GigaOm Radar for Enterprise Password Managementv2.01

1. Summary

Every organization has employees who are buried in username and password combinations, both business and personal. Humans are not good at remembering long and complex passwords, and this leads to poor practices that include reusing passwords, writing them down, or saving them in browsers. These practices present a significant risk to the security of an organization.

Cybercriminals are aware of these unsafely stored passwords and know that compromising a user’s credentials can give them access to key systems and sensitive data. This means these usernames and passwords are a priority target, making it essential that organizations find ways to tackle the complexity of user access and improve password security.

Enterprise password management can be an answer to that challenge. Password managers provide a centralized platform usually built around a secure vault that is accessed through a master password logon. Password managers can greatly simplify the user’s password experience by automating many of the complex tasks related to user access, including password creation, enforcement of password policies, automated credential completion, and secure password sharing, all of which help to reduce logon friction, improve user efficiency, and reduce the complexity that leads to poor password practices and heightened risk. Some solutions go further, integrating password management into a broader identity management platform and allowing it to deliver capabilities such as single sign-on (SSO) and identity lifecycle management.

Password and credential management is not limited to user access. Organizations often need to provide secure credentials to non-software systems or as part of their software development process. Often, this access is not provided through username and password but via certificates and cryptographic keys, generally called secrets, the management of which is complex. However, vendors are now adding secrets management to their solutions, helping to reduce its complexity through automation of practices such as credential injection into code and key rotation.

Passwords, however, are not a viable long-term approach to system access, and organizations must find a way to move toward a passwordless future that replaces traditional credentials with different authentication factors and biometrics to control access. Password managers can help bridge this gap by introducing passwordless access to their platforms and using it to obfuscate passwords and other credentials when users access enterprise systems, initiating the shift toward passwordless operations, even for platforms that as yet do not support such access.

At the same time, after recent breaches involving password management vendors, organizations are likely questioning the security of password managers. This is a wake-up call to the industry. But while the security of these solutions is a serious consideration, the risks presented by poor password management are too numerous and significant to ignore. At present, password managers are still the best way to address the risk of compromised credentials.

This GigaOm Radar report highlights key enterprise password management vendors and equips IT decision-makers with the information needed to select the best fit for their business and use case requirements. In the corresponding GigaOm report “Key Criteria for Evaluating Enterprise Password Management Solutions,” we describe in more detail the key features and metrics that are used to evaluate vendors in this market.

2. Market Categories and Deployment Types

To better understand the market and vendor positioning (Table 1), we assess how well password management solutions are positioned to serve specific market segments and deployment models.

For this report, we recognize the following market segments:

• Small-to-medium business (SMB): In this category, we assess solutions on their ability to meet the needs of organizations ranging from small businesses to medium-sized companies. Here, ease of use and deployment are more important than extensive management functionality and feature set. This category may also include cases in which vendors have specific commercial offerings for this sector.
• Large enterprise: Here, offerings are assessed on their ability to support large and business-critical projects. Optimal solutions in this category have a strong focus on flexibility, performance, scalability, and the ability to effectively integrate into existing environments. This category may also include cases in which vendors have specific commercial offerings for this sector.
• Managed service provider (MSP): Increasingly, organizations across all disciplines of IT are looking to consume managed services to augment in-house capabilities. Here, we assess solutions based on how effective they are in supporting, both technically and commercially, either managed service providers or those offering their own managed services. This category may also include vendors with specific commercial offerings for this sector.

In addition, we recognize two deployment models for solutions in this report:

• SaaS: These solutions are available only in the cloud. Designed, deployed, and managed by the service provider, they are available only from that specific provider. While we recognize all solutions may have on-premises elements with local vault copies, this category is defined by vendors whose primary management console and vault is stored within the service.
• On-premises: These solutions operate in the same or similar manner as their SaaS equivalents. However, their central vault will be housed within a customer’s own environment. This may include vendors who offer both SaaS and self-hosted vault options. These solutions are not shared and are specific to a single customer.

Table 1. Vendor Positioning: Market Segment and Deployment Model

For this evaluation, we looked at the deployment model in a binary way, rating vendors (++) if they support that deployment model and (-) if they do not.

3. Key Criteria Comparison

Building on the findings from the GigaOm report, “Key Criteria for Evaluating Enterprise Password Management Solutions,” Table 2 summarizes how each vendor included in this research performs in the areas we consider differentiating and critical in this sector. Table 3 follows this summary with insight into each product’s evaluation metrics—the top-line characteristics that define the impact each will have on the organization.

The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the market landscape, and gauge the potential impact on the business.

Table 2. Key Criteria Comparison

Table 3. Evaluation Metrics Comparison

By combining the information provided in the tables above, the reader can develop a clear understanding of the technical solutions available in the market.

4. GigaOm Radar

This report synthesizes the analysis of key criteria and their impact on evaluation metrics to inform the GigaOm Radar graphic in Figure 1. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and feature sets.

The GigaOm Radar plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation, and Feature Play versus Platform Play—while providing an arrow that projects each solution’s evolution over the coming 12 to 18 months.

Figure 1. GigaOm Radar for Enterprise Password Management

As you can see in the Radar chart in Figure 1, the majority of the vendors fall in the Innovation half of the chart horizontally and in the Platform Play half vertically. In this update to our previous report, we have made a minor change to the definitions for Feature versus Platform Players. This change reflects the increasing consolidation of password and identity services into single platforms as traditional identity platform providers add password management to their offerings and password manager vendors include identity services in theirs.

