Credential Management Systems (CMS) are available both on an individual level and as an enterprise-wide service. A key feature of CMSs is that they can distribute credentials in a closed-loop system, removing the need for operators to know the passwords being used.
This is particularly important for organizations that manage systems on behalf of other businesses. A CMS increases confidentiality by removing the risk of insider threats.
Here is our list of the six best credential management systems for IT professionals and MSPs:
- Passportal EDITOR’S CHOICE A cloud-based credential management system that automatically discovers all user accounts on a system, lists them for management, and synchs all changes with onside AD and LSAP implementations.
- NinjaRMM Credential Exchange A credentials manager that is integrated into the cloud-based NinjaRMM remote monitoring and management system.
- ManageEngine Desktop Central A unified endpoint management system that includes its own credential management system.
- Dashlane Business A cloud-based credentials manager that allows employees to use the service for personal use as well as for work logins.
- Zoho Vault A cloud-based credential management service that coordinates on-premises and cloud-based access rights systems and also includes secure document storage space.
- LastPass Enterprise A cloud-based credentials manager that creates a single-sign-on account for a long list of business applications.
Credential management components
A central feature of the CMS architecture is password management. The CMS should also be able to generate complex passwords and store them in an encrypted format without disclosing them to administrators running the CMS software.
The second main element of a typical CMS is a password distribution mechanism. Operators that need to access a protected system don’t need to log in to that computer or network. Instead, the facilitating utility requests the credentials from the CMS without human intervention. The CMS then delivers the credentials which feed to an automatic login routine in the system access software.
The credentials distribution process is more than just a messaging system. It integrates encryption and authentication procedures to ensure that the requestor for the credentials is not an intruder and also to protect the transmission of sensitive information from wiretappers.
Most CMSs use a public key encryption system that enables the requestor to prove its identity and also protects transmission without needing to distribute encryption keys. This is very similar to the security procedures used by Transport Layer Security (TLS), the authentication system deployed by HTTPS to protect web traffic.
Another important feature of CMS software is that it can log every credentials request. This enables a business to know exactly which service had access to a resource and at what time. Should a data breach occur, tracing all possible culprits is an essential task, and activity logging provides that information.
CMS services offer extra security features, such as two-factor authentication (2FA) and automatic password rotation. Setting up initial credentials requires an interface to a business’s access rights system. Once a resource’s allowed user accounts have been set up in the CMS, further communications with access rights systems are required whenever passwords are replaced.
The best credential management systems
The need to keep passwords secure and free from disclosure is important in any organization. In the past, IT departments created a weak point in system security because support technicians needed to know system passwords in order to log into a resource and fix a problem.
The creation of credential management systems removed the need for technicians to know passwords in order to carry out their tasks. The automated credentials request procedures built into system access software also removes the need for an operator to get involved with system or user passwords.
Managed Service Providers (MSPs) have an even higher priority for password security. Their technicians not only risk the security of the MSP’s system if they have to acquire credentials, but they also could compromise the security of every client of the MSP. An MSP would find it difficult to win new business if its technicians had to get direct access to the passwords of all users. The implementation of a CMS enables the MSP to demonstrate to potential customers that there is no way any of the staff of the service provider could find out access credentials.
You can read more about each of these options in the following sections.
Passportal is a cloud-based credential management system. It centralizes the controls of identity management and access management in one console. The system is able to manage access rights to resources on many sites, so it is a good tool for centralized IT departments. It is also built to enable an MSP to support credential management for multiple clients.
The Passportal system supports Microsoft-produced access rights systems based on Active Directory and LDAP. It is able to manage credentials for access to a network, endpoints, email, file servers, and cloud-based services, such as Azure and Office 365.
When beginning service, Passportal searches for all AD-controlled services and software and compiles its own user account list to enable credential management to be driven within its own console. The system administrator then works with user accounts listed in Passportal with the ability to add, alter, and delete accounts. All changes made within Passportal get synched to local AD instances.
Passportal is able to create temporary access accounts to allow the technician access to a system without having to use permanent credentials that could be disclosed. The creation of each technician account is recorded and the temporary account gets deleted once the technician’s task is complete.
The password management features of Passportal include a password generator and the enforcement of password rotation. Passwords for each user are held in a personal vault and can be distributed automatically for autofill functions in many applications. The credentials manager integrates with SolarWinds Take Control, N-central, and RMM, ConnectWise Manage, Automate, and Control, Datto Autotask, NinjaRMM, and Kaseya VSA and BMS. When dealing with these integrated services, all credentials get exchanged behind the scenes, so the user never needs to know what they are.
Passportal is charged for by subscription, paid monthly in advance. There is no contract, deposit, or minimum service period. You can schedule a demo here.
Passportal is our top pick for a credentials management system because it centralizes all credentials management activities for multiple sites and even for multiple businesses. The Passportal service is cloud-based and so can be accessed from anywhere through a standard browser. The system automatically discovers all protected hardware and software and generates a list of user accounts in order to begin the credentials management process from within Passportal. There are no initial setup costs for Passportal. Schedule a Demo: https://www.passportalmsp.com/demo OS: Cloud-based
Passportal is our top pick for a credentials management system because it centralizes all credentials management activities for multiple sites and even for multiple businesses. The Passportal service is cloud-based and so can be accessed from anywhere through a standard browser. The system automatically discovers all protected hardware and software and generates a list of user accounts in order to begin the credentials management process from within Passportal. There are no initial setup costs for Passportal.
Schedule a Demo: https://www.passportalmsp.com/demo
NinjaRMM is a remote monitoring and management system, which can manage several sites from one central location. This makes it a good tool for IT professionals operating a central IT department. Multi-tenant features in the system also make NinjaRMM an ideal software platform for Managed Service Providers.
