A few customers have asked about the pros and cons of a self-hosted password management solution, such as Bitwarden. Since I have a lot of experience with this topic, I thought I would share some of the key reasons to use a cloud-based password manager like Keeper, instead of a self-hosted password vault.
Pros of a Self-Hosted Solution
The only benefit of a self-hosted password management platform I can think of is an environment in which users work exclusively from desktop computers on an air-gapped network. This situation does not apply to the vast majority of individuals or businesses.
Cons of a Self-Hosted Solution
Management of Infrastructure
In a self-hosted solution, the customer is responsible for deploying the container, hosting it on a server, and handling load balancing, SSL certificates, routing and firewall configuration. The customer transitions from managing end users to managing an entire software platform. When things go wrong – and they will – the admin has sole and full responsibility.
Expertise will be needed in the following:
- Docker containers
- Docker Swarm for high availability
- Database server hosting, maintenance, upgrades and backup
- Load balancing
- Firewall/Web application firewall (WAF)
- Windows or Linux services administration
- Instance patching, backup and recovery
- Hardware administration – installation and ongoing maintenance of servers, network infrastructure (routers, switches), firewall/security appliances, storage arrays, and electrical systems.
- Facility maintenance – emergency power backup (generators, batteries), environmental controls, physical security and access control.
Keeper is deployed to a large cloud infrastructure in multiple geographic data centers, with a full-time dedicated team of DevOps personnel in the US who manage, secure and monitor the environment.
Deploying Custom Settings
In a self-hosted solution, every deployed app must be modified by the admin and each end user to include the custom URL endpoint settings. Users will find this challenging, and they must have network connectivity to the hosted endpoint. You can also push these settings through group policy and mobile device management (MDM), but this assumes you have full and complete control over all endpoint devices. Any device outside of your control must be manually configured by the admin or the user.
Keeper’s end-user applications do not require configuration – they work out of the box.
Lack of Critical Use Cases
There are several use cases which may not be available in an on-prem installation of a password vault service. For example:
- Real-time syncing and push updates require cloud infrastructure connectivity. The vendor may provide a cloud relay to solve this, but that defeats the point of self-hosting.
- Integration of single sign-on (SSO) with on-premise key management services, which is very complex.
- Integration with APIs requires network routing from development/production servers to the self-hosted endpoint.
Keeper provides real-time syncing and does not require any on-prem services to operate or integrate with SSO. All APIs communicate with the Keeper cloud directly, using zero-knowledge encryption. No internal network routing changes are required.
In order to allow end users to access the vault from remote systems or mobile devices, the hosted application must expose inbound network access to the target. This means the service will be publicly accessible, which allows bots and bad actors to attack it. As a result, you will be forced to purchase and deploy a third-party front-end WAF solution such as Cloudflare, AWS Shield, etc.
Keeper is a fully managed, zero-knowledge solution which is hosted in Amazon Web Services. Amazon Shield/WAF is deployed to control distributed denial of service (DDoS) and other bot attacks.
With a self-hosted solution, all on-prem software must be backed up, patched, taken down, and restarted on a continuous basis. A rapidly changing vault solution has many moving components and requires constant product updates across the various platforms – web, desktop, mobile, browser extensions, etc. The rapid pace of updates means frequent software patches for any on-prem product, and there is always the risk that a bad patch or a missed patch causes a serious issue.
Keeper’s software across all platforms is always up-to-date and patched with the latest security updates. No customer intervention is required.
Backup and Recovery
Databases, servers, configuration and containers must be backed up, and recovery must be tested and verified on a continuous basis. If an on-premise database instance is only backed up daily, any critical and confidential passwords created or changed during the 24-hour period since the last backup are at risk of being lost.
Keeper’s database infrastructure is multi-region and multi-zone. Backups of data can be restored to any point in time – up to the second – within 30 days. In addition, Keeper’s Record History feature provides full historical changes to every password or record stored in the platform from the beginning of time.
In a self-hosted solution, the administrator has full control over the software and storage. This also gives the administrator the ability to potentially take control of a user’s vault – even the vault of the administrator’s managers and C-level executives.
Taken a step further, if the Admin built the service from source code, they also have the ability to introduce bugs, vulnerabilities and privilege escalations. In most environments, management teams and executives must not allow an administrator to elevate their privilege and access the contents of user vaults.
Keeper is built using a Zero-Knowledge and Zero-Trust Security Architecture. Keeper can be easily configured to create delegated admin roles with limited permissions. Keeper Admins never have the ability to decrypt the vaults of users whom they do not manage.
Open Source Risks
Providing an open source community with the full front-end and back-end source code repository is noteworthy and has benefits with regard to transparency. However, there is limited security benefit for most businesses. If a pull request from a malicious actor is accepted into an open source project without adequate peer review, vulnerabilities can be introduced. Just because source code is public does not mean that security researchers are analyzing and testing it for security vulnerabilities. Vulnerabilities have been known to sit for years in many public source code projects.
Keeper contracts with industry-leading cybersecurity researchers to perform quarterly penetration tests against Keeper software targets, both internal and external – with full source code access. Keeper has also partnered with Bugcrowd to manage its vulnerability disclosure program (VDP). Read more at https://bugcrowd.com/keepersecurity.
Keeper’s APIs and software development kits (SDKs), such as Commander and Secrets Manager, are public source and available on our GitHub repository.
Audit Gaps from Employee Turnover
Inevitably, an administrator with control over this environment may leave the organization, potentially leaving behind an unmanaged, unmaintained or insecure system. In addition, if the administrator is terminated or leaves on bad terms, there would be no audit trail of any malicious behavior (such as taking copies of user vaults, introducing vulnerabilities or destroying data).
Keeper has an Advanced Reporting & Alerts Module which contains an audit trail of all user activity. Keeper Admins never have direct access to their end users’ vault data.
If you have any questions, feel free to email us at: firstname.lastname@example.org.