Gone are the days when all you needed was a strong password to guard your data. Now, we live in an era where you not only choose a strong password, but also get a strong and secure password manager. A password manager is a premier solution that helps consolidate all privileged accounts, controls access, and safeguards the accounts. Therefore, it’s important to get a robust password manager.
Over the years, Password Manager Pro, the privileged password management solution from ManageEngine, has emerged as the top choice for IT divisions of enterprises to consolidate and secure privileged identities. Because sensitive data is stored in it, users often ask how Password Manager Pro handles that data, both at rest and in transit. Password Manager Pro is secure by design; here is an account of how it protects data at various levels:
1. Vaulting Mechanism
Everything has its place in this world, and we believe the place for sensitive IT passwords is Password Manager Pro’s centralized repository. Its vaulting mechanism is built with a dual-encryption design that encrypts your data first at the application level and again at the database level. AES-256, the strongest known encryption algorithm approved by the US Government, is employed throughout. Moreover, Password Manager Pro can also be set up to run in FIPS 140-2-compliant mode (with a SQL Server back end), where all encryption is done through FIPS 140-2-certified systems and libraries. There is also an exclusive MSP edition of Password Manager Pro with a multi-tenant architecture for secure data segmentation between departments or, in the case of MSPs, between their customers.
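As an added illustration of the two-layer vaulting design described above (this is example code, not Password Manager Pro’s own implementation, whose internals this post does not show): each layer wraps the previous layer’s output with AES-256-GCM under its own key, so the database-level key alone yields only the application-level ciphertext, never the password. The key names, the variadic key order and the nonce-prefix layout are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// newGCM builds an AES-256-GCM cipher from a 32-byte key (assumed key size).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// VaultSeal applies each key in turn: application-level key first, database-level key second.
func VaultSeal(password []byte, keys ...[]byte) ([]byte, error) {
	out := password
	for _, k := range keys {
		gcm, err := newGCM(k)
		if err != nil {
			return nil, err
		}
		nonce := make([]byte, gcm.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		out = gcm.Seal(nonce, nonce, out, nil) // layer = nonce || ciphertext || GCM tag
	}
	return out, nil
}

// VaultOpen peels the layers in reverse order: database-level key first, then application-level key.
func VaultOpen(stored []byte, keys ...[]byte) ([]byte, error) {
	out := stored
	for i := len(keys) - 1; i >= 0; i-- {
		gcm, err := newGCM(keys[i])
		if err != nil {
			return nil, err
		}
		if len(out) < gcm.NonceSize() {
			return nil, errors.New("ciphertext too short")
		}
		if out, err = gcm.Open(nil, out[:gcm.NonceSize()], out[gcm.NonceSize():], nil); err != nil {
			return nil, err // a wrong key or tampered bytes fail the GCM tag check
		}
	}
	return out, nil
}
```

Because every layer is authenticated, a wrong key at either level or any modification of the stored bytes is rejected rather than silently producing garbage.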
2. Identification and Authentication
It is important that the user’s identity is confirmed as authentic when they access an application that holds details of the organization’s sensitive IT resources and privileged passwords.
Application Level Authentication – Password Manager Pro’s authentication mechanism offers several options to uniquely identify users: a strong local authentication system based on the SHA1 algorithm, integration with external identity stores (AD, any LDAP-compliant directory service, or RADIUS) that delegates authentication to them, smart card authentication, and single sign-on with SAML 2.0.
Two-Factor Authentication – To add a further level of security, all of the above options are complemented by two-factor authentication provisions such as PhoneFactor, RSA SecurID, and OTP, which require users to authenticate through two successive stages before accessing the web interface.
3. Data Integrity
Password Manager Pro comes equipped with various security options that ensure data integrity at all levels of operations.
Data Transmission – While data storage is protected with dual AES-256 encryption as mentioned above, all data transmission is encrypted as well. Communication between Password Manager Pro’s user interface and the server takes place over HTTPS, and data transmission between the Password Manager Pro server and the database occurs over SSL. Moreover, communication between Password Manager Pro and its agents is always one-way, which eliminates the need to open firewall holes or create VPN paths.
Secure Remote Access – Windows RDP, SSH, and Telnet sessions can be launched securely from any HTML5-compatible browser, without additional plug-ins or agent software. Besides superior reliability, the tunneled connectivity provides strong security because the passwords needed to establish remote sessions never need to be present in the user’s browser.
Application-to-Application Password Management – For application-to-application passwords, Password Manager Pro exposes a web API through which applications connect and interact over HTTPS. The application’s identity is verified by requiring it to present a valid SSL certificate whose details match those already recorded in Password Manager Pro (PMP) for that application.
Web GUI Input Validation – Special characters and HTML code are filtered during GUI input validation, and the application is guarded against common attacks such as SQL injection, cross-site scripting, buffer overflows, and others.
4. Access Control Measures
Password Manager Pro allows you to sort your users into different roles and then enforce a robust role-based access control mechanism, so that all data access is subject to this granular control. Password ownership and sharing practices are well defined, and users get access only to the passwords they are authorized for. For an extra layer of security, authorized users can also be required to go through a request-release workflow before being granted time-limited access to highly sensitive assets. In addition, as part of policy enforcement, Password Manager Pro can automatically randomize the passwords of sensitive IT resources periodically and assign unique passwords to assets that meet the complexity specified in the policy.
5. Audit, Accountability Control, and Real-Time Alerts
Strong detection capabilities in a password manager are becoming increasingly important. Besides a strong access control mechanism, organizations also need continuous monitoring. In particular, administrators must be able to check who accessed which resources, when, and exactly what those users did with their privileged access. Password Manager Pro provides real-time alerts and notifications on various password events, including modification, deletion, changes in share permissions, and more. The Audit module can also raise SNMP traps and/or Syslog messages to your management systems when various password actions and audit events occur.
Session Recording – Privileged sessions (Windows RDP, SSH, and Telnet) launched from Password Manager Pro can be recorded, archived, and played back to support forensic audits. There is also a session shadowing option to monitor sessions in real time and terminate connections in case of suspicious activity.
6. Availability Mechanisms
Uninterrupted access to IT resources is essential for any business to maintain day-to-day operations.
Password Manager Pro provides high availability for continued data access through redundant server and database instances. The primary and secondary servers can be installed geographically apart, even on different continents, as long as they have a direct TCP connection with latency low enough for database replication. Data replication itself also takes place over a secure, encrypted channel.
In addition, Password Manager Pro offers both offline and mobile access to data. Passwords can be exported for offline access as an AES-256-encrypted HTML file, and this export operation is also reflected in the audit trail to ensure accountability. For mobile access, Password Manager Pro provides native apps for the iOS and Android platforms. The mobile apps are as secure as the web installation and use the same AES-256 encryption.
7. Disaster Recovery
Disasters are not only inevitable but also unpredictable. The best that can be done is to have a good disaster recovery plan in place that ensures a quick return to normalcy after a disaster or data loss. Password Manager Pro provides both live backup and periodic backup of data through scheduled tasks. In case of data loss, users can quickly make a fresh install of the same version and restore the backed-up data to the database. The backed-up data is also encrypted and cannot be deciphered without the encryption key.
Emergency Access – For fire-call or break-glass purposes, one or a few administrators can be designated as super-administrators who will have unconditional access to all information in the system, including all passwords added to the system by other administrators.
8. Automatic Connections to Websites and Applications
To make login operations easier, Password Manager Pro offers browser extensions and a special bookmarklet. These are designed to ensure the highest level of security and privacy at all stages of data retrieval and transit. Content Security Policy (CSP) best practices are enforced to combat content injection attacks.
These eight points are proof enough that Password Manager Pro has been designed with every enterprise’s IT security in mind. Moreover, we have released a comprehensive Security Specifications document that gives an even more detailed description of how Password Manager Pro is secure by design. Here’s the link for you to read more about it.