October 12, 2016
On enterprise security measures
LastPass provides a significant opportunity to secure network servers. Particularly for an entity dealing with significant security concerns and multiple platforms (governments, NGOs, international development organizations), it is a stopgap measure against the proliferation of passwords, which have become such a burden that they limit productivity and distract staff.
In particular, by leveraging various web browser extensions across the enterprise, we will help further instill a culture of security: the service “nudges” users as needed to ensure appropriate security measures are taken. These gentle reminders and the ease of use of the LastPass interface will reaffirm the wisdom of security measures and, in passive support, further integrate security principles across the organization as we embrace more intensive cloud-based solutions.
Security must not be seen as a separate entity but rather as an integrated part of every practice within an organization. We must weigh our responsibilities to our customers and the entities and divisions we serve throughout governments at the local, state and federal levels:
- The efficiency of the LastPass system will allow us more time to engage in security as a practice and improve the ease with which our services reach the end user
- LastPass protects data without increasing the burden on the institutional or enterprise user or the service recipient
- LastPass simplifies systems and allows our divisions to see and understand complementary products and platforms that might be otherwise untapped or underleveraged
I recommend a staged test across a set of employees working in less security-intensive capacities; these functions might include communications, human resources or talent teams that have less password-intensive tools. I recommend then following with a limited deployment to employees responsible for a greater number of platforms and passwords, in service delivery or policy implementation functions. In the same vein, I would caution that we must ensure any deployment of LastPass is gated to government devices only: we should not enable users to install LastPass on home computers or on any other networks that might be compromised, although it might be tempting due to the ease of use of the product.
Potential intruders or intrusive forces might come from any direction, from phishing attacks delivered through content accessed inside our networks to the hacking of system vulnerabilities. While password protection does not serve as a panacea for these issues, it does elevate the seriousness with which our organization considers security measures without imposing a great deal of burden on the institution itself. That said, in deploying the LastPass tool, the entity must ensure it is not ceding vigilance and discipline in security on the part of our employees and IT department. As with the implementation of any new enterprise solution, we will need to ensure we host regular trainings for the LastPass product alongside any other enterprise tools we hope to test and deploy, and we need to further affirm and expand the resources and expertise available when necessary to manage questions related to the LastPass tool. It is not enough to deploy password management tools alone; hardware security must be taken seriously as well. I recommend a service like the triple-strength Intel Authenticate, which verifies symmetrically with new Intel products across a PIN, a hardware item (either PC or mobile phone) and fingerprint authentication: true “unwired” hardware security.