This change impacts only two of the vendors from our previous report: 1Password, which focuses on excelling in both password and secrets management, and LastPass, which is even more focused on password management after a change in leadership, making it one of our strongest Challengers.

Other changes in this update include the addition of new vendors CyberArk, Enpass, JumpCloud, and Zoho, which have either added password management to existing platforms or have become Leaders in this space, warranting inclusion in this report.

1Password and Keeper, with very strong solutions, remain in the Leaders circle. This positioning results from continued excellence across all credential disciplines, which includes password management, secrets management, and automation. Both vendors also show broad levels of innovation in their approaches, developing new services and embracing emerging technologies such as passwordless access and passkey support.

Two additional vendors entered the Leaders circle. New to this report is CyberArk, a Leader with a solution built on its impressive identity platform that provides strong password management capabilities, especially when combined with its identity and privileged access management solutions. NordPass, a strong Challenger in our previous report, continued to develop in key areas, helping them to score well on both existing and new criteria.

We have several vendors that are new to this year’s report—not all of whom are new to this space. Enpass, not a new offering, takes an innovative approach to password management deployment that deserves inclusion. JumpCloud now offers a strong, new, decentralized architecture for its identity platform, powered by its recent acquisition of MYKI. Zoho greatly improved its password management solution and now offers a strong product.

Vendors from our previous report include Dashlane, which remains a strong Challenger and continues to improve its solution, and LastPass, which, despite having had a challenging year, continues to deliver a strong password solution. With a new focus made possible by its separation from its previous parent company, it is likely to be among our Leaders in future reports.

All vendors are improving solutions at a steady pace, as designated by their Fast Mover arrows. However, LastPass, with its new strategic leadership, and 1Password have both shown notable innovation over the previous 12 months, and their rapid development makes them Outperformers in this space.

5. Vendor Insights

1Password

1Password was a Leader in our previous report and continues to innovate and show leadership, both technically and strategically.

The solution, while architected similarly to many others in this market around a central and endpoint vault model, has switched up the way this approach works, with the end user device vault now the master, and the central vault the replication target. A further security enhancement is its two-key-derivation that combines an account password and a 128-bit, machine-generated secret key to secure its vaults. This approach ensures that if a vault is stolen, the cybercriminal would not be able to access it because they would need both the user key and machine key for access. The two-key approach does have some risk, however; it puts access reliance at the end point, so if the device and its access keys are lost, the vault will be inaccessible for that user. The company claims this dual approach helps it to greatly increase security by moving the authoritative copy and security of that copy out to the endpoint, thereby reducing the threat that comes with a breach of the central vault.

1Password’s background in consumer password management means the company has a strong focus on ensuring a good end-user experience, and its success in this regard is validated by customer feedback we received. This does not make it a consumer solution, however. 1Password provides strong capabilities that will be very attractive to enterprises, with APIs, automation, and an extremely strong secrets capability that will please both developers and DevOps teams.

In our previous report, we highlighted a number of strong areas, including multifactor authentication (MFA), password policies, secrets automation, and advanced password sharing. We also noted some weaknesses, especially the lack of SSO integration with key identity providers (IdPs) and a need to improve central reporting tools to help organizations more effectively manage passwords and reduce risks.

Since that report, there have been improvements in several key areas:

• SSO integration: SSO integration with OKTA and Azure AD is now supported, with more to come, improving provisioning, user experience, and enterprise integration.
• Unlock with SSO: This feature acts as an additional layer of identity proofing on top of the existing 1Password security model. It uses an SSO integration with an IdP to download encrypted credentials on authentication, and the unique device key stored on the device is then used to unlock those credentials to access 1Password data.
• Developer tools: There has been a significant investment in many developer tools, including a command-line interface (CLI), shell plug-ins, an SSH agent, and CI/CD integrations.
• Admin console updates: The administration experience has been updated to provide better reporting, clear dashboards, and improved workflows.
• Passwordless authentication: Big strides have been made to enable passwordless access, including the acquisition of Passage in late 2022 and the delivery of previews of passkey functionality within 1Password, which are expected to be delivered by summer of 2023.

This adds up to an impressive solution that scored well on many of the key criteria and evaluation metrics in this report, including:

• Secrets automation: 1Password continues to build on an already impressive capability. The solution now lets users secure their keys using biometrics, and it also added the ability to load secrets into scripts, automate some administrative tasks, and generate, store, and use SSH keys directly from 1Password for Git and other workflows.
• Security auditing and reporting: The improved reporting tools are much better at providing a company-wide view of security risk. This includes breach checks, password health analysis, and an overview of password security health across teams. 1Password also enables integration with security information and event management (SIEM) tools via its event reporting APIs.
• Breadth of support: 1Password is one of only a few vendors that highlight the extent of its support, which includes dedicated onboarding and customer success teams for any business customers with 75 seats or more. Support teams are available in multiple geographies, and there is multiple-channel support via email, chat, and telephone.

Challenges for the solution are relatively few and specific. There is no support for or focus on MSPs. And for those looking for an on-premises solution to address data locality concerns, 1Password is a SaaS platform that’s solely focused on password and secret management, so other vendors will likely be more appropriate.

