Enterprise-class password managers have become one of the easiest and most cost-effective ways to help employees lock down their online accounts. Most of the options were originally designed for individual users. Your organizational needs will differ wildly from those of security-conscious personal users, but the good news is that the key password management players have all made their solutions suitable for the business world.
As with any business software decision, the password manager discussion starts with requirements, specifically regarding features. Determining which features are critical to your business isn’t necessarily difficult. It starts with knowing what features are available in the business password manager space so you have something to compare against. Not all business password managers have feature parity with each other; in some cases it’s not even close. Each offers features that should bring value to your business and enhance the security posture of your users.
Enterprise password manager features to look for
For starters, businesses will need administrative capabilities to manage multiple users and applications. Some vendors covered here include capabilities to automatically provision and de-provision user access to applications based on their group membership. Tools to manage password policies are a must-have and should include the ability to manage complexity rules and change requirements.
Password managers for business should fill some of the same needs as those designed for individual use, including multi-factor authentication (MFA) or even passwordless authentication. MFA is a key feature for both personal and business accounts because it forms the basis of securing all your various accounts. (Think of it like a lock box for physical keys.)
Other authentication capabilities you should look for in a business password manager are squarely business features. Things like the ability to synchronize with LDAP or Active Directory or the option to leverage authentication from cloud services like Office 365 or Google Workspace are features that could streamline deployment of the password manager to your users.
Some business password managers have more advanced authentication capabilities. We’re talking about the ability to handle authentication using the Security Assertion Markup Language (SAML) standard, a step above simply filling login form fields, and dynamic authentication policies that can make sure your users are using a registered device or are attempting to log in from an accepted geographic location. Some vendors even support capabilities like password management for VPN software, on-premises apps, or RADIUS servers.
Things like audit logging, reports, and alerts aren’t exactly the sexiest features of any software tool. They are key capabilities for a password manager focused on business users whether you’re monitoring app usage, auditing administrative actions, or simply looking to get a read on what passwords are weak, have been re-used, or are due to be changed.
Nonrepudiation is a key term here: It’s the ability to prove that a particular user performed an action. Password managers are sometimes used to give multiple users access to an application through the same set of credentials. Auditing within that application then cannot identify which person performed an action, so it is vital that the password manager itself track and report which users accessed a given credential, and at what date and time. Alerts can help keep you in the know about known compromised accounts, when user accounts are locked, or potentially when anomalous behavior is detected.
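The attribution gap described above, as an added example that is not part of the original article: an application's own audit trail only names the shared account, so the password manager's access log is joined to it to recover who actually acted. Both log formats and all names are constructed for this illustration and match no particular vendor's export.

```python
from datetime import datetime, timedelta

# Constructed: the application only knows the shared account name.
APP_AUDIT = """\
2021-06-01T09:02:10Z svc_billing EXPORT_INVOICES
2021-06-01T09:31:45Z svc_billing DELETE_CUSTOMER
2021-06-01T13:05:00Z svc_billing EXPORT_INVOICES
"""

# Constructed: the password manager records which named user revealed the item.
VAULT_LOG = """\
2021-06-01T08:58:30Z alice reveal svc_billing
2021-06-01T09:30:02Z bob reveal svc_billing
2021-06-01T09:30:40Z carol reveal svc_billing
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_app(text):
    # (timestamp, shared account, action)
    return [(parse_ts(t), a, act) for t, a, act in
            (line.split() for line in text.splitlines())]

def parse_vault(text):
    # keep only credential reveals: (timestamp, named user, item)
    rows = []
    for line in text.splitlines():
        ts, user, event, item = line.split()
        if event == "reveal":
            rows.append((parse_ts(ts), user, item))
    return rows

def attribute(app_rows, vault_rows, window=timedelta(minutes=15)):
    """Name the vault users who revealed the same credential within `window`
    before each application action. Exactly one candidate is a confident
    attribution; several candidates or none is the audit gap shared
    credentials create, and is reported rather than guessed."""
    results = []
    for ts, account, action in app_rows:
        candidates = sorted({u for vts, u, item in vault_rows
                             if item == account and ts - window <= vts <= ts})
        if len(candidates) == 1:
            who = candidates[0]
        elif candidates:
            who = "AMBIGUOUS:" + ",".join(candidates)
        else:
            who = "UNATTRIBUTED"
        results.append((ts.isoformat(), action, who))
    return results

def report():
    return attribute(parse_app(APP_AUDIT), parse_vault(VAULT_LOG))
```

The second action stays ambiguous because two people revealed the credential minutes apart, which is exactly why a short checkout window or per-user accounts are preferable to a long-lived shared secret.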
One more feature which may be a little bit on the niche side involves tooling to support accessing passwords programmatically with scripts. Secrets management is a real concern in the DevOps world, as hard-coded credentials are almost as bad as those stored in plain text. Command-line tools or the ability to access password vaults using an application programming interface (API) are common methods password management tools can offer to securely retrieve passwords from your vault, but secrets management could also involve native support for common tools like Kubernetes or Ansible.
The top enterprise password managers
Which vendors offer password management for businesses and bring enough features to the table to warrant consideration? Here are the ones worth looking at.
1Password is one of the more established names in the password manager arena, and in addition to their personal password management services they also offer solutions for teams, business, and enterprise. The teams tier offers admin controls for sharing and permissions, two-factor authentication (including support for Duo integration), and five guest accounts to extend secure sharing reach for $19.95 monthly. Customers of the business tier are looking at a $7.99 monthly cost per user, but gain policy-based administrative security controls, logging and reports, and provisioning through Active Directory, Okta, or OneLogin. Starting at $29 monthly, 1Password also offers a Secrets Automation add-on for secrets management that supports a variety of tools including Ansible, Kubernetes, HashiCorp Terraform and Vault, and code libraries for Go, NodeJS, and Python.
Dashlane is another popular password manager choice for personal use that successfully bridges the gap to the business world. Like 1Password, Dashlane offers both a teams and business tier, for $5 or $8 monthly per user, respectively. Aside from a suite of administrative management tools and reporting capabilities, Dashlane also supports both provisioning and de-provisioning of apps (including remote removal of company credentials). Dashlane also offers SAML-based single sign-on (SSO) for users of their business tier, directory integration, and policy-based management.
Keeper Business and Keeper Enterprise
Keeper Security boasts the most popular mobile apps of any password manager, and its individual accounts and apps compare well with the competition in that space. Like much of the competition offering password management solutions for business, Keeper offers both a business and enterprise tier starting at $45 annually per user. The business tier offers policy-based management, reporting, and two-factor authentication, while enterprise customers gain SAML support, more robust two-factor (Duo integration and RSA tokens), command-line provisioning tools, and API support for things like password rotation and basic interaction with your vault. An add-on is available for more advanced reporting and alerting for $10 per user each year.
LastPass is something of the big name in the group. Its business solution offers an intuitive admin interface with security policies, MFA settings, and reporting. Federation from Active Directory Federation Services (ADFS) or Okta couples nicely with built-in provisioning and de-provisioning to streamline your administrative workflow. LastPass for business is available for $6 monthly per user, but limits you to three SSO apps, which is a pretty serious handicap. The Advanced SSO add-on gives you unlimited apps for an additional $2 per month for each user, and the Advanced MFA lends some serious power and flexibility to the authentication process for $3 monthly. Business customers can bundle with both add-ons for $9 monthly per user all told.
NordPass is made by the same folks as NordVPN, which just means they have experience and something of an established reputation when it comes to privacy and security. Not gonna lie though, NordPass business could use some maturing, particularly on things like directory integration, MFA options, and reporting. Not that NordPass doesn’t offer options for each of these categories; it’s just that they don’t offer a lot of flexibility or depth compared to the competition. Business accounts start at $3.59 per user monthly, with enterprise tiers requiring a call to the sales team.
Password Boss may not be as well known as other vendors on this list, but it offers a business solution that’s worth at least a cursory look. Connectors for both Active Directory and Azure AD are available to help onboard your users, and MFA support is available using Google Authenticator or another time-based one-time password (TOTP) authenticator. While certainly not as sophisticated or mature as some of the other solutions on this list, if you’re looking for a simple, straightforward password manager Password Boss may fit your business needs nicely.
Securden is another name you may not have heard of, but it has a few different solutions for business account security, including their password manager for enterprises. Securden’s password manager has a long list of features including a robust array of admin tools like the typical group-based management and reporting, but it extends beyond that. Securden offers request-based permission workflows, where a user must request access to a resource and have it approved prior to authenticating to the resource. This not only ensures users are authorized but provides an additional audit point. Securden also offers automatic password rotation, API access, management of Windows service accounts, and even SSH key and secrets management. If that wasn’t enough, Securden will integrate with your corporate Active Directory or SAML-based SSO solution, as well as your existing security information and event management (SIEM) and helpdesk ticketing systems.
Copyright © 2021 IDG Communications, Inc.