A few days ago, LastPass Enterprise got a fairly substantial update, which brought closer integration with Okta and Azure Active Directory, an expanded selection of roles that admins can provision, and more.
To detail these and other aspects of the product, we had a chat with Matt Kaplan, who is the General Manager of Emerging Products for LogMeIn - which acquired LastPass two years ago - and by extension of LastPass.
First of all, thank you very much for taking the time to answer our questions. Let’s start with a short introduction about LastPass’ consumer and enterprise offerings, for those not familiar.
LastPass is a simple, secure password manager that helps you improve your online security by automating and enabling better password management practices. With LastPass, you can easily generate and use strong, long, and unique passwords, for every single one of your online accounts. LastPass securely stores those passwords as well as other important sensitive data in your LastPass personal and company vaults.
At LastPass, we’re dedicated to delivering effortless security for our users both at home and in the workplace. We do this by providing free and low-cost security solutions for personal use, as well as an enterprise-grade security solution for SMBs and large enterprises. Our Personal portfolio includes LastPass Free, LastPass Premium and the newly-released, LastPass Families. Our Business portfolio includes LastPass Teams and LastPass Enterprise.
Sticking to the consumer side a tad longer, what would you say is the product’s USP (unique selling point), when compared to competing offerings?
The great thing about LastPass is that you only have one password to remember. You create and remember your one master password and LastPass does the rest. Our unique selling point is universal access to your passwords for free (use and sync LastPass on a wide range of browsers, platforms, and unlimited devices) where as other solutions require an annual fee for device synchronization. In our low-cost premium plans we offer safe convenient password sharing, and a “digital emergency plan” to give a loved one access to your vault in an emergency, all wrapped in an experience that’s easy-to-use.
Another important selling point is our zero-knowledge security architecture. All sensitive data stored in your LastPass vault is encrypted locally at the user's device with a key—your master password-- that is never shared with us. What that means is that LastPass never has your master password or access to the data within your vault.
At the beginning of the month you released ‘The Password Exposé’, in which you pointed out the “human element” as the “largest and most effective attack surface.” Could you share what in your opinion is the root cause of passwords as a “compounding problem”?
Humans are really the weakest link in a security strategy. With more than 191 passwords on average – there is no way a person can remember unique credentials for each one – so they compensate by creating weak passwords and reusing them on multiple websites and online accounts. Unfortunately, with the frequency of data breaches and hacks, it's all too easy for your one password to fall into the wrong hands. Additionally, the line between “business” and “personal” worlds is a blurry one. People are motivated by convenience and productivity, so using the same weak password for both personal and business accounts creates a huge attack surface that grows with the size of the employee base. Employees also use non-sanctioned, personal accounts in the workplace to share files and other sensitive company-owned information because it’s easier than using the IT-managed applications.
In the same document, you mention that, according to your findings, over half of the most popular websites do not have “out-of-the-box support for SSO” (Single Sign-On). How does LastPass fit into this access control system?
Putting a business password manager in place ensures all of those websites and services not under SSO control are “captured” and managed by IT policies – even the ones IT is not aware are being used. Many of our customers use LastPass Enterprise alongside SSO solutions, so no entryway to the business is left open by an unsecured password.
The practice of sharing passwords, while not recommended for security reasons, is a day-to-day occurrence for things like social media accounts or dedicated brand pages. How does your offering handle such situations?
Whether it’s to give a spouse access to jointly-managed accounts, or to make sure passwords are available in case of emergency, it’s inevitable we will all need to share access via a password with someone at some point. But when sharing passwords in the workplace, it’s too easy to lose accountability and too difficult to make sure everyone is following good password security practices. And if a shared password isn’t reset, an ex-employee or former vendor who had access to a sensitive account could become the source of a data breach.
LastPass has a secure password sharing feature built in so that you can easily share passwords in an encrypted format with someone else. It also provides greater accountability by letting you know who has access to a password at any given time. You don’t have to rely on insecure methods of sharing passwords such as email, texting, shared Excel documents, or writing them down.
Folks who have both consumer and enterprise versions of the product can link their accounts together, if they so desire – in fact there’s even a policy that can be applied to require this. What fail-safes does LastPass employ to reduce the likelihood of this joint unit being compromised?