1Password provides a strong solution suitable for individuals, SMBs, and large enterprises, which is reflected in positive feedback from customers. It also has a strong roadmap that suggests that an investment in 1Password would provide good value into the future.

Strengths: The vendor is focused on passwords and secrets management, and the solution does both well, including very strong secrets automation. Its use of unique keys on trusted devices to decrypt and encrypt will also appeal to those keen to have the most robust security on their vault. Moreover, its attention to the user experience, as well as its investment in automation and API availability, will make it attractive to both SMBs and enterprises. It also provides excellent support, the value of which should never be underestimated.

Challenges: 1Password is more narrowly focused than some vendors, so companies wishing to consolidate their identities on a single platform will want to look elsewhere. While there have been strides made in SSO integration, this is still limited, although Okta and Azure AD will satisfy many, but it’s important to evaluate that integration to ensure it meets current needs. It does intend to have generic open ID connect (OIDC) support for SSO in beta shortly, which will address a number of other IdP integration use cases. MSPs will also need to consider alternatives as there’s no support for that market sector.

CyberArk

CyberArk is new to this report, thanks to the addition of Workforce Password Management to its broader identity and access management (IAM) and privileged access management (PAM) portfolio.

Workforce Password Management is designed around a central vault to securely hold passwords and secrets, with support for multiple channels (web, browser extension, and mobile app). The credentials can be hosted in the SaaS-based CyberArk Identity Cloud vault or in a secure, PAM-based, self-hosted enterprise vault, which is important to those who have stringent data sovereignty requirements.

The cloud vault is contractually backed by a 99.99% uptime SLA. As would be expected from a solution built on a CyberArk foundation, Workforce Password Management has extensive integration with existing identity management platforms via security assurance markup language (SAML) and OIDC, as well as prebuilt integrations with well-known leading providers such as Azure AD, OKTA, and Ping. The solution is aimed at business users only and has robust controls to prevent users from adding personal or consumer passwords to the vaults.

CyberArk offers a strong enterprise-class solution that scores well on many of the key criteria and evaluation metrics, including:

• Employee provisioning and deprovisioning: With its foundation in identity management, it’s no surprise that CyberArk scores well on this criterion. The product integrates with well-known IdPs, from which it can automate the provisioning and deprovisioning, and it can do this as well with its own SSO and lifecycle management tools. These tools can also integrate with popular enterprise HR systems to enable HR-driven identity management, and the solution can be used as an identity source, which allows identities to be orchestrated downstream to applications from the CyberArk platform.
• Advanced password sharing: CyberArk’s PAM heritage positively influenced its capabilities here, providing some powerful sharing options. Admins can control users, groups, or roles that need access to shared application credentials, set password modification restrictions, add a start and end time for access to applications, and revoke application sharing for a specific user, group, or role. Granular controls can also be applied to password permissions, including the ability to mask credentials from users. In addition, admins can define the chain of custody for user-added credentials and enforce profiles that require users accessing shared apps to satisfy an MFA challenge.
• Flexibility and scalability: CyberArk provides extensive deployment options, beyond those seen elsewhere. It offers an on-premises vault that can host up to 500 million credentials, and its cloud solution offers even more flexibility via the use of pods distributed across its AWS platform. Though the pods are designed for CyberArk’s shared platform, larger customers can request a dedicated pod to ensure a specific service level appropriate for their business.

There are some areas of concerns raised in customer feedback. Initial setup is said to be complex, and cost is reported to be higher than for some of the competition. However, this complexity and cost may be tied to on-premises implementations, as CyberArk claims that users of its SaaS platform can be up and running quickly and easily. Our research showed its per user cost was in-line with major competitors.

Those who want full secrets automation should note that this requires CyberArk’s Conjur platform. This is consistent with CyberArk’s strategy, however, which sees robust enterprise secrets management as a separate challenge that should be met by a separate solution. There are also some limitations in its reporting, with a lack of reports on reused, weak, or compromised passwords, although the vendor notes this issue should be addressed in 2023.

It should also be noted that CyberArk is an identity platform of which password management is one element. To get the best from its password management, customers will likely have to invest in other components of the identity solution. Nevertheless, CyberArk offers a strong enterprise-focused platform and for those wanting on-premises vaults, it is an excellent choice.

Strengths: CyberArk is an identity platform provider that brings some strong capabilities to its password management platform, particularly around sharing and identity lifecycle management, which can help reduce operations overhead. Its installation flexibility includes on-premises options that will be very attractive to those with data sovereignty concerns.

Challenges: Users highlight issues with initial setup complexity and cost, which should be considered. The solution is fully enterprise focused, and while some of its competitors offer customers separate personal password managers, CyberArk actively discourages this practice and has policies to enforce restrictions on personal use of the vault. Those who need full secrets automation must add CyberArk’s Conjur platform to achieve it. A lack of risk reporting is also worth noting, although this is likely to be addressed soon.

Dashlane

Dashlane is a SaaS solution that stores login information in a secured remote environment. While it has products for the personal market, the focus here is on its business solution, which provides advanced password management and authentication required for business IT to manage and monitor users and passwords. It also includes onboarding and offboarding functionality, directory integration, two-factor authentication (2FA)/MFA functionality, and reporting.

Dashlane’s background in consumer password management means the company knows ease of use is important, and its business product remains focused on making certain that users, whether technical or not, can access their passwords without difficulty.

