We’d like to loop back with the attendees of our panel discussion on the LastPass incident.
Since that time, we’ve learned that Norton LifeLock has also had compromises. Along with CircleCI and Slack, it’s clear there is a trend of gaining source-level access to enterprise tools, which raises the risk of another “backdoored update” like SolarWinds, as we discussed in the panel.
We also promised we would be transparent about our selection process for a password manager, as the process may help the communities we serve. Rather than articulating why we rejected products, we’ll keep this positive and talk about how we selected. The process we used was as follows:
We set up a committee to make the decision.
We drafted a list of attributes or features that define the ideal product. Many of these attributes are drawn directly from the feature sets advertised by different product vendors; others are our own, for example no reported major security incidents in the last 3 years.
We came up with a list of 6 products, drawn from product reviews over a period of 3 years.
Each committee member did a deep dive into the feature sets advertised by the vendors and mapped them to the attributes we'd selected.
We met as a committee, debated the results, and shortlisted 3 vendors.
We obtained security documentation for the 3 vendors and evaluated that documentation in detail.
We selected one product for enterprise use and another to recommend to our employees for home use.
Along with standard features, the list of attributes we considered to be the desired differentiators are the following:
Stored Password Strength Check – offers a method for evaluating master password security without revealing the password.
Price – Self-explanatory
Product Launch Date – How long has the vendor been in business, and when was the product launched?
Zero-Knowledge – An overused term, but the vendor is not in possession of master keys
Central Administration – Reporting interface, revocation capability
Security Events in past 24mo – What’s in the media regarding security incidents?
Access Levels – Granular enough to meet our requirements?
Access Auditing – Usage and other reports
Programmatic Access – APIs available for automation?
Age of Secrets – Age tracking for potential rotation scheduling?
3rd Party Audits for Security – Has the product been exposed to a security assessment that is available for review and conducted by a third party?
Intuitive to use – A good test is whether the product works well for seniors
Uses TLS – Nothing moves without encryption
Integrates with authenticator apps – Microsoft, Google, Duo
Integrates with FIDO keys – Hardware tokens for device access
Breach Reporting – Sites for which users have passwords stored
Weak Password Detection and Reporting – Just in case users aren’t meeting the bar
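To make the first attribute concrete, here is an added illustration (not code from the original post, and not any vendor's implementation) of what "evaluating master password security without revealing the password" looks like in practice: the strength estimate is computed entirely on the client, and the only value that would ever leave the device for a breach lookup is a 5-character hash prefix (the k-anonymity range-query pattern). The denylist, the entropy heuristic and the verdict thresholds are constructed for the example; real products use richer pattern matching than this.

```python
import hashlib
import math

# Constructed stand-in for a breached-password corpus (assumption for this example).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def estimated_entropy_bits(password: str) -> float:
    """Crude entropy estimate: length * log2(size of the character classes used).

    Everything here runs locally; the password is never sent anywhere.
    """
    if not password:
        return 0.0
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 33  # printable ASCII punctuation plus space
    return len(password) * math.log2(charset)


def k_anonymity_prefix(password: str) -> str:
    """First 5 hex characters of SHA-1: the only thing a range-query breach API
    would see. The full hash and the password itself stay on the client."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()[:5]


def strength_report(password: str) -> dict:
    """Return a local verdict plus the prefix that a breach check would transmit.

    Thresholds (40 / 70 bits) are constructed for this example, not a standard.
    """
    bits = estimated_entropy_bits(password)
    common = password.lower() in COMMON_PASSWORDS
    if common or bits < 40:
        verdict = "weak"
    elif bits < 70:
        verdict = "fair"
    else:
        verdict = "strong"
    return {
        "verdict": verdict,
        "entropy_bits": round(bits, 1),
        "in_common_list": common,
        "breach_query_prefix": k_anonymity_prefix(password),
    }


if __name__ == "__main__":
    for candidate in ("password", "Passw0rd", "correct horse battery staple"):
        print(candidate, "->", strength_report(candidate))
```

The point for a buyer is the data flow, not the scoring: a vendor that claims zero-knowledge should be able to show that strength checks and breach checks follow this shape (local evaluation, hash-prefix query at most), rather than uploading the plaintext or the full hash to their service.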
Result: we have selected Keeper, and we are advocating home use of Bitwarden. We will be rolling out Keeper to our entire employee base and making its use mandatory through policy. The reason we chose a different product to recommend for home use is that we don't want home and business credentials to be in the same product. If another product breach occurs and we need to go through this exercise again, we do not want to impact our employees' access to their banks and retail sites.