In the era of cloud computing, mobile technology and more aggressive cyberattacks that seek to steal corporate data, implementing effective password management tools has garnered greater attention as channel partners help design a corporate security blanket that protects their customers from costly data breaches.
The practice of allowing employees to gain access to a company's data assets by entering passwords they've developed has never been a foolproof system that completely protects data from malicious attacks. Employees often forget or accidentally mislay passwords, which can interrupt their workflow or, more seriously, expose a company to cyberattacks.
In this environment, IT services providers are crafting their own approaches to providing offerings in this segment of the identity and access management (IAM) market.
Password trouble spots: Cloud, Mobile
A Cloud Security Alliance study published in February, The Treacherous 12: CSA's Cloud Computing Top Threats in 2016, noted that cloud vulnerabilities can occur when there is "a lack of scalable identity access management systems, failure to use multifactor authentication, weak password use, and a lack of ongoing automated rotation of cryptographic keys, passwords and certificates."
Reflecting on how cloud computing has impacted password management, Nathan Wiehe, vice president of Integration Services at EST Group LLC, an IT solution provider headquartered in Arlington, Texas, said with the advent of hosted cloud solutions came hybrid and private clouds as well as software as a service, platform as a service and infrastructure as a service. Wiehe said password management challenges present themselves with every new cloud offering released. He added that logical security companies have been trying to tackle the problems that inherently come with silos of users and passwords stored in the cloud.
"Each new cloud solution that an organization adopts creates a new silo of identities and passwords that are not inherently connected to the organization," Wiehe said.
He said security vendors have helped to alleviate some of the dependency on passwords through the use of federation technologies and the implementation of access management technologies.
"Sophisticated organizations want to leverage their current password management solutions and integrate them with their hybrid and private clouds or find a way to leverage password synchronization solutions, aka identity management, to bridge on-premises password management solutions that push password changes up to the cloud," Wiehe said.
Another area presenting challenges is mobile device technology. While traditional password systems allow employees to perform a one-click login to everything at the desktop, these systems don't extend to mobile devices, according to Colin Knox, CEO at Passportal, a company that provides cloud-based password and identity management offerings exclusively designed for, and used by, managed service providers.
Employees often need to perform a quick action from their phone -- whether that's approving a timesheet or sending a file. But if they can't remember the password to log in to the systems from their mobile phones, they see their mobile device as a useless tool instead of a complementary gadget that helps them perform their tasks, Knox explained.
"If you can't provide password solutions at the mobile level people will see the solution as an encumbrance to their ability to work," he said.
Wiehe said while mobile password use is being driven from a corporate security perspective, many employees haven't begun to use these offerings at a high level.
"The biggest issue that we have seen is that it can be hard to get employees to download and use native apps that are exclusively for corporate use, especially when most phones are owned by the individual not the organization they work for," Wiehe said. "This is especially true when the mobile app is not used often, like in the case of a forgotten password reset solution."
Cost concerns drive password management tools
For these and other reasons, customers are paying closer attention to password management offerings and IT services providers can benefit from this trend.
"Demand for password management solutions is quite high," Wiehe said. "One primary reason is that IT password resets are expensive and they're causing help desks to get overloaded. Therefore, IT departments must find effective ways to secure the enterprise and make it more self-sufficient. Companies look to solution providers as their problem solvers."
In his analysis, Jackson Shaw, senior director of product management for Dell Software Group, said costs are an important driver for the implementation of password management and better password policies.
"Whenever a customer processes a password reset it's going to take somebody's time. If they are a bigger company and they have an actual outsourced help desk it can cost anywhere from $25 to $50 to have a password reset done," Shaw said.
With costs in mind, Wiehe said the EST Group's approach to password management projects includes asking companies how much of the IT department's time is spent on password reset and what that costs the organization.
"That leads to a return on investment calculation on what the company will save, which is usually substantial," Wiehe said.
Aside from costs, a discussion around password management tools opens up a larger conversation between IT services providers and their customers about security.
"For a channel partner it's a great opportunity to talk to the customer about security, password policies, password strength and protecting passwords," Shaw said.
Wiehe noted that while providing an effective implementation of a password management system is critical, a thorough analysis of the environment and the specific business problems is also important.
"Each password management solution must match individual business case scenarios to be truly effective and improve the user experience," Wiehe said.
He also noted that with large enterprises serving employees scattered across the world, scale of deployment can be a challenge for a centralized password management system. Highly regulated vertical sectors also have their problems.
"For some industries such as financial services, companies must decide whether to expose these solutions outside the firewall so employees can change passwords at home or at a coffee shop," Wiehe said. "For healthcare, the main challenge is driving self-service for routine-oriented medical professionals who are accustomed to calling the help desk."
SMBs seek password management
Small to medium-sized businesses (SMBs) are also seeking password management tools, according to Ron Culler, CTO at Secure Designs Inc., a managed security provider in Greensboro, N.C. The company primarily sells to SMBs.
"The demand is increasing in the SMB market as companies are becoming more conscious of the need for increased security in their environments," Culler said. "For channel partners selling into the SMB market, password management is being brought in as part of a larger set of solutions that are standardizing and securing their clients' environments."
IT services providers implementing password management tools, especially in the SMB environment, should consider several key areas, Culler said. These include ease of use, granular controls and reporting, which are important not only in delivering robust security, but also in enabling the MSP to deliver a more comprehensive set of services.
One company that has resisted growing its password management offerings is Canonical Ltd, an open source company and MSP that helps customers with migrations, management and support for their Ubuntu deployments.
Instead of offering password management tools, Canonical utilizes GNU Privacy Guard to securely provide a client with their administrative credentials.
Canonical's MSP customers are sent an administrative user ID and password to access a part of the OpenStack system which allows clients to create users and virtual machines to manage their applications in the cloud. The practice of providing customers with administrative access to the cloud prevents Canonical from having anything to do with the client's secrets, said Joey Stanford, Canonical's IT risk and compliance program manager. The technology also provides clients with the ability to manage user IDs and passwords in the way they see fit.
However, channel partners that aren't involved in offering password management tools are also missing a chance to expand their business into the lucrative security realm.
"Channel partners have the ability to sell password management and the services of security around that plus the chance to talk about strong two-factor authentication and how to increase the security posture of the organization as well as reduce the attack surface," Shaw said.
Wiehe said his company not only sells password management as a standalone solution, but also as part of larger IAM projects.
"For example, we often provide the Dell Password Manager solution as a standalone product, but it also integrates into a customer's larger security solution, which is important to our clients and makes us more of a strategic partner," Wiehe said.
In addition to Dell Password Manager, EST Group also sells NetIQ Self Service Password Reset, Microsoft FIM Portal and Identity Automation's RapidPortal.
As IT companies forge ahead with plans to enhance their value to customers, Passportal's Knox said IT service providers should always remember that strong passwords can help protect millions, even billions of dollars' worth of company assets, which include protecting everything from intellectual property secrets to business plans and IT investments.
"Companies have spent billions of dollars on security technology, everything from firewall systems to antivirus software, back-up and recovery technology and email encryption, but those technologies can be completely rendered useless if the password to those services, appliances and packages are compromised," Knox said.
Wiehe agreed, "Password management is as popular today as it was 15 years ago, and the need continues to grow with cyberattacks on the rise."