In recent months, password management tools have been in the news thanks to a security breach at LastPass. Because LastPass is one of the more popular tools for individual use, there’s naturally a bit of hand-wringing in the industry regarding their security. LastPass, like many of its competitors, offers a cloud synchronization option for the sake of convenience. This makes it easy for a user to move between devices while retaining access to their username, password, and other secure account information. The LastPass breach is tempered somewhat by the fact that no password data was accessed or stolen, even in encrypted form. Their safeguards seem to have worked — for now.
LastPass is primarily a tool aimed at end users, but how many use it for work-related purposes too? It shouldn’t surprise IT professionals to find users co-mingling passwords for personal and professional services. Password managers with security problems could easily mean spillover problems for IT service providers in organizations. There may be some service management considerations for IT professionals to consider.
Password resets will be a thing
Every time an organization of any sort has a security breach, there’s a natural flurry of password resets and requests for password assistance. Most organizations that get breached force resets on their customers as a way to mitigate further compromises. This is necessary and proper, to be sure, but what happens if the organization isn’t ready to handle mass password resets? What if it does not have adequate self-service capabilities? What if the organization’s service desk is understaffed or under equipped to handle the sudden influx?
If it hasn’t happened already, a highly-publicized security breach ought to be a good reminder to review the support options made available to your customers and their end users. Your self-service tools should be ready, easy to use, and accessible. If these are an afterthought for your organization, your response to any sort of security breach is crippled before it even begins.
Cost to your organization for disruption of users’ access
What happens when your users make use of password management tools, but it’s those tools that get hacked instead of your systems? Could those customers’ information or access on your systems still be at risk? How can you tell and what can you do about it?
Most IT organizations cannot monitor for every security breach from every other company and organization on the Internet. However, you can use incidents like the LastPass breach to remind users of the need to remain on top of their personal data security and that no system is tamper-proof. Changing passwords regularly, even when using a password manager, is a good idea. Two factor authentication might be even more effective, if perhaps more cumbersome.
Should organizations consider providing password management to their users?
If you are an IT service provider and concerned about security, it’s a good bet that the integrity of third-party password management tools is something you monitor. The security of these tools has impacts on the security of your own services. Users with compromised accounts on these third-party services represent an additional support burden on your organization.
So, should you offer your own password management tools as a way to encourage security without relying on a third party? Although this discussion has focused on password management tools that synchronize to a cloud based service owned the tool’s creator, there are other methods to store and synchronize password databases. Many users work with open source and/or freeware apps like KeyPass, synchronized over third-party file storage services like Dropbox, Google Drive, and Microsoft OneDrive. If your organization offers its own internal share drives, these would work as well. But the cost of training customers and encouraging use might be steep, and integration with existing services might be mediocre.
Password managers represent both the best and worst of IT security. They are a fantastic way to help users get out of the habit of using the same password over and over, making it easy to select complex passwords without the added stress of remembering them. However, if the service’s security is compromised, possibly all of that effort is for naught. For ITSM professionals, the question is if these third-party tools should encourage you to look at your own security and self-service options. The answer, of course, is yes.