An IT challenge as old as Software as a Service (SaaS) exists in every corner of the organization — whether to have a single technology vendor or multiple solutions. In some organizations, this is the case for password managers.
And since software features vary, there are compelling reasons that lead an organization to have a single solution or more than one.
In this blog, we’ll take a look at why password managers should be implemented with an enterprise-wide approach, and how IT teams can enable their organizations to unify the protection of passwords into one platform.
Single Solution vs. Multiple Solutions
One single, uniform password management solution may check the most boxes for functionality needs across an organization or satisfy the loudest voice in the room. However, if the solution isn’t comprehensive, it may leave some groups wanting for critical functionality.
So why not use multiple vendors? That can certainly satisfy individual departments and teams. However, making all parties happy comes at an extra expense — and inconsistencies in process, control and reporting.
The single vs. multiple solutions debate may hold weight for some software, like word processing solutions. But password managers, like the identity and access management (IAM) policies they enforce, are enterprise-scale.
One password management solution should cover every user, application and device.
Why Organizations Have Multiple Solutions in Place
First, let’s examine some common reasons why organizations use multiple password managers – and why this reasoning doesn’t hold up to scrutiny.
Loud Voices & Lack of Buy-In
Lack of buy-in from senior management or organizational culture, combined with loud voices drowning out the concerns of IT and security personnel, can result in IT lacking the authority to drive important decisions. This includes establishing uniformity in password management and other critical software.
In other words, if Bob in Finance loves Password Manager A, but Suzy in Marketing is committed to Password Manager B, and the C-suite has adopted a laissez-faire attitude towards software usage, IT doesn’t have a leg to stand on. Bob and Suzy will both be allowed to keep using the software they like – and hey, maybe someone else in Sales prefers yet another password manager, and they’re allowed to keep using that one, too.
It’s not hard to imagine how quickly “Use whatever gets the job done” can spiral out of control – particularly since the average organization uses over 100 SaaS apps as it is.
End Users’ Love of Legacy Solutions
This is often related to the issues of loud voices and lack of buy-in.
Before enterprise password management became a priority, individual departments or business units may have independently adopted different solutions to manage their passwords. Even worse, some of these solutions may be highly insecure, including password managers built into browsers, spreadsheets and even sticky notes.
Humans are naturally resistant to change. When a team has been using a particular solution for years, the prospect of switching to another tool may seem daunting. However, the long-term benefits of having a single solution are hard to ignore — from stronger security and efficient compliance reporting to better allocation of IT resources and seamless employee collaboration.
Concerns About Vendor Lock-in and Security Vulnerabilities
In some cases, organizations prefer to use multiple solutions out of fear of vendor lock-in. They’re afraid that if they use only one solution, it will be nearly impossible to switch, and they’ll be married to that vendor forever. However, so long as a chosen vendor allows easy export of passwords, lock-in isn’t an issue.
Additionally, some businesses and even IT leaders may fear the security implications of using just one password manager — particularly in light of recent breaches. In some cases, an organization may keep its credentials in one solution and its backup codes, security question answers and so on in a different solution.
Their logic is that if one password manager is breached, then the organization will at least have the protection of another password manager. However, the coexistence of multiple password managers in an organization doesn’t necessarily offer more protection – and in fact, it arguably degrades security.
Every SaaS program an organization adds to its data environment is yet one more potential endpoint for a threat actor to exploit. The more password managers end users have to fiddle with, the more likely it is that someone, somewhere along the line, will make a mistake.
Organizations are as vulnerable as their unprotected endpoints. In combination with the security architecture of the particular solution and the IT team’s ability to enforce strong policies, employee adoption of a single password manager is a far stronger guarantor of enterprise security.
The Security Benefits of a Single Password Manager
Even when putting aside considerations of the underlying security of individual solutions, which should be a priority in any IT procurement process, there are still a number of reasons why using a single password management solution across the enterprise is far superior to cobbling together multiple solutions.
IT Visibility and Control
According to Verizon’s 2022 Data Breach Investigations Report, 82% of attacks involve the human element — stolen or weak passwords, secrets and credentials. In modern digital organizations, every end-user needs to access software – which means everyone needs to use passwords. Therefore, identity and access management must be holistic and uniform across the enterprise.
A single password management solution unifies visibility and allows IT teams to audit passwords from one platform.
Multiple solutions fragment monitoring across different features and platforms, which are sometimes incompatible with each other. Compatibility between systems, or lack thereof, makes it difficult for IT to reconcile data from different password managers and assess risk holistically.
Employee Security Hygiene
Just as having multiple password managers fragments IT teams’ top-down visibility, it also undercuts the mission of IT to protect the organization by ensuring employee adherence to password policies.
Without one standard for password management that IT can reinforce, often with the aid of human resources (HR), the organization risks password-related cyberattacks and possibly falling out of compliance with HIPAA, GDPR and other industry and regulatory standards.
A single password management solution centralizes control of password habits and behavior, enabling IT administrators to ensure that all employees are using strong, unique passwords for every account; enabling Multi-Factor Authentication (MFA) wherever it’s supported and abiding by other security policies.
Compliance and Reporting
The ability to efficiently audit and control access to credentials and sensitive information is critical to maintaining compliance and preventing breaches. A single solution streamlines compliance with regulations like HIPAA, FedRAMP, StateRAMP, ISO 27001, PCI DSS, GDPR and Sarbanes-Oxley (SOX), all of which require access control reporting.
Multiple solutions require audit and finance teams to reconcile different methods of storing and reporting data. With regulatory compliance costs increasing, as well as remote work adding complexity to compliance and expanding organizations’ attack surfaces, an efficient audit process is more important than ever.
Forensics From a Single Point of View
If a security incident occurs, forensic analysts need to re-create event timelines to understand how the bad actor attacked the organization. Compromised lower-level accounts, such as social media accounts, often provide an entry point for cybercriminals to escalate privileges once they’ve gotten inside.
Similar to the streamlined process for IT control and compliance audits, a single password management solution centralizes event timelines and removes siloed standards for reporting.
The Business Benefits of Using One Enterprise Password Manager
In addition to security considerations, there are a wealth of business benefits to paring down to just one password manager. A single solution also offers a far more cost-effective, supportable and responsive option for protecting passwords and sensitive information.
Cost Savings of a Single Solution
In all likelihood, it is more cost-effective for a company to purchase software through one provider rather than multiple. And given that the typical IT budget will decrease in real terms in 2023, CFOs and IT leaders can look to password managers — among other software — to consolidate functionality and control spending.
Better Ability to Support End-Users
A password manager should reduce the number of password-related tickets that come across the IT service desk, but inevitably, some employees will still need assistance. With just one password manager, and one set of features for system administrators to master, an IT team can devote more time to internal projects that drive the business.
Similar to streamlining internal support for just one tool, having just a single solution provides a single external point of contact to support employee adoption of a password manager. When onboarding new users to a solution, having a single point of contact with the vendor can help coordinate the rollout across an organization.
How to Drive an Enterprise Initiative for Password Management
Because of cost, usability and security, organizations would be better served with a single password manager rather than multiple disparate and incompatible solutions.
Some employees may dig in their heels just at the suggestion that they transition to a single password manager. However, an enterprise strategy for password management – backed up by a single tool – promises greater efficiency, collaboration and security.
With a majority of cyberattacks resulting from stolen, weak and reused passwords, credentials and secrets, organizational security warrants enterprise protection. IT and compliance departments need a single solution to grant ready visibility and control over their critical systems and data.
Ready to unify password management in your organization? Talk to one of our cybersecurity experts about a coordinated rollout of Keeper Password Manager today.