Reliable password management requires more than just a good tool.
Interview with our CTO/CISO Eugen Wiltowski (translated from German). By Volker Strecker.
While the use of a password manager is increasingly recommended for organisations, it cannot provide comprehensive password security on its own. A comprehensive strategy is needed that includes not only the software itself but also organisational structures and clear, reliable processes, so that sensitive data is handled responsibly. In today's interview, I would like to take a closer look at this topic and find out how ALPEIN Software SWISS AG, which has developed its own password manager PassSecurium, approaches this critical issue. I spoke to the company's CTO and CISO - Eugen Wiltowski.
Volker Strecker: Good afternoon, Mr Wiltowski. Thank you very much for taking the time for this interview. Today we are talking about the topic of secure password management in your company. Could you start by giving us an overview of how ALPEIN Software ensures that passwords are managed effectively and securely?
Eugen Wiltowski: Good afternoon, Mr Strecker. I am pleased to have the opportunity to talk to you about secure password management. At ALPEIN Software we have a clear strategy to ensure the security of our passwords. Firstly, we use a password manager with role and group permissions to ensure that only authorised employees have access to the accounts and resources assigned to them. The password manager we use, PassSecurium™, is our own product. It is constantly being developed based on the requirements of our product managers and security experts, as well as feedback from our customers.
Volker: That sounds like a sophisticated approach. Can you tell us more about the organisation of passwords and roles in your company?
Eugen: We have created our own organisational structure in which passwords are logically and understandably arranged by department or type and are only accessible to the groups of employees authorised to use them. Each employee group has a colleague with a manager role who organises the group or department and assigns permissions and roles for their area of responsibility.
Volker: How do you ensure that passwords comply with the required security guidelines?
Eugen: Each password storage area is defined with specific password security policies. The most critical of these is the Strong folder. This folder prevents the storage of weaker passwords. The criteria for the security levels can be set by the administrators themselves in PassSecurium™, which is extremely practical as security requirements are constantly growing with the increasing threat of cybercrime and advances in IT. In the past, a password with 8 characters was considered secure; today it should be at least 10 or even 12.
Volker: This is an important point. How do you make sure people use complex passwords?
Eugen: Our employees are trained to create new credentials exclusively with the integrated password generator. This way we ensure that the password complexity corresponds to the requirements of the respective storage folder. Thus, staff do not have to remember passwords, as most passwords are entered through the built-in copy & paste functions.
Volker: I see. Many companies use browser extensions for their password management. Do you use such extensions?
Eugen: No, we do not use browser extensions. Although they are convenient, browsers and JavaScript are frequent targets for hacker attacks. Hackers exploit zero-day gaps to manipulate browser extensions. Therefore, we recommend playing it safe. We advise our customers not to use browser extensions. Instead, we offer alternative methods to securely retrieve passwords, such as via our desktop app.
Volker: How do you control the sharing of passwords within the company and externally?
Eugen: We do not allow passwords to be shared outside the password manager, neither via our internal encrypted chat nor via other means, as this always leaves digital traces. In general, it is ideal to use passwords in such a way that they do not appear in plain text on the screen. Password assignment between employees is done exclusively via the rights assignment and sharing function, which is controlled by administrators or managers. External password sharing for our customers or partners is currently handled through our CloudSecurium™, where we can time-limit the sharing link and protect it with a separate temporary password. We are also considering a similar feature directly in PassSecurium™.
Volker: How do you ensure that access to the password manager from outside the company is protected?
Eugen: Access to our password manager is via VPN only. This ensures that no one can access it from the outside. We also strongly recommend that our customers use at least two-factor authentication (2FA) with our AccessSecurium™ app to further secure access to their own password vault. It would be even better to use multiple factors of authentication (known as MFA) at the same time, such as combining VPN with a one-time password (OTP), or using OTP in conjunction with Yubikey hardware sticks, which we actively use ourselves. Unfortunately, most customers are overwhelmed by this. Finding the right balance between security and convenience is always a challenge.
Volker: Thank you for these insights into the password management in ALPEIN Software. It is obvious that security is a top priority for your company.
Eugen: It was a pleasure to talk to you about our security measures. At ALPEIN Software, we understand the importance of robust password management and do everything we can to ensure the security of our data and resources.
I would like to thank Eugen Wiltowski for this insightful interview about secure password management in his company. The practices and policies presented can serve as a model for other companies that want to get a better and more secure grip on their password management. By combining a password manager, clear organisational structures and well thought-out security policies, companies can optimise the handling and storage of sensitive data such as passwords.
Sincerely yours, Volker Strecker.
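Two points from the interview lend themselves to a worked illustration: per-folder password policies that refuse weaker passwords (the "Strong" folder), and the practice of generating new credentials only with a policy-aware generator so that complexity always matches the target folder. The following is an added example written for this page; it is not PassSecurium™ code and does not come from ALPEIN Software. The folder names, the exact rule sets and the symbol alphabet are assumptions chosen for illustration, since the interview only says that administrators define the criteria and that 10 to 12 characters is the current floor.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FolderPolicy:
    """Password rules attached to one storage folder (constructed example)."""
    name: str
    min_length: int
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = False


SYMBOLS = "!@#$%^&*()-_=+[]{}:;,.?"

# Hypothetical folder policies. The interview states only that administrators
# set the criteria themselves and that 10 to 12 characters is the current floor;
# the concrete rules below are assumptions for illustration.
POLICIES: Dict[str, FolderPolicy] = {
    "Standard": FolderPolicy("Standard", min_length=10),
    "Strong": FolderPolicy("Strong", min_length=12, require_symbol=True),
}


def violations(password: str, policy: FolderPolicy) -> List[str]:
    """Return every rule of `policy` that `password` breaks (empty list = compliant)."""
    problems: List[str] = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if policy.require_lower and not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("no digit")
    if policy.require_symbol and not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    return problems


def can_store(password: str, folder: str) -> bool:
    """The check a vault runs before accepting a password into `folder`."""
    return not violations(password, POLICIES[folder])


def generate(policy: FolderPolicy, length: Optional[int] = None) -> str:
    """Generate a password that satisfies `policy` using the OS CSPRNG behind `secrets`.

    The alphabet is built from the character classes the policy demands (plus
    lowercase as a baseline). Candidates are drawn until one passes `violations`;
    this rejection sampling keeps accepted passwords uniformly distributed over
    the compliant set, unlike "insert one character of each class" schemes.
    A requested length below the policy minimum is clamped up to the minimum.
    """
    length = max(length or policy.min_length, policy.min_length)
    alphabet = string.ascii_lowercase
    if policy.require_upper:
        alphabet += string.ascii_uppercase
    if policy.require_digit:
        alphabet += string.digits
    if policy.require_symbol:
        alphabet += SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not violations(candidate, policy):
            return candidate


if __name__ == "__main__":
    for folder, policy in POLICIES.items():
        pw = generate(policy)
        print(f"{folder:8} generated={pw} accepted={can_store(pw, folder)}")
    # A hand-typed candidate that a "Strong" folder would refuse:
    print("Strong accepts 'hunter2hunter'?", can_store("hunter2hunter", "Strong"),
          violations("hunter2hunter", POLICIES["Strong"]))
```

The design mirrors the workflow described in the interview: the same `violations` function serves both as the storage gate (a folder refuses what it returns problems for) and as the acceptance test inside the generator, so a generated credential can never be rejected by the folder it was generated for. Reporting every broken rule at once, rather than failing on the first, is what lets an administrator see why a migrated or hand-entered password was refused.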