The solution has a central administration console, from which integration can be set up with a range of IdPs, including Azure AD, Okta, JumpCloud, and Google Workspace. There are also client applications for Android and IOS, as well as browser extensions, but Dashlane no longer supports desktop applications for Windows and Mac, which were deprecated in January 2022 (although macOS users can use the iPad app on macOS via the app store).

In our previous report, we highlighted several positives about the solution that remain true, including:

• Its focus is on simplicity for end users.
• SSO integration with a range of IdPs, which helps with both onboarding and reducing complexity.
• Its flexible options for backing up vault data.

We also noted some limitations in its password policy management that still remain true: its approach is based on the ZXCVBN algorithm, which automatically scans new passwords and applies recommendations based on the algorithm. While this simplifies password generation, it gives IT Ops teams no say in the strength requirements and so users must trust the algorithm to force strong enough passwords to protect corporate resources. Some organizations may find this approach problematic because they can’t set their own password requirements in line with organization policies, which may cause issues during security audits.

Since our last report, Dashlane has introduced a range of new capabilities and improvements, which includes:

• Connecting related websites: This nice usability feature allows passwords for related domains to be grouped together, making access and management easier.
• Improvements to MFA: Central admin controls have been substantially improved, enabling easier enforcement and easier access to recovery codes.
• Basic secrets functionality: The ability to add non-password sensitive items into secure notes provides some additional capabilities that organizations will find useful.

Dashlane scores well on a number of key criteria, including:

• Employee provisioning/deprovisioning: Good links to IdPs and SSO integration allow Dashlane to reduce the operational complexity typically involved in user provisioning, with users automatically provisioned when added into the linked IdP, and the integrated SSO makes adoption easy, which helps to reduce the operational burden.
• Security auditing and reporting: The central admin console provides good security insights into password health across the organization, further enhanced by its insights into the dark web and by its ability to monitor for and identify compromised credentials, which allows organizations to take proactive action to secure potentially compromised credentials and passwords.

More recent innovations from Dashlane (announced after our research period closed) include the introduction of its new Dashlane Confidential SSO to public beta. This innovation, built using AWS Nitro Enclaves, removes layers of complexity in deployment, offering a seamless integration with any SAML 2.0 (Security Assertion Markup Language) IdP. It means only a valid SSO user has access to their key, allowing employees to quickly access their vaults with the same credentials they use for other professional apps. Dashlane also introduced Dashlane Passwordless Login, now in preview but to be released soon. With passwordless login, users will be able to securely access their Dashlane account without having to create and remember a single password, helping customers on their journey to passwordless authentication.

Customers seem to be pleased with the solution, praising its ease of use and effectiveness in improving password security. Customer complaints focus on the UI, suggesting it can sometimes feel dated and difficult to navigate. Inefficient workflows, particularly around the sharing of passwords across groups, were also highlighted by some.

Overall, Dashlane’s solution delivers a set of password management features that many organizations will want. It is likely to appeal to smaller organizations, while it continues to grow from its consumer base. Its basic approach and lack of broader identity capabilities may put off bigger organizations.

Strengths: Good integration with existing IdPs and support for SSO help with adoption. A useful central admin console provides strong security insights that can highlight poor password practices as well as proactively alert on possible breached credentials through its dark web monitoring.

Challenges: Dashlane’s consumer background brings with it some limitations in terms of the capabilities enterprises need, such as secrets management and broader identity features. Moreover, as noted earlier, its password policy management approach limits flexibility.

Enpass

Enpass is new to this report but has been supplying password manager solutions for both the commercial and personal markets since 2013.

Enpass takes a technical approach that’s different from most of the solutions we evaluated—it has no central vault. Instead, all vaults are stored locally and users can choose between the local device or existing cloud storage, with supported options including Microsoft OneDrive and SharePoint. The range of endpoints supported is good, with clients for Windows, Mac, Linux, iOS, Android, and browser extensions. Deployment of the endpoint vaults can be centralized using a customer’s unified endpoint management (UEM) or master data management (MDM) solution.

The lack of a centralized vendor-hosted vault will be seen as a bonus for some organizations, as it removes some of the risks perceived with centralized solutions. However, this approach lacks some of the convenience of centralized solutions because it can’t control where user vaults are located, nor can it centralize the protection of those vaults. This means it’s up to the customer to ensure suitable protection is set up at the endpoints.

Despite its different approach, the platform still scores well on a number of our key criteria and evaluation metrics:

• Employee provisioning/deprovisioning: Even with its decentralized structure, the Enpass solution provides central administration to enable policy distribution and reporting. It includes an audit dashboard and breach monitoring capabilities. In addition, the solution can be integrated with SCIM 2 IdPs, and there is prebuilt integration with Azure AD and Okta, among others.
• Ease of adoption: Enpass’s flexible deployment model allows users to choose their own trusted cloud storage or local network to store and share password vaults. This approach can help ease adoption for customers with concerns around centralized storage and the use of SaaS vendors to hold sensitive information.

The Enpass solution meets all of the requirements you would expect from an enterprise password manager. However, it is focused solely on password management and does not offer wider identity management capabilities that some enterprises will desire. This includes SSO integration, although this item is slated to be addressed in 2023. Its strongest integrations are Microsoft 365, a consideration for those using Google Workspace, although the vendor says this should be addressed soon. However, the vendor has no plans to include secrets management and automation.

Customer feedback is positive, although there are some complaints about the quality of the interface, as well as some concerns about customer support relating to the time it takes to respond to queries.

