_Challenge

More secure, insightful password management

In order to comply with the BIO (Baseline Information Security Government) and be prepared for NIS2, Omgevingsdienst Noordzeekanaalgebied (here after OD NZKG) needed to ensure good password management and clear guidelines for employees. But central password management was lacking: employees used their own solutions, from browser password managers to mediocre or difficult-to-manage tools.

“Most people used Chrome, Edge and iPhone password managers,” says Harald Inen, ICT advisor at the Environment Service OD NZKG. “Although these solutions are user-friendly, we missed a central solution that also provided insight into usage.”

There was also another major risk: password reuse. “We know that passwords are repeated. Passwords that you use to log into Windows are also used outside the home.” This led to too great risks for the organization, says Harald.

‍

_Approach

From IT to the rest of the organization

The organization investigated the market and ultimately chose MindYourPass because of its unique approach: not a traditional “password vault” that itself is an attractive target, but a technique that generates passwords dynamically and therefore does not store them centrally. Another factor was that MindyourPass is a Dutch party, with short lines of communication and good contact.

Before implementation, a baseline measurement was first done. By measuring login behavior, we identified which sites requested passwords, how often passwords were reused and where the biggest risks were. This provided valuable insight and provided a starting point for discussions about policy and awareness.

The rollout itself was a learning process. Initially, they started with the IT department. “You shouldn't do that,” laughs Harald. “IT uses a password manager differently than the rest of the organization. You're now taking on the most complex, complicated piece.”

That's why the approach was changed: small teams of 15-30 people who are motivated to use it. They are intensively supervised and trained - after which they can then motivate and manage the rest of the organization.

‍

_Outcome

Grip and insight

Thanks to this phased approach, the OD NZKG is getting more and more control over its password landscape. There is now better insight into the application landscape and accounts that fall outside Single Sign-On.

“In addition to being a password manager, it also offers great functionality to gain even more insight into the security of your environment,” explains Harald. “And that's worth money.”

The tool supports the organization's password policy by enabling enforceable requirements, such as not reusing passwords. 50-60 people are now working with MindYourPass and usage is slowly growing.

‍

_Reflection

Building a safer organization

The rollout brought valuable lessons. The first group (IT) did not appear to be a logical pilot group because of their technical needs and critical attitude. Adoption also appears to be challenging in general, especially because browser password managers seem much easier. That is why the organization is now focusing on better information and more visual communication, and exceptions to the policy are carefully motivated and recorded.

The cooperation with MindYourPass has been positively experienced: the team is involved, thinks along and the technology fits well with the strategy of not storing passwords centrally. The solution not only helps to meet the BIO requirements, but especially to manage risks in an increasingly complex digital environment. For example, the North Sea Area Environment Service is gradually building a safer organization.

‍