Attackers continue to launch aggressive assaults on corporate networks, combining techniques to steal passwords and privileged access credentials. The variations and iterations come at a rate that makes it very hard for hard-pressed enterprises to handle. Password management can help.
Stolen credentials and password heists are at the heart of the majority of interactive intrusions and no one is immune.
Attackers, cybercriminal gangs and advanced persistent threat (APT) groups are stepping up their efforts to steal passwords and privileged access credentials by focusing on C-level executives first. Ivanti’s State of Security Preparedness 2023 Report found that C-level executives are at least four times more likely to be phishing victims than other employees.
Nearly one in three CEOs and members of senior management have fallen victim to whaling attacks, either by clicking on a link or sending money.
Intelligent Security Summit On-Demand
Learn the critical role of AI & ML in cybersecurity and industry specific case studies. Watch on-demand sessions today.
Attacking identity access management (IAM) systems and enterprise-grade password managers, including multiple attacks on LastPass that resulted in a breach of 25 million users’ identities, shows identities are attackers’ threat surface of choice. “Weak and shared passwords, misconfigurations and vulnerabilities are problems that have tormented the industry for years and persist to this day. What’s changed is the speed and sophistication at which today’s adversary can weaponize these weaknesses,” writes CrowdStrike cofounder and CEO George Kurtz.
Password management gains trust in mid-sized organizations
For organizations with $50 million or less in annual revenue, password management tends to be isolated depending on the size of the total security budget. Small and medium businesses (SMBs) often start with password management and multifactor authentication (MFA). Once intrusion and breach attempts increase, finding a managed detection and response (MDR) solution becomes more important.
Our conversations indicate smaller organizations’ most trusted password managers are 1Password Business, Ivanti Password Director, NordPass, Keeper Enterprise Password Management, Specops Software Password Management, Bitwarden and Authlogics Password Security Management. Two other password managers, ManageEngine ADSelfService Plus and ManageEngine Password Manager Pro, are also popular in smaller organizations and have been targeted by APT attackers. CISA issued the alert, APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus, in 2021, warning of vulnerabilities.
SMBs with annual revenues in the $50 million range face a unique series of security challenges that password management alone doesn’t solve. CrowdStrike recently published the results of a survey defining SMBs’ top cybersecurity challenges. The survey confirmed that cybercriminals increasingly target SMBs because they represent softer targets than large enterprises. IT and security leaders of mid-size businesses tell VentureBeat they are adopting MDR to gain the benefits of artificial intelligence (AI), machine learning (ML) and human expertise.
SMBs want to move beyond password management and have 24/7/365 cybersecurity monitoring, response and remediation, and access to expert analysts to quickly identify and stop a breach.
In large-scale enterprises with over $1 billion in revenue, password management is integral to CISO’s IAM and privileged access management (PAM) tech stacks and plans. The most trusted password management systems often provide API-level integration to IAM and PAM systems. CISOs want real-time telemetry data to identify a potential intrusion or breach risk.
Enterprises find trustworthy password management tools among the following password management vendors based on conversations with CISOs in the insurance, financial and IT services, manufacturing and professional services industries.
A familiar choice in IT services and financial services, 1Password Business gets high marks from CISOs who appreciate how it supports and synchronizes automatically across multiple devices, regardless of operating system. For virtual workforces that run on various Android, Windows, and Apple iOS devices, 1Password saves IT service desks hundreds of hours a year on configuration calls and online sessions, according to a recent interview VentureBeat had with a CISO in financial services.
Enterprises using 1Password Business say the MFA features are intuitive, which helps increase their use across their company’s employee base worldwide. Vault and URL encryptions are added factors that lead enterprises to trust 1Password Business over other password management systems. It is considered one of the most intuitively designed password managers that can scale in enterprises today.
Bitwarden has found extensive use for enterprise devops teams in the insurance, IT, financial services and professional services industries. Bitwarden’s Chrome plug-in includes an intuitively designed password generator and manager, which scales well in devops environments without impacting engineers’ productivity. CISOs say they chose Bitwarden to reduce time-to-market for launching a password management solution internally, while also having password creation options that met internal and regulatory compliance requirements. Bitwarden has earned a reputation in enterprises for how well it works across multiple devices and operating systems, reducing the workload on IT support desks and teams. Bitwarden’s free version for personal use is worth considering if you don’t already use a password manager.
