Password Manager Applications and Data Integrity

I recently ran into a scenario where password manager apps are used as solutions (?) in generating complex passwords and to keep login information private and secure. I am wondering what your thoughts on the use of apps to store and auto fill passwords to GxP system, especially with respect to access restriction requirements and data integrity. Any validation requirements, etc?

Asked by a colleague

Passwords are horrible, with numerous problems, both from a security and a usability standpoint. Companies often talk about vulnerabilities, external (like phishing) and internal (like fraud), but there are a host of issues from the user’s end. Often, users have to create dozens of passwords for different accounts, leading to frustration and lost productivity around authentication.

So either the user keeps the same password for multiple sites and applications, which is a major security issue, or they diligently create new passwords for each and every account and promptly forget them.

We should be looking to create organizational policies based on facts with a good reason as to why. Don’t make employees stick to outdated security policies. They are less likely to buy into the program, which in itself can have adverse results on governance aspects. In this case, users expect to be able to use password managers so make it possible.

People are using password managers in your organization, probably through the very browser you are reading this. There are two major categories of password managers:

  • Browser-based password manager. These are the systems that come automatically attached to browsers or software that’s downloaded to your computer or network. Chrome, Edge, etc.
  • Password management app is a type of downloadable software that uses encryption to store your credentials safely and securely (most of the time).

There is a lot written on this from the cybersecurity position by people a whole lot more knowledgable than me, so I will focus on the data integrity side of things.

There are three primary requirements here that can be distilled from the key guidances:

  • Establish and maintain organizational, procedural, and technical controls to minimize the risk of unauthorized or inadvertent access to computer systems data and records.
  • Manage role-based system access for users and system administrators, including segregation of duties.
  • Establish manual and automated monitoring of computer systems and environments to identify and respond to potential vulnerabilities and intrusions.

Like everything, the amount of effort here is a risk-based approach depending on the regulated processes, records, and data in the system, and whether the system is externally facing – and remember all your cloud applications are externally facing!

Start by evaluating the Information Security Management System (ISMS) as defined by ISO 27001. Many of the requirements in ISO 27001 overlap with the expectations of a GxP system, so it is important that there be one cohesive approach in the organization (and yes that means your ISMS is fully GxP).

Set Organization Controls for the following:

  1. What password managers are allowed. Make it easy and everyone will use it. Also makes it easier to maintain. Restrict a bring-your-own-app approach.
  2. Strengthen your password requirements. 13+ characters, no repeats (also a possible technical control once you’ve taken this route), etc.
  3. Ensure compliance with the NIST SP800-63b password guidance and the latest version of the German IT-Grundschutz Kompendium of the Bundesamt für Sicherheit in der Informationstechnik (BSI)
  4. Educate, educate, educate

It is important to recognize the difference between dedicated laptops and shared machines. Especially if there is a station that does not have the capability to recognize different users. In these cases, password managers require additional controls, up to being shut off and prevented from use. I cannot stress this enough, a password manager on a shared machine is asking for trouble so treat it with the attention it deserves.

Test your selected password manager(s). Most of your testing will be acceptance of the provider-provided package, but you will want to conduct a nice compact qualification. Test it with GxP systems. This will look a lot like whatever testing you do for a SSO application.

Ensure that the right periodic vulnerability testing exists.

In this day and age, password managers are going to be used. Be aware of the risks and ensure the appropriate processes are in place to manage them.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.