Should Your Password Manager Be in the Cloud or On Premises?I wish I could give you a simple answer to the question in the title of this article: Should a password manager be located in the Cloud or at your business’s physical location? The Cloud is one of the biggest—if not the biggest—buzzwords in the IT world currently, and for good reason. The Cloud holds a lot of promise for a lot of IT applications. Storing your data offsite in a flexible, scalable solution is attractive because of its ease-of-use, its accessibility from anywhere, and because it frees companies from maintaining rooms full of servers on their own sites. But with the many benefits of the Cloud come hefty security risks. When businesses use cloud services, they are literally turning their valuable data over to other businesses that have vastly different objectives.
In password management, as in almost every other corner of the IT world right now, managed service providers (MSPs) that use a password management solution to keep track of their employees’ credentials on all of their clients’ different systems are trying to decide whether or not it’s wise to store their passwords in the Cloud. Here are some of the questions they’re asking:
In a cloud-based password manager, who else has access to the data?
When your data is hosted in the Cloud, you can never truly be sure who has access to it and what they will do with it. In addition, you and your team might not be allowed direct access to the password data at all. You have to trust in the capabilities, competency, and intent of your cloud services provider, and some MSPs are wondering if that’s a leap of faith worth taking.
If a breach occurs of a cloud storage provider, will my systems also be breached?
Cloud storage breaches do happen. Look at what happened to LastPass a couple of years ago. Passwords are powerful instruments. If even one falls into the wrong hands, it could trigger a painful and costly recovery process for you and your clients. In the Cloud, those passwords are protected by providers over whom you don’t have full control. Are the right security measures in place to prevent a breach? Is the data encrypted properly?
Does cloud storage of passwords meet my compliance obligations?
For some organizations, like law enforcement for example, storing credentials in the Cloud is prohibited out of concern for data security. Make sure you understand your company’s and your clients’ compliance obligations before seeking out a cloud storage solution for password management.
Is on-premises storage of password information any safer than the cloud?
Some professionals believe that storing password information on-premises is “safe enough.” But, as we have discussed before in this blog, storing credentials anywhere without the proper system in place for controlling and auditing the data is risky. Employees can leave your company, taking password data with them. The people who installed the system on which password data is stored also have the capability of breaching or bypassing the system.
So, the question you should be asking is not, “Can I use a cloud password manager or should I store my password data on-premises?” Instead, ask, “How can I keep my company’s password-protected systems secure no matter where we store password data?” For that, we recommend a password management solution based on the concepts of access control, auditing, and change management. What does such a solution look like? We discuss it in-depth—including Cloud and on-premises options—in our 42-page e-book, “The Password Management Playbook.”
More Tech articles from Business 2 Community: