People might now be wondering about the protection on offer from secure vaults and password management providers after the LastPass data breaches, according to Craig Lurey, chief technology officer (CTO) and co-founder at Keeper Security.
And whether stored vault information is defended in the case of a data breach can be down to various factors which should be made clearer to customers, Lurey suggested in this blog post.
“Customers rightly want to understand our protections, in the event that a breach does occur,” he wrote.
At Keeper Security, key points include rigorous password management and enforcement policies strengthened by the way complex hybridised environments and multiple iterations are managed.
“For customers who use a master password to log in, a strong and unique master password is critical, along with the enforcement of 1,000,000 PBKDF2 iterations,” Lurey wrote.
“Keeper administrators can easily enforce master password complexity rules on end-users and iterations in role-based enforcement policies.”
The company says that, for customers deploying Keeper through a single sign-on (SSO) product such as Azure, Okta, Ping, ADFS or other identity provider, master password key derivation is no threat.
Instead, all data encryption uses elliptic curve (EC) keys, with Keeper SSO Connect also being “fully documented and patented”.
Keeper Security therefore offers more detail online, linked to within the blog.
“A detailed description and mathematical proof of the strength of vaults encrypted with password-derived keys versus EC keys is described in Keeper’s encryption model documentation,” Lurey added.
“The Bitcoin blockchain uses ECC-256. This creates a de facto $300 billion bounty on the strength of 256-bit elliptic curves.”
Lurey said that enterprises seeking the best possible security in password management might look at offerings like SSO Connect from Keeper, which also offers “seamless integration” with current identity management stacks.
Encryption of all data, in transit or at rest, is also crucial these days, with control over privacy and compliance requirements retained.
“Customers may host their Keeper tenant in their preferred primary region. Customer data (stored ciphertext) and access to the platform are isolated to the specific region of the customer’s choosing,” explained Lurey.
“All encrypted payloads sent to Keeper servers are wrapped by a 256-bit AES transmission key in addition to Transport Layer Security (TLS), to protect against man-in-the-middle attacks.”
Keys to the cloud – or on-prem
The transmission key is generated on the client device and transferred to the server using ECIES encryption via the server’s EC public key, layering further encryption on top of the data encryption already packaged into the payload, tunnelling direct to Keeper application servers, he said.
Keeper has created an advanced cloud authentication and network communications model built for the highest levels of privacy, security and trust, he maintained, holding long-standing SOC 2 and ISO 27001 certifications. Its solutiojns are also PCI DSS certified.
The vendor also performs quarterly application penetration testing of all its products and systems with the likes of NCC Group and Cybertest, including red-team style pen tests of internal and externally-exposed systems with full source code access.
“Keeper has also partnered with Bugcrowd to manage its bug bounty and vulnerability disclosure program (VDP),” Lurey said.
Anyone with questions is invited to email security@keepersecurity.com for further information, he said.