Enpass has a solid product that is more likely to appeal to smaller businesses and possibly to MSPs who are looking for a solution that can easily be included in their broader offerings. It’s strictly a password manager, so it does have some elements missing, and potential customers will need to weigh the impact of its decentralized deployment model. There is, however, a good roadmap, so expect to see this product continue to improve.

Strengths: A solid solution that is aimed at the endpoint, Enpass’ reliance on local or cloud-based vaults will be attractive to some buyers. Its ease of adoption and integration with Microsoft 365 will also be appealing for those using that platform (with Google Workspace to follow). There is a nice central admin console and useful reports can be generated around risk and potential breach.

Challenges: Enpass’ decentralized model, which places the onus on the endpoint for the protection of vaults, will add operations overhead that may deter some organizations. The lack of secrets management will be off-putting for those looking for a single vendor to cover all passwords and credentials, and the missing SSO integration adds an extra layer of user complexity.

JumpCloud

JumpCloud is a new addition to this year’s report. It is primarily an identity as a service (IDaaS) solution, but in 2022 acquired MYKI password manager which it has integrated into its existing broad range of capabilities.

JumpCloud avoids the centralized approach of most competitors, relying instead on individual endpoint vaults, which are synchronized across a user’s multiple devices using encrypted communications driven by central JumpCloud servers. The vendor claims that this approach delivers the best of both local and central vaults while mitigating the security risks posed by “traditional” cloud-based password managers. It asserts that eliminating the single central vault reduces the risks posed by compromised master passwords.

However, this approach presents other risks, particularly around vault protection—if users are not properly protecting those vaults (with backup), in the event of a data loss, they will find themselves without any vault access or way of recovery. JumpCloud is addressing this shortcoming by adding the ability for admins to backup individual user vault images centrally in a way that preserves the decentralized architecture. This functionality is planned for release in the summer of 2023.

Like its other platforms, JumpCloud’s Password Manager primarily targets SMBs (fewer than 5,000 users is its definition) and MSPs. The solution is tightly integrated with its IAM capabilities to provide seamless management of users, identities, devices, and access from a single admin console. It is this consolidation with its identity platform that makes JumpCloud attractive, especially for its target market. Whether for existing customers wanting to add password management to their identity platform or a company using password management as a first step toward a more robust identity strategy, JumpCloud as a single vendor will prove appealing.

The solution offers the capabilities you would expect from a password manager, with centralized policies and automation of provisioning and deprovisioning with a wide range of identity platforms. It supports a good range of endpoints, with vaults for desktops, mobile devices, and browser extensions available. The admin console is also neat and intuitive, which helps reduce operational cost and provide insights into password security across an organization, which is an essential part of credential security.

The solution scored well on a number of criteria.

• SSO integration: Built on the JumpCloud identity platform, the password manager has extensive SSO capabilities that enable smooth integration with well-known directories, HR systems, and even applications or resources that do not have SSO capabilities (such as legacy or internal applications).
• Employee provisioning/deprovisioning: Driven by its IdP heritage, JumpCloud’s user lifecycle management capabilities are strong. New users are automatically assigned password management capabilities, and when users leave, their accounts are suspended and immediately logged out of their password management vaults.
• Platform security: JumpCloud claims that its distributed architecture is inherently more secure than that of centralized cloud vaults. Moreover, the maturity and experience of both JumpCloud and MYKI mean the vendor can offer strong assurances around business security, including providing customers with up-to-the-minute status of outages and security events at: https://status.jumpcloud.com/.

JumpCloud’s solution does include some limitations. Its SMB focus should be a consideration for larger organizations, and this extends to those needing FedRAMP certifications as this is not something JumpCloud has pursued. The solution also lacks robust secrets management, and while its decentralized architecture will be attractive to some buyers, that approach can be troublesome, particularly for those concerned with data locality and vault protection.

The JumpCloud Password Manager is a strong addition to its identity platforms. This view is supported by customers who like its ease of use and ease of adoption, and highly rate the support JumpCloud provides. This is an attractive solution and should be a strong contender for MSPs and SMBs especially.

Strengths: The password manager’s integration with the JumpCloud identity platform is a strong plus for existing customers, as well as for those wishing to adopt password management as a gateway into broader identity management. Its focus on MSPs makes it attractive for those operating in that market.

Challenges: With a strategic focus on SMBs and MSPs, this solution may not meet the needs of large enterprises. Moreover, the limited secrets automation and the decentralized architecture will be considerations for some organizations, and the solution should be evaluated accordingly.

Keeper Security

Keeper Security was a Leader in our previous report, and it has continued to invest, adding key functionality while improving already strong elements of the solution.

The solution is a zero-knowledge (Keeper does not keep user master passwords) security and encryption platform that includes password management, secrets management, connection management, and PAM. Users can access it from virtually any device.

The solution scales from small to large businesses, and the company has invested significantly in building a strong MSP platform. It has also invested in FedRAMP and StateRAMP certifications to ensure its solution can be used by US federal and other government and public agencies. Moreover, Keeper has invested in teams and commercial models to support each of these markets.

Our previous report praised Keeper in a number of areas which it is still strong in:

• Secrets management
• Flexible password policies and granular controls
• Password change notification integration with popular tools (Microsoft Teams and Slack, for example) to ensure clear notification of password changes
• Flexibility in the kind of information that can be securely stored, including passwords, cloud secrets, and SSL certificates
• MFA capabilities

In our previous report, we also highlighted some concerns, such as Keeper’s approach to PAM and the integration of all these elements—passwords, secrets, connection management, and PAM.

