7

I want to be clear from the get-go that I am NOT looking for a user password management solution. My organization already uses AD for that.

What I am looking for is a password vault. Up until now, passwords which are used for certain applications have been stored on paper in a safe. The decision has been made to place them in a secure, encrypted electronic application/vault. I would like it if either the passwords could be stored and accessed on a network drive or if the app could be installed on a server and accessed via a web interface. I'd also like the ability to have 2 or 3 administrator accounts which could provide read-only access to others if needed. Neither of these is hard and fast, though. I'm at the end of my rope and just want something, anything that will do the trick. And yes, I realize I'm asking for a lot.

The environment is Windows.

I have done a lot of research on my own and it seems that this kind of software falls into one of two camps. First, it's a small, free (or close to it), portable, open-source style solution like KeePass that, while probably fairly secure, offers no guarantees and isn't certified in any way. Second, it's a massive, organization-wide, AD-replacement style solution which is FIPS-140 certified and contains a password vault within it and is expensive and complete overkill for my needs.

I can't seem to find something middle-of-the-road, which is what I'd like. All I want is the password vault portion of these massive solutions and I'd be happy. One lead that I thought was promising was Cyber-Ark's Enterprise Password Vault, but the company has no pricing information on their website and nothing which states I can buy only the EPV and not the entire suite it's listed in. I also can't seem to get hold of anyone from the company who can answer those questions.

Any suggestions?

PS. I realise there are some gaps here in terms of complete lack of background information provided, but please, no lectures or admonitions of what I should be doing in terms of practice and policy to avoid the need for the software I'm asking for. I'm aware, believe me.

Tim

4 Answers

3

My company uses Thycotic's Secret Server. It is commercial, but it is also scalable, and the total cost depends on the number of users (active) and the feature set you need/want.

It is web accessible only (IIS/ASP.Net), and has a hosted version as well as installed versions.

Security wise, it is good enough for government agencies (US) and their booth at VMWare last year listed divisions of the Department of The Navy as current clients.

2

This isn't a third alternative in its own right but it does cover some of what I perceive to be the drawbacks of using KeePass and related packages more tailored for an individual than a team.

We have file system auditing enabled for any access attempts to any of our password repositories. We have separate repositories, one for the development staff and another for the engineer team. This covers the need for varying security levels within KeePass and the fact that individual access isn't logged.

We also have a third repository for anything uber sensitive. That repository has immediate alerting built in (via the auditing above) and is protected by a tamper resistant envelope in a secure location. To avoid unnecessary access to this envelope we export a copy of the usernames and descriptions which include how and why to avoid using these accounts.

Tim Brigham
  • May I ask how long you've been using KeePass for this kind of thing? Have you ever had any major issues with it? (i.e. crashing, data corruption, etc.) – Tim Aug 20 '12 at 19:24
  • @Tim - We've been using for a couple years individually, I'd say a year to 18 months for the second paragraph, a few months for the third paragraph. – Tim Brigham Aug 20 '12 at 20:39
  • And have you had any big crashing/corruption problems with it in that time? My main concern with KeePass is reliability (I need to be at least fairly sure that it's going to work when I need it to), as I've never used it personally. – Tim Aug 20 '12 at 20:53
  • @Tim - no stability or reliability problems whatsoever. – Tim Brigham Aug 20 '12 at 20:54
  • There's [a page on the KeePass site that discusses the multiple user scenario](http://keepass.info/help/base/multiuser.html). Personally I'd be nervous using KeePass in multiple user mode unless there was just one person updating the database. – jdigital Aug 29 '13 at 22:05
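The file system auditing that the answer above describes, as an added PowerShell example (not code from the answer's author): it turns on the Windows "File System" audit subcategory, puts a SACL on a shared KeePass database so that every read, write or delete is logged, and then pulls the resulting Security events (ID 4663) into a table of who touched the file, when, and from which process. The repository path and the domain group are placeholders chosen for this example; run it elevated on the file server that hosts the database, because reading and writing a SACL needs the security privilege.

```powershell
# Added example, not from the page. Placeholder path on the file server (4663 events
# record the local path of the object, not the UNC path clients open it through).
$DbPath = 'D:\Vault\engineering.kdbx'

# 1. Enable auditing of file system object access (success and failure) for this host.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add a SACL entry on the database so reads, writes and deletes by anyone are audited.
#    Get-Acl -Audit is required so that the returned object carries the SACL.
$acl  = Get-Acl -Path $DbPath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
    'Everyone', 'ReadData, WriteData, Delete', 'Success, Failure'
$acl.AddAuditRule($rule)
Set-Acl -Path $DbPath -AclObject $acl

# 3. Report who accessed the database. Event 4663 ("An attempt was made to access an
#    object") carries the subject, the process and the access mask in its EventData.
function Get-VaultAccessEvents {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $Hours = 24
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4663
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Parse the event XML so fields are read by name rather than by message position.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        if ($data.ObjectName -eq $Path) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                Process = $data.ProcessName
                Access  = $data.AccessMask      # e.g. 0x1 = ReadData, 0x2 = WriteData
                Object  = $data.ObjectName
            }
        }
    }
}

Get-VaultAccessEvents -Path $DbPath -Hours 24 | Format-Table -AutoSize
```

For the "immediate alerting" the answer mentions on its most sensitive repository, the same 4663 events can drive a Task Scheduler task with an event trigger on the Security log that runs a script to send a notification; filtering on the object path, as the function above does, keeps that alert from firing for the day-to-day repositories.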
1

If you're cool w/ open source, check out Password Safe, courtesy of Bruce Schneier: http://www.schneier.com/passsafe.html

Unfortunately, it only has one 'master' access password. However, if you store the vault on a network drive, anyone who opens it after another person already has it open will get the read-only vs. read/write access prompt, and there's an option when you install the client piece to make the default when opening a vault read-only, so there are ways to work around what you're looking for.

Josh
-4

One solution you might want to consider is Pleasant Password Server. This solution uses KeePass for your user interface, but is a highly secure encrypted database housed on your server.

Richard
  • Richard - self promotion isn't really welcome here, but if you give an answer with good reasons why it should fit, and announce your affiliation, that would typically be OK. – Rory Alsop Aug 29 '13 at 21:45