It’s very important that you use a strong master password and multi-factor authentication. Although with LastPass, you’re protected by the many layers of encryption and security we put in place to keep your data safe, using a strong and unique master password along with two-factor authentication will not only protect you from a brute-force attack but will also ensure that a breach at another random website won’t affect your LastPass account.
Since we touched on linked accounts, perhaps we should also mention the smart organization between personal and work vaults that debuted in the latest LastPass Enterprise update. Is this default policy only configurable by admins, or can the employee tweak the implementation on his or her end?
This is an Enterprise policy that can only be controlled by the admin. With this new policy, LastPass will detect the email address used as the username when an employee registers for a new site and automatically sort credentials to the right vault – business or personal. This ensures work and personal passwords end up in the right vault, without imposing on the privacy of personal employee credentials.
The aforementioned update has also brought Okta and Azure Active Directory integration in LastPass Enterprise. What are some of the changes made compared to the previous implementation of this capability?
LastPass has long supported sync with Microsoft Active Directory to help IT feed the relevant information from their user directory for onboarding and offboarding users to LastPass.
In many companies, user identities are centrally managed through Active Directory (AD), Lightweight Directory Access Protocol (LDAP) directories, or Single Sign-On providers like Okta. As businesses shift to the cloud, leveraging this "source of truth" is critical in ensuring user access is appropriate and safe.
Our latest update expanded our suite of user directory integrations to Okta and Azure AD, making it easier for admins not only to get employees on board with LastPass, but give IT the ability to instantly grant or revoke an employee’s access to the corporate systems managed through LastPass.
On the enterprise side, you’ve also expanded on the types of roles that can be assigned to employees. One example is the Helpdesk role, which has more limited admin privileges. Could you expand a bit on that?
As large organizations deploy and manage LastPass, admins need to be able to delegate LastPass-related tasks to others without giving them full access to the admin dashboard. For example, an internal helpdesk rep may need to provision a user or help reset their multi-factor authentication. In these cases, it's critical that only the right level of privileges are granted to the employee who needs access to the admin dashboard, rather than giving full rights.
Now, admins can build one or more custom “Helpdesk” roles and assign the role to specific users. Available permissions include the option to resend an invitation, require a master password change, add or disable a user, etc. They cannot change policies, view reporting or use any super admin capabilities.
Another highlight of the latest LastPass Enterprise version is the ability for businesses to provide LastPass Premium to their employees, as a perk. How does that work in conjunction with existing Enterprise plans and what would be the cost involved?
Many of our customers have asked about how to help employees take good password practices home. It only takes one employee or one password to compromise an entire company. As we’ve seen from many of the reported breaches at companies, that one password could be a personal one, rather than work-related, that grants entry to attackers. You can’t control your employees’ personal passwords, but you can give them the tools to better manage them.
Our new Premium as a Perk programs includes discounted bulk pricing (the retail value of 1 Premium license is $24/year), a custom landing page for simple employee sign-up, and the ability to renew in bulk.
Finally, is there anything else you can share regarding the short to medium term future of LastPass (both consumer and enterprise)?
If you think about it, nearly all your valuable assets are now stored and accessible online. Your money, investments, digital photos and videos, personal contacts, conversations, and more are all just a click away, secured in most cases by a username and password created years ago. A single breach in one of your accounts could mean the loss of your life savings, your identity, your reputation, and many memories. It’s time to get serious about cybersecurity and LastPass has the perfect solution for individuals, families, teams and enterprises.
The recent updates to our Enterprise offering are an important step in better integrating with – and leveraging – the tools and technologies companies already have in place, so they can achieve their security goals faster. By integrating seamlessly with a customer’s IT environment and providing a tool that’s easy for employees to use, organizations have all they need to successfully and quickly deploy password security, company-wide.
In 2018, we will continue to deliver on our promise to provide effortless security with a best-in-class password management solution for all.
if interested, you can find out more information about the Password Exposé mentioned, at this link. Further details on the SSO implementation and specific features of both enterprise and consumer variants of LastPass can be found in the dedicated help center.