Those areas of concern became the object of Keeper’s focus since the last report. The integration of its portfolio has been improved greatly, with an enhanced administration console that provides a clear and intuitive modern interface that reduces operational overhead. The new PAM solution, though not a requirement for password management, is a welcome addition.

This year, Keeper scored high on several key criteria and evaluation metrics, including:

• Secrets automation: Keeper’s secrets management is a real standout, with the ability to hold a wide array of secrets, such as API keys, database passwords, access keys, and certificates. Even better, it also provides strong automation of these secrets, including the ability to rotate passwords, SSH keys, and cloud identities to reduce the complexity and overhead of this type of credentials management.
• Advanced passwords sharing: Shared passwords is a challenge for businesses, but one that Keeper handles very well, with shared folders, direct sharing (users can share directly with each other), and an innovative external one-time share that allows securely sharing a record or file with an external user via a single-use hyperlink.
• Security auditing and reporting: To be really secure, organizations need to understand their password posture. Keeper’s Advanced Reporting and Alerts Module (ARAM) captures over 150 different user and administrator events for both detailed reporting and integration with SIEM solutions, and provides advanced notifications via email, SMS, or Slack.

Customers praise the solution’s flexibility, support, and account management. Areas noted as needing further development (which Keeper recognizes) include the need to provide an on-premises version of its solution to meet some customer demand and to deliver more advanced features for its PAM solution.

Overall, Keeper provides a robust solution with a strong portfolio of capabilities—including secrets management—and successfully serves the public sector and small to large organizations alike.

Strengths: Keeper offers a strong set of capabilities, including improved integration and PAM features. Its secrets management is particularly strong, so for those needing this feature, Keeper should be high on the list of vendors to consider. With a commercial and technical model that truly supports all types of businesses, potential customers should feel comfortable they will be well served, and this includes service providers looking for a password management partner.

Challenges: Keeper needs to improve its PAM capabilities for those who need more advanced capabilities along with password management. And currently Keeper doesn’t offer an on-premises version for those who require passwords and credentials to remain on-site.

LastPass

A well-known name in the industry, LastPass has recently been going through a number of strategic changes in both direction and leadership. This includes separating from its parent company into a standalone security company, giving it increased flexibility and control.

However, it would be remiss to not mention the major security breach LastPass disclosed in August 2022. This breach damaged LastPass’s reputation and, in fact, the password management industry as a whole. Regardless of the strength of its solution, LastPass will have to work hard to rebuild trust in its brand. Within this guide, we will focus on LastPass’ technology and its response to the incident, rather than the incident itself.

Since that incident, LastPass has invested in security, privacy, and operational best practices, which has allowed it to strengthen the security of its product, organization, and underlying architecture.

The solution supports SMBs and large enterprises: it’s simple and flexible enough to work well in smaller businesses, and offers extensive integrations with a wide range of IdPs, a requirement for larger enterprises. It is missing capabilities—such as more capable PAM or secrets management—that may make it less suitable for midsize organizations, which are more likely to wish to consolidate password management into a single vendor.

In our previous report, LastPass was recognized for:

• Its strong SSO capabilities, which provide a good range of solutions for organizations. This includes its own SSO solution for those looking to bring SSO and password management within one vendor.
• Its broad array of support for virtually all endpoint device types.

We also highlighted some negatives—including limitations in its portfolio, such as its lack of full secrets management and PAM—which have not been addressed and are not on the business roadmap shared during this research.

However, LastPass has built upon its already strong password management product, perhaps as a consequence of its new leadership team. New developments include:

• Integration with all identity platforms, allowing it to be easily integrated as a password manager for organizations with existing IdPs.
• Passwordless end user vault access.
• Dark web controls and alerts for admins.
• Changes in response to the 2022 security breach, such as ISO/IEC 27001: 2013 certification and implementation of SHA-256, a slower hashing algorithm that provides more protection against brute-force attacks.

LastPass also has a number of key roadmap developments planned, which includes expanding its security team to help reduce the risk of future breaches. It is also investing in improving the UI and its passwordless support.

Future improvements are likely to include better feature parity across its desktop apps and better performance of its shared folders. In addition, the company recognizes that customers are increasingly interested in capabilities related to PAM and secrets management.

Overall, LastPass provides an impressive and easy-to-use technology that scored well on a number of key criteria:

• 2FA/MFA capable: LastPass offers a good range of capabilities and controls as well as its own authenticator product. It includes the ability to dictate which authenticator apps are allowed and enforce MFA before users can access a vault.
• Employee provisioning/deprovisioning: Its very broad IdP integrations mean that LastPass can automate onboarding and offboarding using identity information from Microsoft AD, Azure AD, Google Workspace, Okta, PingOne, PingFederate, OneLogin, and its own customer’s APIs.
• Security auditing and reporting: LastPass offers a broad range of reports, plus the ability to export audit trails to key stakeholders as needed. Reports include user activity, admin activity, site login activity, and security reports.

Customers are generally happy with the solution and the main gripes are related to the UX, which LassPass acknowledges.

LastPass offers a good password manager, and though its capabilities aren’t as broad as some, the company is looking to address the gaps. However, LastPass’ biggest issue is likely to be the rebuilding of trust in its strong offering.

