Password Managers: To Buy or to Build?

August 21, 2019


With the majority of data breaches caused by password-related incidents, password managers play an essential role in business security. Some organizations have the resources to create password managers from scratch, and others need existing secure and cost-effective solutions they can purchase. This article highlights the pros and cons of buying vs. building password management solutions.

80% of hacking-related company breaches can be traced back to compromised and weak credentials, according to Verizon’s 2019 Data Breach Investigations Report. Password managers can start improving business security from the day they’re rolled out, and are one of the greatest defenses against password-related breaches. When choosing a password manager, companies may question whether to build in-house or trust a third-party company to protect their most sensitive data.

In some scenarios, building a password manager may be the right solution. After all, doing so gives full control over how data is stored, and that data never has to be uploaded to third-party servers. Additionally, in-house teams will be familiar with the security capabilities and limitations of the password manager, because they built it.

However, there are complexities to building a password manager that may not be immediately obvious. While at first glance it may appear optimal, in many cases, using an existing product is a better solution. Let’s evaluate what to take into account before making that decision.

Security

First, consider how to build a password manager that is competitive with the industry standard. DIY systems can often be easier to penetrate than larger, tried-and-true ones. If a company creates a password manager, it needs to match the security of commercial offerings.

Another important question is: once this security is in place, how will it be maintained? Businesses need to think about whether they have the bandwidth to find the bugs. Enterprise password managers have entire teams dedicated to maintaining security and fending off threats. They also issue incentives for finding bugs and flaws and are subject to rigorous security audits.

Usability

If the resources are available to match the level of security on offer from third-party solutions, then building a password manager in-house may be a good idea. But there’s another aspect to consider, which is separate from security: usability.

Simply put, if a password manager is unintuitive, frustrating, or buggy, employees won’t want to use it. Thus, usability should be a consideration alongside security; the two should go hand in hand as teams prefer seamless technology experiences and are quick to get frustrated by even minor inconveniences.

The best password managers make employees’ lives easier and integrate smoothly into their existing workflows. Security is not a top priority for employees; getting through their workday as efficiently and with as little hassle as possible is. If a password manager is clunky, slow, or doesn’t have a simple interface, employees will be unlikely to use it correctly, or to use it at all.

Investment & Cost

Of course, there’s also the considerable cost associated with creating and maintaining an in-house password manager, versus implementing an existing security solution. That cost becomes even greater if a company is thinking of rolling out Single Sign-On (SSO). Existing enterprise password managers are excellent companions to SSO and can even be provisioned using identity managers. However, the expense of implementing SSO and also building a password manager can be prohibitive budget-wise.

For most businesses, the cost of maintaining, supporting and securing a custom-built password manager only goes up as a business grows and the use cases become more complex. Additionally, for companies with multiple locations or that operate internationally, localization can bring up unexpected expenses. In contrast, existing password managers already offer solutions available in multiple languages.

Many commercial password managers also offer additional features companies may not be able to implement on their own. Some act as authenticators for sites that use Two-Factor Authentication (2FA), and even check for vulnerable passwords and breaches on websites employees use. Additional features can also include app translations, support documentation, and password history. Implementing these seemingly small features can make a big difference, but building them will bring unexpected expenses down the line.
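The breach check mentioned above is one of the "seemingly small" features that is easy to get wrong when built in-house: the manager must find out whether a password appears in a known breach corpus without ever sending the password, or its full hash, to a third party. The following is an added example, not code from the article or from 1Password, showing the client-side half of the k-anonymity range query used by the Have I Been Pwned Pwned Passwords API (the client sends only the first five hex characters of the SHA-1 hash and receives every suffix in that range with a breach count). The `fetch_range` callback, the `sample_fetch_range` stand-in and the response body it returns are constructed for this example so it runs offline; only the suffix for the literal password `password` is a real SHA-1 value.

```python
import hashlib
import hmac
import re
from typing import Callable, Dict, Tuple

# Constructed stand-in for a range-query response body. The real API returns
# hundreds of "SUFFIX:COUNT" lines per prefix; the counts here are made up.
# The third line is the genuine SHA-1 suffix of the string "password".
SAMPLE_RANGE_5BAA6 = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E2671B5FA10AFEFE7C04BA38C01E5DAEC4:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F0BD6E7C9F9AB7C53FD7C0C1A2C5A4D9B3:1
"""

PREFIX_RE = re.compile(r"^[0-9A-F]{5}$")


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split SHA-1(password) into the 5-hex-char prefix that leaves the
    device and the 35-hex-char suffix that must never leave it."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; malformed lines are skipped
    rather than trusted, since the body comes from the network."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep != ":" or len(suffix) != 35 or not count.isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in the breach corpus (0 if not
    seen). Only the hash prefix is passed to fetch_range; the suffix match is
    done locally with a constant-time comparison."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    hits = 0
    for candidate, n in counts.items():
        # Compare every candidate so lookup time does not depend on position.
        if hmac.compare_digest(candidate, suffix):
            hits = n
    return hits


def sample_fetch_range(prefix: str) -> str:
    """Offline stand-in for the HTTP call. A real implementation would GET
    https://api.pwnedpasswords.com/range/<prefix> and return the body."""
    if not PREFIX_RE.match(prefix):
        raise ValueError("prefix must be exactly five uppercase hex chars")
    if prefix == "5BAA6":
        return SAMPLE_RANGE_5BAA6
    return ""  # constructed: pretend no entries exist for other ranges


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, sample_fetch_range)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in corpus")
```

A production client would wrap the real HTTP request in the `fetch_range` callback and keep everything else unchanged; the point a reviewer would look for is that nothing longer than the five-character prefix is ever sent, and that the suffix comparison happens on the device.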

Implementation

If a business has a flexible and resourceful team that’s able to balance both security and usability, there’s still one more aspect to consider: the task of rolling out a password manager. Established providers will usually assist with the rollout and have a wealth of experience to offer for this undertaking.

Also consider: if a password manager is built in-house, how are employees going to access it? Will it be made available on personal devices? Will it be used by employees who work remotely? Will it be available on Windows, macOS, iOS, Android, and Chrome, as well as across the variety of browsers employees use?

There’s also the aspect of support. If an employee (or hundreds of employees, depending on the size of an organization) has an issue with an in-house password manager, are the resources there to provide immediate help? With enterprise password managers, companies have fast access to premium support. If a business builds its own, it’ll need to provide that, too.

In short, companies want employees to rely on the software. If businesses can’t provide immediate solutions to problems, then employees may not use the in-house solution.

If a company can handle all the above, and if its needs aren’t being met by any product on the market, then building a password manager is worth considering. But if the dedicated resources aren’t available, and quick security improvements are a priority, then using an existing password management solution is the best option to secure its data and business information.

Matt Davey

Chief Operations Optimist, 1Password

Matt Davey is the COO (Chief Operations Optimist) at 1Password, a password manager that keeps families and businesses safe online. Using a background of product design, he oversees marketing, content, design and press, as well as being a regular host on the company's security advice podcast, Random but Memorable.

In a previous life working with agencies and financial companies, Matt has seen first-hand how important security practices are at every level in an organisation. After 7 years at 1Password, Matt has his optimism back about security, and now helps companies roll out layers of security starting with password habits.

Matt is a mentor for both the Royal Society of the Arts and Out of Office Hours, helping professionals and newcomers to the industry with all aspects of creating digital products. He is based in Norwich and enjoys failing at baking the most simple of things.