Credential Exchange is a credential management system that is built into NinjaRMM. It is specifically designed to enable technicians to run scripts behind the scenes on endpoints. The system is able to manage access to computers running Winds and macOS and those scripts will be run without requiring the device’s user to log off. The user won’t even realize that troubleshooting and maintenance tasks are going on.
The Credential Exchange service integrates with NijnaRMM’s patch manager and software management functions. It enables automated and manual software updates to be implemented in bulk or individually on any of the managed endpoints running Windows or macOS. It also facilitates access to endpoints using the NinjaRMM remote desktop utility.
Credential usage events are logged for an audit trail along with all technician activity logs that are built into other utilities in NinjaRMM.
NinjaRMM is a cloud-based service and is charged for by subscription. The RMM is available as a total package and includes Credential Exchange. It is available on a 30-day free trial.
Desktop Central enables a central IT department to manage endpoints and servers on multiple remote sites. The functions of this system also extend to mobile devices, making it a unified endpoint management system. None of the functions of Desktop Central would be possible without being able to access the operating systems of all of the devices that it serves. For this purpose, the Desktop Central system has its own Credential Manager.
The Desktop Central system automates many IT department tasks. It includes patch management, software management, mobile device management, configuration management, IT asset management, and endpoint security functions.
Desktop Central allows multiple access accounts for access to the dashboard with a superuser status for system administrators. So, each technician using the system has an individual account.
The Credentials Manager operates on two levels – a secure anonymized central credentials store and a local user-accessible credentials system. The system administrator is able to manage a pool of credentials for automated access to remote devices. These account details are not visible to other users of Desktop Central. Each technician can access a personal section of the Credential Manager to organized allocated access accounts.
The Desktop Central dashboard includes a remote access console and remote desktop system for use by technicians engaged in troubleshooting. The entry into remote devices through this system can be made possible either through administrator credentials or through a personal account of the technician. In either case, the credentials are communicated to the remote access console automatically without visibility or the need for manual input.
Desktop Central is on-premises software that installs on Windows Server and Linux. Credential Manager gives access to devices running Windows, Linux, macOS, iOS, Android, and Windows Mobile. The system is available for a 30-day free trial.
Dashlane Business is a credential manager based in the cloud. Dashlane also offers a password manager for personal use. All user account information is stored in a secure, encrypted vault that is held on the Dashlane cloud server, so it can be accessed from any device in any location in the world that has Internet access.
Each user registered in the system gets a personal vault space and there is also a company-wide credentials management system included with a Dashlane Business account. Employees are able to use their Dashlane service for personal use as well as getting their business passwords managed by the system. The Dashlane service includes a password generator, which creates impossible-to-remember passwords. A Dashlane app on the protected device communicates securely with the Dashlane server to autofill all login screens. The Dashlane app is available for Windows, macOS, iOS, and Android.
Communications between the Dashlane server and protected devices are protected by encryption and access to the dashboard is facilitated through any browser and protected by TLS encryption and authentication. Two-factor authentication is also available but this needs to be activated by the system administrator.
Dashlane Business includes a web protection system that scans any requested web page for malware and blocks it from loading into protected browsers if any hacker tricks are detected.
Dashlane Busines is a subscription service with a rate per user per month. You can access the service on a 30-day free trial.
Zoho Vault is a cloud-based secure storage system that includes a credentials management service and a secure document storage space. Zoho Vault includes a multi-account bundling feature that gives each user a personal space while also creating a group-wide credential management service for system administrators. This means that employees can use their account for personal use as well as for work.
The Zoho Vault is protected by uncrackable 256-bit key AES encryption. The system is accessed through any standard browser and the internet data transfers for console traffic is protected by HTTPS. Zoho also produces an app for access from iOS and Android devices.
The management dashboard syncs with many on-premises or cloud-based access right systems including Active Directory, Azure AD, Google Cloud Platform, and Office 365. This means that Zoho Vault will become your central credentials management dashboard and you won’t need to visit each access rights system because changes made in Zoho Vault get rolled out automatically.
Permissions can be set up per group and you can allocate each user account to a group to automatically set a list of permission per account. Individual permission level settings are also possible.
Each user gets login screens filled in automatically. This means that the complex passwords generated within the management console don’t need to be remembered, and they are not even seen by the end-users. End-user facilities include the ability to grant access to files or directories to other team members registered in the Zoho Vault team account.
A team account of Zoho Vault logs all of the credential-related activities of team members, creating an audit trail that is useful for data security standards compliance and can also be used to investigate data breaches.
Zoho Vault is a subscription service and it is available in three editions for business: Standard, Professional, and Enterprise. The business plans are charged at a rate per user per month. There are no set up fees or minimum service periods. All paid versions are available for a 15-day free trial.
LastPass offers a free credential management service for individuals and has a paid package for business, called LastPass Enterprise. This is a cloud-based service that is able to coordinate with other access rights management systems based on-premises and in the cloud.
The LastPass Enterprise system offers a central dashboard to system administrators where Single Sign-On accounts can be set up for all users. The credential management system is able to integrate with a long list of applications and communicate account credentials without the user getting any sight of passwords. This makes it ideal for use by IT departments and MSPs for technician access.
Among the long list of systems that LastPass Enterprise can manage credentials for are AWS, Salesforce, Datadog, GitHub, Evernote, Google Cloud Platform, Dropbox, and Office 365. Once an application is linked to the LastPass system, all user accounts can be managed centrally through the LastPass system because they will be replicated in the local authorization systems of those other systems.
There are three other LastPass plans for businesses, which are called Teams, MFA, and Identity. However, the Enterprise system is the best of all editions because it includes procedures for multi-factor authentication as well as team credential management services.
LastPass Enterprise is a subscription service with a charge per user per month. You can test the system on a 14-day free trial.