Strengths: LastPass is a popular and well-known password manager, with good SSO integration. It also provides strong MFA capabilities, which includes its own authenticator product that allows its customers to standardize on an authenticator tightly integrated with the vault. Reporting capabilities around risk are good and customers can get proactive insight into threats from potentially at-risk credentials.

Challenges: While the product lacks some features, its biggest challenge for those looking to buy an enterprise password manager is the impact on trust after serious data breaches in 2022. The company is working hard to ensure it has repaired this damage, but it is likely to remain a key concern both to existing and potential future customers.

NordPass

NordPass is the password management component of Nord Security’s solution suite, which includes the well-known NordVPN service. In our previous report, NordPass was identified as a Challenger, but it has now moved into the Leaders circle.

NordPass is built on an end-to-end encrypted zero-knowledge architecture (they do not hold any unencrypted user data) and is deployed as a SaaS solution. It’s available with either a business or enterprise subscription license, though some functions, such as provisioning integration with Active Directory and SSO integration, require the enterprise license. As is common in this space, the solution is built around a secure centralized password vault, with local vaults available for desktops, mobile devices, and browser extensions, although there is some minor disparity in functionality between the different platforms.

In our previous report, we highlighted the following strengths: strong password policy management controls and a wide range of browser extension support.

The report also noted limitations in NordPass’ ability to provide enterprise-class secrets management and in MFA control of individual vault items.

However, the vendor has continued to develop the product, addressing some of these limitations. Key developments include:

• High-strength encryption: The platform now uses the XChaCha20 encryption algorithm, which supports 256-bit encryption. By choosing this approach, NordPass aims to future-proof its encryption investment.
• NordPass authenticator: This feature provides biometric, possession, and knowledge authentication to allow customers to add 2FA to business accounts stored in NordPass, and to share protected accounts among employees. It was developed to provide MFA tokens to access its vault and can be used as an authenticator into other apps once the Vault is accessed with an MFA token.

NordPass continues to score well on a number of our key criteria:

• 2FA/MFA capable: Recent improvements include patented technology that uses time-based one-time passwords (TOTP) for 2FA directly within NordPass.
• Platform security: NordPass is ISO 27001 and SOC 2 Type 1 certified and independently audited by Cure53, evidence that the company takes the security of its business platform extremely seriously.
• Security auditing and reporting: The platform’s security dashboard provides good password health information as well as a built-in data breach scanner that can identify credentials, payment information, emails, or company domains that have been compromised. Each user has a personal breach monitoring feature by which they can enter credentials or secrets to be assessed for risk.

The solution is easy to use with nice clean interfaces to the admin console and user vaults that are intuitive and not overly fussy. The provisioning feature is solid and includes automatic provisioning/deprovisioning from Active Directory, although there are limitations around the automatic provisioning of Active Directory groups.

There are some issues to consider. Key among these is that NordPass uses only US data centers, which may limit those with data sovereignty concerns. The solution is also missing some features that may make it less attractive to larger enterprises. This includes a lack of APIs for programmatic control and secrets automation. While NordPass has a strong MSP offering with a dedicated team supporting its partners, it does recognize that some of its MSP self-service workflows, especially around billing, can be improved, and a recent release of a dedicated billing API may correct this issue for many customers.

There is a good roadmap that will address a number of these concerns, including the development of European data centers, secrets automation, and group provisioning.

NordPass offers a good solution that published feedback suggests is well liked by its customers. It scales well for growing SMBs, though with some missing features, it may be less attractive to larger enterprises with existing security investments. It’s easy to deploy and easy to manage; its approach is simple and its pricing models straightforward.

Strengths: NordPass is a useful, easy to deploy and easy to manage password management solution. That it is part of the well-known Nord Security family should help reduce concerns over password management security, and this confidence is supported by the company’s own commitment to security certifications. With a simple SaaS model and good support for a range of desktops, mobile devices and browsers, adoption is easy.

Challenges: The solution lacks some of the capabilities that larger organizations need, such as secrets management, automation, API integrations, and granular support for AD groups. The lack of European data centers will also be off-putting for those with data sovereignty concerns.

Zoho Vault

Zoho is new to our report this year, though Zoho’s Vault solution has been available in various iterations for the last 10 years. Zoho’s business focus is on developing a number of tools to meet a wide range of business demands. With over 50 applications in its suite, the product is used by some 80 million users. Each solution is available individually, but many can also be purchased together as a bundle or suite of tools.

Zoho Vault is delivered as a SaaS-based product hosted within Zoho’s own global data centers. It is designed around a central vault that is securely encrypted for synchronization with endpoints, which are supported via clients for mobile and browser extensions. Currently, there’s no desktop version of the product.

The core solution is very extensible, with more than 90 out-of-the-box integrations to its own wide range of applications and also to major identity platforms (Azure AD, Google Workspace, OKTA) as well as SSO. Further extensibility comes from a strong set of APIs that allow Vault to be both programmatically driven and integrated with other third-party tools. Zoho’s Flow platform offers no-code workflow capabilities for building further customizations.

The solution provides the broad array of capabilities you’d expect from a password manager, including import and export of passwords, a password generator, centralized policy management, password sharing, breach password detection, MFA, audit trails, and reports.

The solution did well on a broad range of our key criteria.

