About Password Managers

More than 80% of breaches occur due to credential theft. All organizations have compliance requirements to have org-owned password management systems and MFA enforcement on accounts used by employees and contractors.

Some other needs which must be met are:

• Compliance attestation documentation
• Proper use of the best MFA method on a per resource basis
• Aligning business continuity objectives with cybersecurity objectives
• Developing procedures for staff on how to use the company password manager system properly
• Aligning procedures with information security policy
• Developing/enhancing information security policy
• End user awareness training around credentials, MFA, password management
• and more

I wrote a 16-page educational guide for clients to help them understand the complexities and challenges of password manager solutions and why this is not an easy button project. This podcast is a supplement to that whitepaper.

See the following supporting podcasts for additional information.

https://qpcsecurity.podbean.com/e/requirements-for-premise-hosted-assets-cybersecurity-bcdr-and-more/

https://qpcsecurity.podbean.com/e/how-to-achieve-compliance-for-privileged-account-management/

https://qpcsecurity.podbean.com/e/avoid-cybersecurity-insurance-fraud/

• QPC provides managed clients staff onboarding and training documentation. As we update the documentation with new procedures or enhancements, we publish the new versions of the documents to the client’s IT Training SharePoint library. We also make them available through the QPC Security portal which all M365 users have access to.
• QPC creates and maintains workflows for cybersecurity insurance and compliance attestation for managed clients. Compliance attestation and the maintenance of the reports and workflows to produce the compliance attestation are mandatory for cybersecurity insurance and some Federal or State regulatory compliance. As supply chain and vendor risk management becomes more prevalent, organizations will need to provide proof of these items to customers or prospective customers as part of contractual due diligence. Organizations can scramble to compile these items on their own. Managed clients benefit from QPC’s compliance preparedness.
• Access to QPC’s password manager import/export/business continuity procedures. Our expertise in password manager conversions reduce friction to staff adoption of the system.
• Support customized to client’s unique needs
• Strategic guidance on how to best use the tool to meet the staff’s needs while being in compliance and alignment HR, information security, and company use of technology policies
• Advanced security implementation services
• Reduced implementation time compared to implementation by client’s in-house IT
• Compliance attestation for cybersecurity insurance
• HR policies which support use of the solution; employee use policies
• QPC provided password security policy
• Training for end users on how to setup what kind of MFA
• QPC has systems for shared MFA even when OTP is not an option for a resource client staff are accessing.
• Managed clients benefit from QPC’s existing R&D investment as well as ongoing enhancements of managed functionality.
• No data loss or business continuity risk in doing so. At any point a client who wishes to separate from QPC can do so. This is covered in the separation area of this document.
• QPC has a strong relationship with the software vendor where the feature requests we submit are typically integrated in the product in three months. We submit feature requests for functionality for managed clients.
• QPC includes additional compliance modules in the subscription which are not part of the standard direct subscription. Keep this in mind when doing price comparisons.
• QPC can co-term licensing for user additions
• Direct software vendor support is not designed to be anything other than break/fix
• Quicker response time than direct software vendor support
• QPC is able to provide enterprise level support for the product whereas a direct customer would need to have a $25,000 per year support contract in order to receive a similar level of support direct from the software vendor.
• QPC can be the compliance delegated admin for clients where desired. If not desired, then the client must assign and fully train the compliance manager delegated admin. Responsibilities and recurring tasks must be assigned to that person.
• QPC works with managed clients to define staff user roles and assign security policies to them. Some employees should not be accessing the password vaults unless they are on company‑owned and secured systems. We define allowed platforms, security baselines, restrict data exfiltration and more.
• QPC can implement additional technical controls to prevent employees from storing passwords where they should not be stored, such as browsers. We strongly recommend technical controls and ongoing cybersecurity awareness training backed by employee policies the reduce the opportunity for storing passwords related to company assets in an unapproved manner.
• QPC can provide a separate end user support system for clients where they are able to contact the password manager support via email, chat, and phone. This service is not available for direct purchasers. Direct support includes only Level 1 help desk for basic user configuration or end‑user issues at the quantity of 25 per year. Free online documentation and videos is included of course.
• Onboarding, new employee training, and configuration management support is not available for direct accounts.

Not only should all organization or company-related credentials be stored in a company-approved password management system, but at least two individuals in every department should have modify access to any shared credentials. Password management systems which meet the security requirements and are cloud-based tend to have zero trust storage methods.

Zero trust storage is a very important concept. It means is that if a second person was not granted access to that data, it may become irretrievable. It also means that unauthorized parties cannot see your passwords or the content you store with them. That includes your service provider and the password management system hosting provider.

Business continuity also comes from techniques. For example, individuals who share a job function should always have their own unique logins and MFA into a system where possible. That is the dual-‑admin approach. A great example of that is Constant Contact, bank websites, your company UPS account, marketing automation platforms, etc. Multiple people may be sharing a job function, but each person should have their own login IDs where possible.

In the cases where a website or resource does not allow for individual credentials for multiple individuals, the use of a password manager application with shared MFA allows the shared business function staff to have secure access to the same credential with MFA enforcement on the resource. This is a critical feature for security and risk mitigation.

In the case the client wishes to separate from QPC, they are able to convert to a direct paid account or able to migrate their licensing to another IT service provider. No data loss will occur as long as proper offboarding procedures are followed. The procedure is quite simple. First one must pay for separate licensing. Second, the master administrator account which is like a glass-break recovery account must be transferred to the new designated personnel. This is very easy to do since QPC’s standard business continuity protocol for configuration of a managed tenant involves the inclusion of this glass-break or master recovery account.