Considered one of the most extensible and customizable enterprise-strength password managers, CISOs and security leaders give Bravura Security Pass high marks for ease of customization. Bravura also makes its development language available, allowing customers to tailor Security Pass to their unique requirements. IT leaders appreciate how low password manager maintenance is once configured and how reliable password randomization is. All CISOs and IT leaders VentureBeat spoke with using Bravura Pass are also using MFA and found the process of integrating the two to be well-documented and supported by Bravura.
Avatier’s Identity Anywhere Password Management was designed to run in cloud-hosted and non-hosted environments, which enterprises see as an advantage for having the same security taxonomy across their tech stack. Avatier gets high marks from IT and security leaders for its integration options and selections for how best to authenticate users, given an enterprise’s existing security stack and workflows. What makes this one of the most trustworthy password managers is how well it can synchronize passwords after integrating across on-premises systems. A CISO told VentureBeat that Identity Anywhere also reduces IT help desk tickets by providing excellent password reset and authentication support.
Keeper’s Enterprise Password Management is one of the most trusted enterprise password managers because it’s proven itself over time in complex configurations that test the scale and speed of the system. For example, a CISO from a leading insurance provider told VentureBeat that integrating with their SSO to protect cloud-based personal productivity apps using Keeper helped protect over 5,000 Office365 users immediately.
Keeper also gets high marks for its support for alerts, session monitoring and reporting. IT leaders appreciate how the roadmap provides more IAM and PAM features. IT leaders say the Security Audit feature that scores password strength helps train employees to create more effective passwords while also catching any weak ones at the infrastructure level.
Known for its streamlined cloud implementation system, according to customers interviewed by VentureBeat, SailPoint Password Management is considered one of the most trustworthy password managers by enterprise IT leaders who often integrate it with SSO and other identity-based authentication systems. SailPoint has a reputation for working reliably and having intuitive enough dashboards to configure without extensive training or hiring an expert. The system synchronizes passwords reliably and helps reduce IT help desk calls with its reset password feature that does not require an admin’s involvement.
CISOs in IT services say Specops Software Password Management is one of their most trusted enterprise-grade password management systems because it reliably sets policies by user account type and group, ensuring compliance. Specops checks passwords against breached password databases, ensuring none are used enterprise-wide. That’s a significant relief to IT leaders and cybersecurity teams concerned with compromised passwords propagating across their networks. IT leaders also say the system’s ability to handle resets makes it one of the most reliable they’ve seen, along with how intuitive the application is designed.
CISOs need to plan for a passwordless future
Attacks aimed at gaining passwords look to trade on the implicit trust provided across enterprise networks. Once access is obtained, attackers can freely move through networks undetected. “Despite the advent of passwordless authentication, passwords persist in many use cases and remain a significant source of risk and user frustration,” writes Ant Allan, VP analyst, and James Hoover, principal analyst in the Gartner IAM Leaders’ Guide to User Authentication.
Cybersecurity leaders need to consider how they can eventually move away from being too dependent on passwords and adopt a more zero trust-based approach to securing identities across their organizations. Gartner predicts that by 2025, more than 50% of workforce and more than 20% of customer authentication transactions will be passwordless, up from less than 10% today.
What’s needed are passwordless authentication systems that are so intuitive, they don’t frustrate users, while also providing adaptive authentication on any device. Fast Identity Online 2 (FIDO2) is one of the leading standards in authentication. Expect to see more IAM and PAM vendors expand their support for FIDO2 in the coming year.
Leading vendors providing passwordless authentication solutions include Microsoft Authenticator, Okta,Duo Security, Auth0, Yubico and Ivanti’s Zero Sign-On (ZSO). Of these, Ivanti’s approach is noteworthy in combining passwordless authentication and zero trust. Ivanti’s ZSO is part of its unified endpoint management platform and uses biometrics, including Apple’s Face ID, as the secondary authentication factor for accessing personal and shared corporate accounts, data and systems.
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.