• Advanced password sharing: A one-click login-only option creates a secure link that allows users to access an application, without needing to share or reveal the password. Passwords can also be easily and securely shared across groups and with third parties.
• 2FA/MFA capable: The solution provides a broad range of MFA support, including with its own OneAuth app, which supports app-based authenticators as well as OTP and hardware keys.
• Platform security management: Zoho’s own security team extensively tests its internal apps as well as running periodical audits with third parties. It also proactively sends out security advisory emails and uses forums to inform users of any emerging threats. Moreover, its SaaS nature means updates can be deployed instantaneously to all customers.

Vault does all of the things you’d expect from a password manager. In addition to the features mentioned earlier, it also has good security reporting capabilities, with informative dashboards, and it enables password policy creation with a good range of default policies and the ability to define custom ones.

There are gaps in the solution, however, including a lack of consistent functionality across the different platforms. Role-based access control (RBAC) capability in the admin console is somewhat limited. Customer feedback has raised questions about support quality and notes that the product is more expensive than some of its competitors.

Zoho Vault is a useful component of Zoho’s broad-ranging business suite. It is possibly most well-suited to SMBs, especially those using Zoho’s other tools. And the breadth of its tools may mean it can serve as a cost-effective single vendor for those looking to consolidate elements of their security stack. While it may be best suited to SMBs, it shouldn’t be ruled out in the enterprise because its API support, SIEM integration, and good off-the-shelf integrations can make it a good addition to an existing security stack. The only market Zoho is not focused on and does not serve is MSPs.

Strengths: Zoho Vault is a valuable part of its broader suite of solutions, and for those looking to consolidate with a single vendor, it offers a range of good capabilities. Though it may seem more appropriate for the SMB market, the availability of API support and no-code automation tools could make this an interesting proposition for the larger enterprise.

Challenges: The lack of a desktop app may be a problem for some businesses, although this is likely to be addressed in the short to medium term. There are also some limits around RBAC for those that want more granular admin controls. And there has been no investment in support for MSPs, so those operating in that market should look elsewhere.

6. Analyst’s Take

The challenge of enforcing strong passwords is a difficult one for organizations. The number of passwords users must retain means that without some kind of assistance, managing them is virtually impossible, resulting in organizations rife with poor password discipline. Cybercriminals know this vulnerability and target user passwords, because compromising credentials represents an easy route to compromising data security.

While password managers are not new, the proliferation and increasing complexity of cybersecurity threats mean that this cannot be a static technology sector. All of the vendors evaluated for this report show innovation in their products, perhaps most of all in technologies that assist in the move to passwordless authentication, an emerging technology that all vendors offer. It is also clear vendors are looking at specific approaches, such as the use of passkeys, as a way of enabling customers on this journey.

Proactive password security is also a strong area of development, with all vendors providing dashboards and reports to help customers identify any potential credential compromise before it can be exploited, allowing them to deal with those threats proactively in advance.

It has also become apparent that consolidation is occurring in this space, with a number of vendors who have broader identity security platforms adding password managers to their solutions. This is an important development as data security risk is not tied to passwords alone. With poor practices around identity management creating an equally serious concern, consolidating solutions into a single platform or providing strong integration between password managers and broader identity security stacks will help to improve security in both areas.

This consolidation also involves some vendors extending their solutions into the more complex world of secrets management. This is an area of particular concern for those with large development and support teams who need secure ways to access platforms at low levels and often rely on public key encryption and certificates. However, these approaches require extensive management, so it’s helpful to see some of the enterprise password management vendors bringing their skills to bear in this area.

On the whole, the architecture of these solutions remains the same, with many of the vendors using a SaaS-based central vault and integration with vaults stored on local devices. However, some vendors have chosen a decentralized approach, which eliminates some of the security concerns of central vaults (like just one vault to compromise). Unfortunately, they also introduce their own risks (no central control and a lack of control of data locality). One vendor that uses a central vault model allows customers to deploy that vault on-premises, which is a strong option for those who are specifically concerned about data locality and sovereignty.

The enterprise password management industry has taken a knock in the past 12 months, with a high-profile data breach impacting one of its main players. However, the industry as a whole has responded well to this situation, with all vendors keen to highlight how they are protecting their own businesses from cyberattack and ensuring the strongest levels of security are firmly in place. While the breach itself was certainly a wake-up call for the market, the actions vendors have taken since are ultimately a good thing for customers.

Enterprise password management can play a central role in a company’s security strategy, so it is good to see a vibrant industry with many strong players. The continued innovation will help organizations to enforce better discipline and encourage them to evolve their password strategies with new capabilities such as passwordless authentication. It’s clear that any organization that wishes to improve its password security posture will benefit from investing in a password manager.

7. About Paul Stringfellow

Paul Stringfellow has more than 25 years of experience in the IT industry helping organizations of all kinds and sizes use technology to deliver strong business outcomes. Today, that work focuses mainly on helping enterprises understand how to manage their data to ensure it is protected, secure, compliant, and available. He is still very much a “hands-on” practitioner and continues to be involved in a diverse range of data projects. Paul has been recognized across the industry and has spoken at many industry, vendor, and community events. He writes for a number of industry publications to share his enthusiasm for technology and to help others realize its value.

Paul hosts his own enterprise technology webcast and writes regularly on his blog.

8. About GigaOm

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.

9. Copyright

© Knowingly, Inc. 2023 "GigaOm Radar for Enterprise Password Management" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.