GigaOm Radar for Enterprise Password Managementv1.01

1. Summary

It’s critical for enterprises to manage how their resources (data, accounts, corporate controlled assets) are accessed—whether resources are local or remote. The growth of software as a service (SaaS), the increase in the number of accounts per individual, and the prevalence of remote work have combined to create a password emergency for enterprises. Employees have dozens of personal and corporate accounts and more passwords than they could possibly hope to remember. So, they record them somewhere: a note stuck to the monitor or under the keyboard, or worse, on a network file share.

That’s the core problem that password management aims to address: how to keep password storage safe and secure while still providing easy access for employees.

The basic architecture of an enterprise password management system is reflected in Figure 1.

Figure 1. Basic Architecture of an Enterprise Password Management System

There’s one vendor in this Radar report who offers data center install (noted in the product write-up). All others are SaaS-only for the server side. We use the term “service” to apply to all password management solutions.

The process flow starts when a user logs in to a local application on mobile or desktop. That login validates the user to the password management service and handles all communications with the service. The user’s data, including credentials and secrets, is always encrypted at the client level and then exchanged with the service.

The way data is encrypted is a differentiator for some products, but all of them encrypt. And while the server stores sensitive information, it’s full of encrypted data, making it a much less appealing target to attackers. When the same user logs in to a different device, their data is replicated to that device client to keep all clients up to date.

The password management service stores enough information to validate access, but in most cases, actual login is handled on the client device and encrypted before being sent to the password management service. This process means the vendor cannot reset lost login credentials. It also means that the vendor datastore is protected by the encryption at the client level—the password management service stores and replicates only encrypted data. The same principles apply to the local solution, but in the data center instead of remotely.

In this Radar report, we look at how well enterprise password management products address the need to make password storage safe and easy.

As organizations move employees away from password-only access, the importance of two-factor authentication (2FA) and multifactor authentication (MFA) has grown. This is one area we delve into closely, assessing how password management tools help organizations move to these technologies and beyond to passwordless authentication.

While we rate password managers on their ability to support 2FA and MFA, there’s a valid argument that it’s no longer 2FA/MFA if all the information is stored in the password manager and available to whoever has access to the account. Please consider your organization’s stance on this topic when reading our evaluations.

Another area where password management can offer significant advantages is secrets management. Secrets, including passwords for systems use and secure sockets layer (SSL) certificates, had long existed in business IT systems. But the growth of the internet, combined with increasing use of access keys for application programming interface (API) usage—including infrastructure as a service (IaaS) and SaaS access—caused the number of secrets to increase exponentially. We see secrets management as integral to password management, and while traditional secrets management solutions exist, the technology is the same as that required for password management. As such, we don’t have a separate secrets management Radar.

We use the following terms throughout this document when discussing support for the platforms and browsers your employees will want or need password access from:

• Expected platforms: Windows, OS/X, Android, iOS
• Expected browsers: Chrome, Microsoft Edge, Microsoft IE, Chromium derivatives

If a product in this analysis supports more (or less) than these platforms and/or browsers, we will note that in the individual write-up.

This GigaOm Radar report highlights enterprise password management vendors and equips IT decision-makers with the information needed to select the best fit for their business and use case requirements. In the corresponding GigaOm report “Key Criteria for Evaluating Enterprise Password Management Solutions,” we describe in more detail the key features and metrics that are used to evaluate vendors in this market.