So recently there has been a thread of discussion on the MSPMentor group on LinkedIn about password management. It was started by Colin Knox from XCEL Professional Services, an AuthAnvil Two Factor Auth customer of ours who recently became an AuthAnvil Protected Solution client by adding our two-factor authentication technology into an online password management system he built for his peers. So in essence, you might even consider him a friendly competitor. He targets the small MSPs who are just starting out and are trying to get away from keeping passwords stored in clear text in spreadsheets and text files and instead store them encrypted in a central database online. Our AuthAnvil Password Server on the other hand focuses on maturing IT Service Providers and IT departments who need to not only store passwords safely, but also have control of them on-premise and in the cloud, while also expecting higher level functions like automated password synchronization, remote access control and deeper audit tracking. In essence, it can automate password management across hundreds or thousands of different sites with dozens of technicians.
But this post isn’t about our differences. It is about the thread of conversation about the safety of passwords and the entire process of managing them. You see, absolute security is a myth. With enough money and motive, ANYTHING can be breached. The purpose of any technical safeguard used in the realm of security is to reduce risk to an acceptable level. What is considered acceptable will differ between every company, because risk mitigation decisions shift as different stakeholders get involved. A retail outlet collecting credit cards on their POS terminal will have a different set of risks and responsibilities than the local credit union down the street, or the doctor’s office around the corner. Thing is, if you as an IT professional are remotely connecting into any (or all) of these customers’ networks, you have a responsibility to safeguard those credentials. Who knows what vile villainy may be trying to scrape that information from the untrusted terminals you use every day.
What I found interesting in the conversation was Manuel Palachuk’s thoughts on the attack surface of a password manager being hosted online. He feels that it is a prime target for the thugs and goons of the Internet who might have interest in breaching such a system. It’s a reasonable line of thinking. I mean, if an online password manager was breached, the risk would extend not only to that one MSP but to every MSP in the system, as well as to the company’s reputation. You know, like the breach last year of the online password manager LastPass. A weak master password could wreak havoc on the system. It’s one of the reasons Colin added AuthAnvil Two Factor Auth to his solution. It forces users to use a far stronger credential to get into the system, giving a higher level of identity assurance. And it’s why AuthAnvil Password Server not only supports AuthAnvil Two Factor Auth too, but also supports AuthAnvil Single Sign On, so you have far better controls and auditing without having to know a password in the first place. A two-factor authentication credential is virtually impossible to duplicate or forge, giving you a higher level of trust in access to the system in the first place. Do it through a centralized single sign-on portal and you can better control and report on who is doing what, when and from where.
The banter back and forth in the thread led to the revelation that many MSPs store their customer passwords in note fields inside their PSA… in clear text. When you think of how much information is stored in solutions from ConnectWise, Autotask and Salesforce, you have to start to wonder and challenge the idea of storing passwords there. All of those products support AuthAnvil Two Factor Auth, so you can enforce stronger access control to those systems. But once a trusted user is in the system, how do you know if they looked at all those passwords? How do you audit when they accessed it, and just who it was that looked at it? That is why we record every interaction in the AuthAnvil Password Server and provide detailed audit reporting to extract that information quickly. And why we heavily use the security architecture and framework in SQL Server to better safeguard access both inside and outside the application instead of using standard open source databases that don’t.
Storing passwords plainly like that is a bad idea. It is actually one of the reasons Scorpion Software created a full set of APIs to expose such information in a more trusted manner. You can programmatically reveal such passwords when it’s appropriate while still maintaining mutual trust between all parties. Because the AuthAnvil Password Server acts as its own Certificate Authority, it issues trusted certificates to third party applications so they can properly make requests of this information in a secure manner with message integrity trust.
In other words, all communications and access controls are digitally signed and encrypted between both ends. Not just the communication channel, as SSL does, but the payload itself, which prevents tampering, man-in-the-middle attacks and information disclosure. And when used with AuthAnvil Single Sign On, you can leverage the Security Assertion Markup Language (SAML) to do all this transparently and with proper security controls. We have offered that entire framework to both ConnectWise and Autotask for free so that if they want, they can securely expose these passwords in whatever way they see reasonable (and responsible) in their own products. Actually, we also made that available to RMM vendors like Kaseya, LabTech, Level Platforms, N-able and GFI. And some of them are working on that now. Oh… and we made it available to you. The entire API is free for use to all customers and is available in the AuthAnvil Developer Center.
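As an added illustration of the payload-level protection the paragraph contrasts with channel-level SSL (example code written for this post, not the AuthAnvil API or any Scorpion Software code): each request carries a timestamp, a nonce and a signature over its canonical form, so a message that was altered or replayed is rejected even though the transport delivered it intact. HMAC-SHA256 with a shared key stands in for the certificate-based signatures described above, since the Python standard library has no RSA/ECDSA, and the payload is left unencrypted here; the field names and the 300-second window are assumptions.

```python
import hashlib
import hmac
import json
import secrets

MAX_SKEW = 300  # seconds a signed message stays acceptable (assumed policy value)


def canonical(payload: dict) -> bytes:
    # Stable serialization: key order and whitespace must not change the signature.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_request(key: bytes, body: dict, now: float) -> dict:
    """Wrap an API request body in a signed envelope (timestamp + nonce + body)."""
    envelope = {"ts": int(now), "nonce": secrets.token_hex(16), "body": body}
    envelope["sig"] = hmac.new(key, canonical(envelope), hashlib.sha256).hexdigest()
    return envelope


class Verifier:
    """Receiver side: checks signature, freshness and replay before trusting the body."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()  # accepted nonces; a real service prunes these after MAX_SKEW

    def verify(self, envelope: dict, now: float):
        unsigned = {k: v for k, v in envelope.items() if k != "sig"}
        expected = hmac.new(self.key, canonical(unsigned), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope.get("sig", "")):
            return None, "bad signature"  # body, ts or nonce modified in transit
        if abs(now - envelope["ts"]) > MAX_SKEW:
            return None, "stale timestamp"
        if envelope["nonce"] in self.seen:
            return None, "replayed nonce"
        self.seen.add(envelope["nonce"])
        return envelope["body"], "ok"


def demo():
    key = secrets.token_bytes(32)  # constructed shared key for the demo
    v = Verifier(key)
    t0 = 1_700_000_000.0  # constructed reference time
    req = sign_request(key, {"action": "reveal", "vault": "CustomerA", "id": 42}, t0)
    results = [v.verify(req, t0 + 1)[1]]  # legitimate request
    results.append(v.verify(req, t0 + 2)[1])  # same envelope again: replay
    tampered = dict(req)
    tampered["body"] = {**req["body"], "id": 43}  # changed after signing
    results.append(v.verify(tampered, t0 + 3)[1])
    late = sign_request(key, req["body"], t0)  # valid signature, delivered an hour late
    results.append(v.verify(late, t0 + 3600)[1])
    return results  # ['ok', 'replayed nonce', 'bad signature', 'stale timestamp']
```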
We use this API ourselves to make the AuthAnvil Password Server even better than most password managers. Not only can we store passwords, we can securely synchronize them by deploying agents through RMM tools that are registered and issued client certificates just like a third party app. This way the AuthAnvil Password Server can establish and maintain trust across all the different networks you manage and automatically rotate the passwords when they expire due to age, or on forced expiration such as when an employee leaves or is let go from the organization. This saves you from frantically running around changing passwords on every system you manage that the ex-employee knows the credentials to, just to reduce your exposure.
Gurmeet Judge from Computer Troubleshooters pointed out that he feels that MSPs shouldn’t even know clients’ passwords. This is true. It is never a good idea for IT professionals to know a user’s password except in the direst of needs. However, that isn’t what password managers are used for in this context. They are about handling access to administrative passwords for the computers, networking devices and services that drive the entire IT infrastructure. Those critical domain and service accounts that keep everything going. The firewalls. Routers. Switches. VPN concentrators. Citrix servers. Hyper-V servers. The list goes on and on. In the AuthAnvil Password Server, this is all controlled with a set of password policies enforced through user permissions.
You can completely control who can create, read and write passwords, as well as who can run audit reports on the passwords in a given Vault. And you can create approval workflows: if someone shouldn’t normally have access to a set of passwords, you CAN authorize it when they request it. So now a junior technician who shouldn’t normally know the admin credential on a critical server can request it and be granted access for a short period of time. And then the automated expiration capability can rotate it out without human intervention so they don’t know it for a long period of time… giving you the audit control and comfort that they can do the work they need to do, without exposing the customer to more risk over a long period of time.
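A compact model of the workflow just described, written for this post as an illustration (not the AuthAnvil Password Server’s code or API; the class, method names and the right names "read", "write" and "approve" are assumptions): a technician without standing read rights requests a credential, an approver grants a short lease, every reveal and denial is logged, and once the lease lapses the entry is rotated so the value the technician saw is no longer the live one.

```python
import secrets


class Vault:
    """Credential store with per-user rights, approved short-lived leases,
    automatic rotation once a lease lapses, and an append-only audit log."""

    def __init__(self, permissions):
        self.perms = permissions    # user -> set of "read", "write", "approve"
        self.passwords = {}         # entry name -> current secret
        self.leases = []            # (user, entry, expiry time)
        self.pending = {}           # request id -> (user, entry)
        self.log = []               # (time, actor, action, entry)

    def _check(self, now, user, right, entry):
        if right not in self.perms.get(user, set()):
            self.log.append((now, user, f"denied-{right}", entry))
            raise PermissionError(f"{user} lacks {right} on {entry}")

    def rotate(self, now, actor, entry):
        self._check(now, actor, "write", entry)
        self.passwords[entry] = secrets.token_urlsafe(24)
        self.log.append((now, actor, "rotate", entry))

    def request_access(self, now, user, entry):
        rid = secrets.token_hex(4)
        self.pending[rid] = (user, entry)
        self.log.append((now, user, "request", entry))
        return rid

    def approve(self, now, approver, rid, ttl):
        self._check(now, approver, "approve", "*")
        user, entry = self.pending.pop(rid)
        self.leases.append((user, entry, now + ttl))
        self.log.append((now, approver, f"approve:{user}", entry))

    def _expire(self, now):
        # A lapsed lease ends with a rotation, so the value the technician saw goes dead.
        for user, entry, expiry in [l for l in self.leases if l[2] <= now]:
            self.leases.remove((user, entry, expiry))
            self.passwords[entry] = secrets.token_urlsafe(24)
            self.log.append((now, "system", f"rotate-after-lease:{user}", entry))

    def reveal(self, now, user, entry):
        self._expire(now)
        if not any(u == user and e == entry for u, e, _ in self.leases):
            self._check(now, user, "read", entry)  # no lease: needs standing read right
        self.log.append((now, user, "read", entry))
        return self.passwords[entry]
```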
Ultimately, most people on the thread concurred that they don’t want to see this sort of sensitive information stored in the cloud at a central repository service. It’s one of the core understandings and beliefs we have had told to us by many of the maturing MSPs we deal with every day. They want control. Which is why the AuthAnvil Password Server was designed as an on-premise solution that can be hosted by you in your own private cloud if you like, or managed in-house as required through a simple installer that can deploy to almost any Windows Server you use today. And if you have secure tunnels to your client networks from your NOC services in-house, you can begin to take advantage of other pieces of technology inside the AuthAnvil Password Server. Like being able to have one-click access to log in to customers’ servers without needing to enter the username, hostname OR even the password. Since there is a high degree of control and trust, the software can do it all for you. Now your technicians don’t even need to see or touch many of the passwords that they use every day, which may be auto-rotating every few days.
In the end, the interesting part of the conversation is the fact we are FINALLY having it. Password management in the MSP space is really bad. I wish I could share what we are seeing with the thousands of IT professionals we are working with today, and the companies they serve. We have seen people come to us who were almost bankrupted due to disgruntled employees doing horrendous things to the customer’s infrastructure after they had left the organization. We have found core firewalls protecting critical infrastructure whose passwords were set by staff who left years before and have never been changed. We have had customers come to us frustrated because the backup of sensitive servers keeps breaking because the service accounts aren’t in sync with the domain password of the Backup Operator… virtually destroying entire backup processes. And we have seen IT companies refuse to change passwords because it is far too expensive to just do it… now that they manage so many different networks and thousands of endpoints and have no control or knowledge of who knows what. This is where the ROI on AuthAnvil Password Solutions becomes apparent… it usually pays for itself the first time you have to do this.
Colin is right. We need better password management. If you are just starting out as an MSP, you still need to do something more than storing passwords in a text file in an Exchange public folder (yes… people do this, as insane as it sounds). Storing them in ConnectWise and Autotask isn’t the brightest idea, as you don’t have enough audit control to track and manage access. If you use something like Colin’s online system, make sure you enable AuthAnvil Two Factor Auth to give you back SOME control. If you need more as your business matures, then turn to us and use AuthAnvil Two Factor Auth with the AuthAnvil Password Server. Or better yet, use our built-in AuthAnvil Single Sign On support for many of the popular RMM tools and use AuthAnvil Two Factor Auth to log into the SSO portal, and then automatically be signed into the AuthAnvil Password Server, your Outlook Web Access email, your RMM platform and possibly your PSA (if you use a SAML-aware one like Salesforce.com) without even having to know or use another password. All controlled and managed by you, on your servers on-premise, or in your private cloud.
Let’s continue the conversation. The MSPMentor group seems as reasonable a place as any. Or send a tweet out to me or our @AuthAnvil twitter feed. Or leave a comment here. Whatever you do, let’s hear your thoughts.