts on an application or service, this will create significant user friction and may lead them to circumvent the password manager in favour of less secure but more convenient workarounds, adding further cyber security risk.
6. Provides Single Sign-On with Passwords Hidden to Eliminate Phishing Risks
Allowing easy, one-click access to apps by automatically filling login forms completes the journey towards an unobtrusive user experience: copying and pasting credentials from the password manager becomes largely unnecessary, which reduces user friction and increases productivity.
However, for the greatest effectiveness, you can eliminate password phishing risks by using an enterprise password manager that supports Single Sign-On for applications and services where the passwords are hidden from the users. This allows the workforce to access applications without knowing the passwords being used, meaning they are unable to disclose any credentials in response to phishing attacks.
This feature also reduces the risk of login details being compromised by leavers after they exit the firm since they are not aware of the passwords being used. This is critical within accountancy firms where high numbers of individuals are sharing access to the same User IDs and passwords for applications and services e.g. Government Gateway.
Impact of Not Having This Feature
If users can see the passwords for applications and services this creates vulnerability to phishing attacks as users could potentially disclose passwords to malicious, spoofed websites. Furthermore, when leavers exit the firm, they will potentially retain the passwords to corporate services i.e. Government Gateway accounts, long after they have left the firm opening a further data breach vector. Phishing risks can be eliminated if your solution hides the passwords from the workforce that use them.
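The mechanism that makes hidden-password single sign-on phishing-resistant is origin binding: the manager fills a credential only when the page's origin exactly matches the origin stored with it, so a spoofed or lookalike site is simply offered nothing. The example below, written for this page and not taken from the article or any product, shows that check and goes one step beyond section 6 by returning every identity stored for the matching origin, which is the multiple-credentials-per-app case from section 5. The vault entries and usernames are constructed; the Government Gateway sign-in URL is the one quoted in section 1.

```python
"""Added example (not from the original article): origin-bound autofill.

Credentials are offered only for an exact, HTTPS origin match. The vault
entries below are constructed; the Government Gateway URL is the one the
article quotes.
"""
from typing import List, Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def canonical_origin(url: str) -> Optional[str]:
    """Return 'scheme://host[:port]' for a URL, or None if it has no usable origin.

    urlsplit().hostname strips any user@ prefix and lowercases the host, so
    'https://www.access.service.gov.uk@evil.example/' resolves to evil.example,
    and a punycode lookalike domain is a different hostname string and fails
    the exact comparison.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in DEFAULT_PORTS or not host:
        return None
    host = host.rstrip(".")          # 'example.com.' is the same host as 'example.com'
    try:
        port = parts.port            # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


# Constructed vault. The password itself is never handed to the UI: each entry
# carries an opaque handle that the fill component resolves internally, so the
# user sees usernames to choose from and never the secret.
VAULT = [
    {"origin": "https://www.access.service.gov.uk", "username": "agent-office-a", "handle": "sec:1"},
    {"origin": "https://www.access.service.gov.uk", "username": "agent-office-b", "handle": "sec:2"},
    {"origin": "https://payroll.example.net", "username": "clientB-payroll", "handle": "sec:3"},
]


def credentials_for(page_url: str, vault=VAULT) -> List[dict]:
    """All identities stored for exactly this origin (several per app is normal).

    Only HTTPS pages qualify, so a downgraded http:// copy of the sign-in page
    gets nothing even when the hostname matches.
    """
    origin = canonical_origin(page_url)
    if origin is None or not origin.startswith("https://"):
        return []
    return [e for e in vault if canonical_origin(e["origin"]) == origin]


def usernames_offered(page_url: str, vault=VAULT) -> List[str]:
    """What the user gets to pick between; the passwords stay inside the vault."""
    return sorted(e["username"] for e in credentials_for(page_url, vault))
```

Note what is deliberately absent: no substring or "ends with" matching on the hostname, and no fallback to the top-level domain. Those conveniences are exactly what a phishing page on a similar-looking hostname exploits.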
7. Password Policy Enforcement to Mitigate Brute Force and Password Re-use Risks
Use a password manager that can enforce password policies on external applications and websites without the need for an API. Your password manager should be able to generate strong, random passwords and automatically update these for users on their external applications. It’s also important that the solution can provide real-time synchronisation of these newly updated passwords to ensure that, where passwords are shared with other users and groups, all permitted users have immediate access to the updated credentials.
This provides a significant level of protection against external services being compromised as a result of brute force attacks on weak passwords and memorable passwords that may have been chosen by end users. It also protects against the risks of passwords being re-used across multiple applications by creating unique, random, high-entropy passwords.
Impact of Not Having This Feature
Without this feature, the firm is exposed to the risk of the workforce setting simple, easy-to-remember passwords that could be guessed, brute-forced, or discovered if they are reused on another application, all of which leaves the firm at increased risk of a data breach.
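Two of the capabilities described in section 7 can be shown concretely: generating passwords from a cryptographic random source with a measurable entropy floor, and finding credentials that are reused across applications so they can be rotated. The block below is an added example written for this page using only the Python standard library; it is not code from the article or from any product, and the policy numbers (16-character minimum, 100-bit floor) and the sample vault are illustrative choices, not figures the article gives.

```python
"""Added example (not from the original article): policy-driven password
generation and reuse detection as a password manager would perform them.

`secrets` is the standard-library CSPRNG. The policy thresholds and the
sample vault are constructed for illustration.
"""
import math
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def meets_policy(password: str, min_length: int = 16) -> bool:
    """Length floor plus at least one character from every class."""
    if len(password) < min_length:
        return False
    return all(any(c in cls for c in password) for cls in CLASSES)


def generate_password(length: int = 20, min_bits: float = 100.0) -> str:
    """Random password that satisfies meets_policy() and the entropy floor.

    The class requirement rejects a small fraction of candidates, which costs
    a fraction of a bit of entropy; the floor is checked on the unconstrained
    figure, so keep a margin above it.
    """
    if entropy_bits(length, len(ALPHABET)) < min_bits:
        raise ValueError(f"{length} characters give too little entropy")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def find_reuse(vault: dict) -> list:
    """Groups of applications in `vault` (app -> password) that share one password."""
    by_password = defaultdict(list)
    for app, password in vault.items():
        by_password[password].append(app)
    return sorted(sorted(apps) for apps in by_password.values() if len(apps) > 1)


def rotate_reused(vault: dict, length: int = 20) -> dict:
    """Copy of `vault` in which every reused password is replaced by a fresh one.

    In a real product this step also pushes the new password to the external
    application and syncs it to every user the credential is shared with;
    that part is outside what this example can show.
    """
    rotated = dict(vault)
    for group in find_reuse(vault):
        for app in group:
            rotated[app] = generate_password(length)
    return rotated
```

Twenty characters from a 94-symbol alphabet give roughly 131 bits, far beyond what online or offline guessing can cover, which is the practical meaning of the article's "high-entropy" requirement.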
8. Zero Knowledge Encryption for Greatest Security
Zero Knowledge Encryption means that no one outside your enterprise can access your stored passwords – not even the vendor of the enterprise password manager. When using cloud-based enterprise password managers, this is achieved by ensuring the encryption keys that protect customers’ data remain inside the secure perimeter of the customer’s enterprise network. This is crucial in giving your organisation complete control and eliminating a potential security risk – ask the vendor of the Enterprise Password Manager where the encryption takes place and if they have any access to the keys that protect your data.
Impact of Not Having This Feature
Without this feature, the passwords your workforce store can potentially be accessed by the vendor of your enterprise password manager. This also creates a single point of failure since if the vendor is compromised your passwords can be accessed. These factors open up significant security risks for your firm so, for the greatest level of security, ensure that the vendor has no access to the encryption keys that protect your data.
9. Full Audit Trail and Integration with Security Information and Event Management (SIEM) Solutions
Any effective Enterprise Password Manager should be able to provide a full audit trail of who accessed which system and when, to help support compliance and any retrospective investigation following a security incident. The Enterprise Password Manager should provide canned and customised reporting options that can be interrogated locally, exported, or linked directly to the enterprise SIEM solution for analysis and aggregation with other events.
Impact of Not Having This Feature
Without this feature your firm could be faced with compliance issues as a result of being unable to provide a clear audit trail of who accessed which system (i.e. if multiple users share access to accounts) at any time.
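The compliance question in section 9 is answered by a query over the audit trail: who did what with a given shared credential, in a given window. The block below is an added example for this page, not code from the article or any product; it parses a constructed JSON-lines audit log whose field layout is an assumption of the example, answers that query, and flattens each event into a vendor-neutral record with a severity that a SIEM rule could key on.

```python
"""Added example (not from the original article): reading a password manager's
audit trail and preparing it for a SIEM.

SAMPLE_LOG is constructed; its field names (ts, user, action, credential,
result) are an assumption of this example, not a product's schema. Malformed
lines are counted rather than silently dropped.
"""
import json
from datetime import datetime
from typing import List, Optional, Tuple

SAMPLE_LOG = """\
{"ts": "2024-03-04T09:12:07Z", "user": "alice", "action": "launch", "credential": "hmrc-gateway-clientA", "result": "success"}
{"ts": "2024-03-04T09:15:44Z", "user": "bob", "action": "reveal", "credential": "hmrc-gateway-clientA", "result": "success"}
{"ts": "2024-03-04T17:40:01Z", "user": "carol", "action": "launch", "credential": "payroll-clientB", "result": "denied"}
this line is not JSON and must not abort the import
{"ts": "2024-03-05T08:02:19Z", "user": "alice", "action": "update_password", "credential": "hmrc-gateway-clientA", "result": "success"}
"""

REQUIRED = ("ts", "user", "action", "credential", "result")


def parse_ts(value: str) -> datetime:
    # fromisoformat() accepts a trailing 'Z' only from Python 3.11; normalise it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_audit(text: str) -> Tuple[List[dict], int]:
    """Parse JSON-lines audit text; returns (events, number of rejected lines)."""
    events, rejected = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            if not all(k in event for k in REQUIRED):
                raise ValueError("missing field")
            event["ts"] = parse_ts(event["ts"])
        except (ValueError, TypeError):   # JSONDecodeError is a ValueError
            rejected += 1
            continue
        events.append(event)
    return events, rejected


def who_accessed(events: List[dict], credential: str,
                 since: Optional[datetime] = None,
                 until: Optional[datetime] = None) -> List[Tuple[str, str, str]]:
    """(user, action, ISO timestamp) for every event on one credential in a window."""
    rows = []
    for e in events:
        if e["credential"] != credential:
            continue
        if since is not None and e["ts"] < since:
            continue
        if until is not None and e["ts"] > until:
            continue
        rows.append((e["user"], e["action"], e["ts"].isoformat()))
    return sorted(rows, key=lambda r: r[2])


def to_siem(event: dict) -> dict:
    """Flatten one event into a record a SIEM can ingest.

    A 'reveal' (password shown in clear) and any denied action are raised to
    high severity: in a hidden-password deployment both should be rare, so
    they are worth an analyst's attention rather than aggregation only.
    """
    high = event["action"] == "reveal" or event["result"] == "denied"
    return {
        "timestamp": event["ts"].isoformat(),
        "user": event["user"],
        "action": event["action"],
        "outcome": event["result"],
        "credential": event["credential"],
        "severity": "high" if high else "info",
    }
```

Keeping the rejected-line count visible matters in an investigation: a parser that silently skips bad lines cannot tell you whether the gap in a user's history is real or a logging fault.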
10. Optional Ability to Discover Applications and Learn Credentials
Enterprise password managers that can discover the apps being used by employees and, if required, learn the credentials for them expedite time-to-value by reducing setup effort while detecting shadow IT. These apps can then be added to the enterprise password manager with the click of a button, ensuring minimal barriers to usage and fewer residual security ‘blind spots’ for the enterprise.
Impact of Not Having This Feature
Without this feature your firm is likely to be exposed to additional cyber security risks as a result of the workforce using non-core, external web applications to store corporate data that the IT team are unaware of. With this feature, these shadow-IT risks can be managed by your enterprise password manager.
Conclusion
An enterprise password manager needs several critical features to deliver value and guarantee return on investment. Being secure goes without saying, but it is also critical that the user experience is unobtrusive and frictionless so there are minimal barriers to workforce adoption of the product. This will maximise your return on investment. Hopefully these ten critical features will provide a good starting point for your evaluation of enterprise password managers, but do look out for value-added benefits such as the ability to eliminate phishing risks and the ability to integrate desktop applications.