Monitor all the vaults - 20 Tips when upgrading your enterprise password manager
Are you thinking about upgrading your enterprise password manager? Focus beyond the tactical A-to-B product swap, and consider these 20 tips to increase your odds of a successful migration, strengthen relationships across teams, and boost your visibility, detection & response capabilities.
1. Plan – for this project to be a phased effort.
2. Anticipate – a few bumps along the way.
3. Recruit – some champions who will help you gain initial traction.
4. Purge – unused accounts, don’t keep what you don’t need.
5. Change – don’t just migrate. Make them unique.
6. Strengthen – the ’90s called, and they want their 8-character passwords back.
7. Enable – strong MFA, now is the perfect time.
8. Hardware Tokens – Still thinking about it? Start a pilot now.
9. Consolidate – all those assorted OTP code generators you have floating around.
10. Enroll – in breach dump monitoring.
11. Think Twice – about who’s watching the fort.
12. Rehearse – because slow is smooth, and smooth is fast.
13. Chat – with your high-privilege users about where they’re storing other secrets.
14. Collect – critical activity logs on your company’s usage and management of credentials.
15. Baseline – what regular credential access and management activity looks like.
16. Monitor – to identify subtle aberrations, like account takeovers.
17. Optimize – strengthen relationships and containment contacts across the business.
18. Operationalize – a rhythm for continuous improvement and adoption.
19. Pace yourself – it’s a journey and not a sprint.
20. Ask – Don’t be afraid to ask for help.
#1 Plan – for this project to be a phased effort.
Set a directional destination and scope the project into small, iterative phases, allowing you to prioritize adoption groups with granularity.
A pilot group of 5-10 is a great place to start, followed by prioritized groups. There’s no one-size-fits-all way to approach this, so don’t overthink it. Consider starting with user risk profiles, privilege levels, geographical locations, and departments. The key is to iterate, learn from feedback, adjust, and proceed. Don’t try to crush this in one huge leap.
#2 Anticipate – a few bumps along the way.
You should anticipate a few bumps along the way, at least initially. Here’s why. Unlike many security controls that aim to be as invisible to users as possible, enterprise-class password managers are the exact opposite. They’re a part of our lives from the moment we wake up and log in every morning. They’ve become as personal and private to us as our cell phones, physical wallet or purse, and your migration project is about to introduce change right there. This is not a project you’ll get a second chance to do well. Get it wrong, and you (or your service desk) could be on the receiving end of human emotions, salty opinions, and justifiable dissatisfaction. Instead, make a good first impression by anticipating and avoiding some common pitfalls.
On the flip side of this opportunity is the joy people will soon experience when they realize how much time they save. Rarely do “more secure”, “easier to use”, and “save time” all land in the same sentence. Frictionless MFA and password management can be a huge productivity boost for certain teams, and because these solutions are here to stay, your team can be the one to help them get there. Just remember you’re not rolling out a new piece of tech, you’re making a change to people’s daily workflows and how they access the very things they need to thrive and be successful. Anticipate this, plan for it, and you’ll be on a good path.
#3 Recruit – some champions who will help you gain initial traction.
Begin with a very small pilot cohort of users who will become your champions in later phases. Department managers and supervisors are excellent champions. Listen and learn about their concerns early, then address them quickly. They know their lanes of the business far better than anyone. Get some firm wins under your belt with just a few of these leaders early and iterate from there. When their teams eventually migrate, they’ll be better positioned to help you succeed.
#4 Purge – unused accounts, don’t keep what you don’t need.
A migration is the best time to purge old and unused credentials. Recently I went from 780+ to under 400, nearly a 50% reduction, and I consider myself conscious and proactive. While this type of review is manual and time-consuming, the benefits of purging far outweigh the risk of having creds lying around. This is also why I am not a huge fan of hasty bulk export/import-only migrations. It can rob you of your opportunity to clean house.
#5 Change – don’t just migrate. Make them unique.
This is by far the most important step. Change your passwords when you migrate. Don’t bring yesterday’s baggage. This is also another place to reconsider whether bulk export/import is right for you. I’m not saying it’s a bad option, just give it some thought before reaching for that easy button. Bulk export/import might make sense in very limited scenarios, like when a hard deadline forces a rapid transition, or in cases where every user already has impeccable password management hygiene… <crickets chirping>. While bulk export/import is generally supported by all vendors to ensure a swift cutover to their product from a competitor, don’t forget the most important step: change all the passwords.
#6 Strengthen – the ’90s called, and they want their 8-character passwords back.
While you’re at it, let the password manager strengthen your passwords for you, so each one is guaranteed to be unique, long, complex, and free of human biases, influences, or bad habits. No more anxiety or cognitive horsepower spent worrying over what to choose. The password manager will do all the heavy lifting here. It’s a beautiful thing, letting go of the burden of trying to remember everything. Less really is more, and so is only needing to remember one password <insert cymbal crash>.
#7 Enable Strong MFA
While technically speaking this step has nothing to do with migrating from one manager to another, it’s absolutely a great time to adopt strong Multi-Factor Authentication (MFA) options. Users will typically need to visit the resource to change their password when migrating credentials, so have them review the available MFA options while they’re at it and configure stronger, more modern choices. Why does this matter? Because most companies have a workforce with several hundred third-party logins that are NOT behind SSO or your central identity provider. The point is to make it easy for them to do the right thing with all of the hundreds of credentials in their orbit, especially those that fall outside of company controls. Their password manager is the perfect place to manage all of them.
#8 Hardware tokens. Start a pilot now.
Thinking about rolling out hardware tokens like YubiKeys? Now is a perfect time. I prefer timing these efforts together for a couple of reasons.
Users can put their password manager to dual-use, so it helps them keep track of the hardware keys they possess and all the places where they’ve configured them as an authentication factor. One simple approach is to use tags in your password manager. That way, should a user ever need to replace a key, they can quickly filter by tag, identify the right accounts, de-provision the old key, and re-provision the new key everywhere, often within minutes.
#9 Consolidate OTP code generators
The unmanageable sprawl and shortcomings of the popular authenticator apps used to manage our time-based one-time password (TOTP) codes have gotten out of control. Consider the employee who separates from the organization and will likely retain these TOTP codes on their personal devices, all co-mingled right alongside personal account codes. Modern password managers can consolidate and centralize this functionality for you, securely synchronizing OTP codes to all other user devices and integrating them into the browser login session for a truly frictionless MFA login experience. They can do all of this and still account for a future change in affiliation should the employer and employee part ways. It’s an ideal balance between personal privacy, security, and work boundaries.
#10 Enroll in breach dump monitoring
For individual personal accounts, consider enrolling in Have I Been Pwned. This amazing service by Troy Hunt collects information on breaches involving password dumps and can notify you if your account ever shows up in one. Businesses desiring to centrally monitor breach dump notifications, who have an entire workforce, multiple top-level domains, or 3rd party staffing arrangements should look no further than 1Password Business for this.
If an account matching known usernames or verified company TLDs is ever discovered in a breach dump, it will warn you so that swift remediation actions can be taken.
#11 Think twice – about who’s watching the fort
Don’t assume your MSSP, 3rd party SOC, or MDR provider will warn you if things go sideways. Most managed services firms escalate response guidance against commonly known threats, usually found in your EDR, NDR, SIEM, or cloud telemetry. Very few will warn you if user accounts have been detected in public breach dumps. Even fewer, if any, ingest and correlate telemetry from your enterprise-class password management platform and infrastructure secrets managers. This is because few firms have the intimate familiarity with your workforce or application architectures needed to know what abnormal vault administration behavior and user access patterns would even look like. Threat actor activity might present itself as a needle hiding in a stack of needles. You should identify owners for monitoring who can get to know your business well and can work closely with your internal teams.
#12 Rehearse – because slow is smooth, and smooth is fast.
It’s not a comforting topic to think about: a threat actor breaching your password vaults and obtaining their contents. Depending on what you store there, some of it cannot be changed easily. Driver license numbers, addresses, birthdays, other key pieces of PII, certain production system credentials or API secrets, etc. are not easily changed on a whim. For everything else, we recommend rehearsing the mass changing of passwords. This is about building organizational processes and muscle memory. Maybe you remember fire drills or tornado drills at school? It’s the same thing. The more an organization rehearses a response process, the faster they get as a team. In the military, the saying is “Slow is Smooth, and Smooth is Fast”. Rehearsal drills will be slow the first time, but continued rehearsal will flush out the bumps, fears, and nervousness until it becomes smooth and second nature. Smooth begins to build confidence and competence. Eventually smooth becomes fast.
When a breach of your shared vaults occurs, you will need your workforce to be fast, focused, and coordinated when asked to change the hundreds of credentials that fall outside of your organizational control.
Modern enterprise-class password managers make it easy for users to walk their list of credentials rapidly, prioritize them, and change passwords quickly. The other obvious benefit to rehearsing changes often is that you’re nullifying any previous passwords that may have been stolen without your knowledge. You have a solution now that makes it blazing fast, so when in doubt, change ’em and change ’em often.
#13 Have a chat that goes beyond passwords
You're going to need to have a casual chat with your developer gurus, architect sherpas, DevOps engineer wizards, sysadmin heroes, security ninjas, and any other high-privilege users. Ask them about where they’re storing and how they’re accessing other forms of credentials. Beyond basic username/password creds, mature password managers help you to securely generate, manage, and access things like SSH keys, API keys, and other infrastructure secrets programmatically and at scale for various technical workflows. For example, using 1Password CLI, you can:
Use shell-plugins to authenticate any 3rd party CLI with your fingerprint securely,
create and retrieve items directly from encrypted vaults via CLI, and then
push them into environment variables,
safely reference them in configuration files, or anywhere else, and
finally eliminate plain-text secrets in code or configs, while still being able to
keep them synced across devices, systems, and platforms,
among many other cool things.
Begin talking to these teams about all forms of secrets management. Find out how accessing them is currently audited and monitored. How would unauthorized access, either at rest or at runtime, be observed, and by whom? How fast could the organization remediate? These teams will often know, or at least have a good idea, where all the clear text creds and API secrets are buried but potentially vulnerable. Talk through these scenarios and listen to their concerns. Work together to establish a plan to prioritize and shore up any visibility gaps and migrate sensitive creds into vaults before someone else (paid or unpaid) finds them for you.
#14 Collect Activity Logs
Without having access to the actual contents of a vault or sensitive field-level data, you can safely collect activity logs pertaining to the usage and administration activities of your password management platform and forward these events to your SIEM or downstream monitoring platform of choice. This will allow you to define your own retention schedule, design custom detection and alerting logic, and supplement other data sources and use cases. Below are a few categories of activity logs that 1Password Business produces.
Vault Administration; including creating/deleting, adding/removing vaults, etc.
Vault items; creation, editing, archiving, deleting, sharing, etc.
Users and their access; creating, adding/removing access to vaults, etc.
Invitations; to other users and temporary guests to a vault or object.
Groups; creating/deleting, adding/removing members, changing roles, etc.
Integrations; creating/deleting, adding/removing tokens, service accounts accessing items.
File Uploads; creating/adding documents in a vault for storage.
Email Changes; beginning and completing email changes for users.
Devices; authorizing and removing devices used to access vaults and their contents.
Billing; and other related account management functions.
You should reconsider any password management solution that doesn’t have robust audit and logging functionality, or that doesn’t offer native integrations to downstream tools like Splunk, Elastic, or your SIEM of choice, as well as a mature events API for your other integration use cases. You must collect this data today because doing so is critical to meeting your compliance, security operations, threat management, and audit requirements.
#15 Baseline – what regular credential access and management activity looks like.
As adoption grows and vault administrators in your organization begin to create and share vaults across their various teams, you can begin collecting a baseline of what normal interaction looks like across the company. What does regular user activity by department or group of users look like, during what times, and from what geolocations, source IP addresses, and registered devices? What does vault owner and administrator activity look like?
Now shift focus to the abnormal: consider what a targeted attack scenario might look like against a DevOps engineer with access to private vaults containing critical API credentials or infrastructure secrets vital to your company’s products or services. What about a top-level Vault Administrator who poses an insider threat risk? How would that present itself in the data? How quickly will you know? How fast can you contain it? None of these things can happen if you don’t start with visibility, rich data, and a baseline understanding of normal.
#16 Monitor – to identify subtle aberrations, like account takeovers.
Monitoring brings us to the core message of this entire article. You must continuously monitor all the vaults. Enterprise password managers are here to stay, and their adoption is increasing. We also know threat actors will increase their targeting of these solutions (and the companies that make them) as long as adoption increases and their contents hold increasing value. To my fellow defenders, as if you didn’t have enough on your plate already, what with needing to monitor your logs, networks, endpoints, cloud infrastructure, SaaS, identity providers, and valuable data, you must also monitor all the vaults and you need to be doing it now.
Multiple recent attacks on password management platforms and companies have demonstrated that you must continuously monitor not only the vaults where credentials and secrets are stored, accessed, backed up, etc., but also the management applications used to administer them, the individual interactions by all the consumers (inclusive of applications, users, and vault admins), and all systems and devices from which those consumers originate their interactions.
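One way to turn the activity logs of #14 into the baseline of #15 and the aberration checks of #16, as an added example that is not the page’s or 1Password’s own code: the event lines, their field names, and the action names are constructed for illustration and are not the 1Password Events API schema. It builds a per-user picture of normal (countries, devices, hours, whether the user ever administers vaults, peak read rate) and flags new geography, new devices, off-hours activity, a first vault-admin action, and read bursts that could indicate a vault being dumped.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample events (assumed field names, not the 1Password Events API schema), one JSON object per line.
BASELINE_LOG = """
{"ts":"2024-03-04T09:12:00Z","user":"dana","action":"item.read","vault":"Infra-Prod","country":"US","device":"d1"}
{"ts":"2024-03-05T14:05:00Z","user":"dana","action":"item.edit","vault":"Infra-Prod","country":"US","device":"d1"}
{"ts":"2024-03-05T11:30:00Z","user":"sam","action":"item.read","vault":"Marketing","country":"GB","device":"d7"}
{"ts":"2024-03-06T16:15:00Z","user":"sam","action":"item.read","vault":"Marketing","country":"GB","device":"d7"}
""".strip().splitlines()
NEW_LOG = """
{"ts":"2024-03-11T03:02:00Z","user":"dana","action":"item.read","vault":"Infra-Prod","country":"RO","device":"d42"}
{"ts":"2024-03-11T03:02:08Z","user":"dana","action":"item.read","vault":"Infra-Prod","country":"RO","device":"d42"}
{"ts":"2024-03-11T03:02:17Z","user":"dana","action":"item.read","vault":"Infra-Prod","country":"RO","device":"d42"}
{"ts":"2024-03-11T11:45:00Z","user":"sam","action":"user.remove","vault":"Marketing","country":"GB","device":"d7"}
""".strip().splitlines()
ADMIN_PREFIXES = ("vault.", "user.", "group.")  # assumed naming for vault-administration actions

def parse(lines):
    """JSON lines -> event dicts; ts becomes an aware datetime."""
    return [dict(e, ts=datetime.fromisoformat(e["ts"].replace("Z", "+00:00")))
            for e in map(json.loads, lines)]

def peak_reads(user, events, window_s=600):
    """Most item.read events by `user` inside any sliding window of window_s seconds."""
    stamps = sorted(e["ts"] for e in events if e["user"] == user and e["action"] == "item.read")
    peak = lo = 0
    for hi, t in enumerate(stamps):
        while (t - stamps[lo]).total_seconds() > window_s:
            lo += 1
        peak = max(peak, hi - lo + 1)
    return peak

def build_baseline(events):
    """Per user: countries, devices and hours of day seen, any admin actions, and read-burst peak."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set(), "admin": False})
    for e in events:
        b = base[e["user"]]
        b["countries"].add(e["country"]); b["devices"].add(e["device"]); b["hours"].add(e["ts"].hour)
        b["admin"] |= e["action"].startswith(ADMIN_PREFIXES)
    for user in base:
        base[user]["peak_reads"] = peak_reads(user, events)
    return dict(base)

def detect(baseline, events, burst_factor=2):
    """Sorted, de-duplicated (user, reason) findings for activity that deviates from the baseline."""
    findings = set()
    for e in events:
        u, b = e["user"], baseline.get(e["user"])
        if b is None:
            findings.add((u, "no baseline for user")); continue
        if e["country"] not in b["countries"]: findings.add((u, "new country " + e["country"]))
        if e["device"] not in b["devices"]: findings.add((u, "new device " + e["device"]))
        if e["ts"].hour not in b["hours"]: findings.add((u, "off-hours activity %02d:00Z" % e["ts"].hour))
        if e["action"].startswith(ADMIN_PREFIXES) and not b["admin"]: findings.add((u, "first admin action " + e["action"]))
    for u, b in baseline.items():  # a read burst far above the user's own peak suggests a vault dump
        if peak_reads(u, events) > burst_factor * max(b["peak_reads"], 1):
            findings.add((u, "burst of item reads (possible vault dump)"))
    return sorted(findings)
```

Run `detect(build_baseline(parse(BASELINE_LOG)), parse(NEW_LOG))` to see the findings for the constructed week; in practice the baseline window should cover weeks of real SIEM data and the thresholds be tuned per team.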
#17 Optimize – strengthen relationships and containment contacts across the business.
The challenge will always be reliably detecting a compromise fast enough to mitigate the subsequent impact. Your organization must be prepared to decide quickly on executing containment actions. Don’t wait until an incident to start building relationships. Now is the time to optimize your escalation processes with the right individuals who have the authority to authorize emergency changes, account containment, or cycling the secrets on critical infrastructure applications. It doesn’t have to be formal, but start your conversations today over lunch, coffee, or beers. Discuss these scenarios before they happen, and ask how these changes might impact their decision-making and response processes. Ask them what help they need to be successfully enabled and ready for such an event. Then after you’ve helped them become enabled, shift your discussions to the topic of rehearsal. Find an agreeable initial cadence, and start changing those creds and rotating secrets. With confidence, you can increase frequency. Smooth will become Fast. Optimizing team relationships is a must.
#18 Operationalize – a rhythm for continuous improvement and adoption.
Operationalize a rhythm for continuous improvement. A solid password management program will be comprehensive, flexible, and grow with you over time as needs change. Continuous improvement to your program could involve several new areas:
Operationalizing the above tips into repeatable processes across more teams.
Extending free family memberships to all employees to use at home.
Broadening adoption to other business units, subsidiaries, or geographies.
Post-incident remediation and transformation projects.
#19 Pace yourself, it’s a journey, not a sprint.
Chances are you’re either green-fielding a new solution or migrating users from an assortment of multiple legacy password managers. Give yourself time and a truckload of patience. As we’ve outlined above, you have many moving pieces and opportunities to find success and bring value during this effort. The key is to pace yourself.
#20 Ask – don’t be afraid to ask for help.
There’s a lot of ground to cover after an initial product trial period ends and before you call the transition done (if there ever is such a place). Don’t just view this as an A-to-B product swap. You have an amazing opportunity to establish a series of entirely new capabilities that securely enable multiple teams and enhance your visibility, detection, and response functions in profound ways that will yield far more value to you and the organization over time. Don’t be afraid to ask for help in planning, stepping through the project implementation, and optimizing your investment well into the future.
Reach out today
We hope these tips have been helpful. If you'd like to try 1Password Business for free for 14 days, or learn more about how our consulting and managed services subscriptions can help your team accomplish the goals above, please reach out.
Treyis Advisors LLC is an independent practitioner-led cybersecurity consultancy helping cybersecurity defenders tackle tough visibility challenges in their programs. We are proud to be a 1Password Partner, and offer several consulting and managed services options to help you achieve success with their solutions.
All for now,