Recommended Security Settings
Administrative recommendations for Keeper Security policies and settings
At the foundation, Keeper is an encryption platform with policies and controls in place to protect customer data, within the constraints set by the Keeper administrator. In this shared security model, the customer is responsible for implementing the recommended policies to ensure least privilege, break-glass access, and the highest levels of data protection. This document outlines key recommendations and policies that will help you secure the data stored within the environment, while ensuring the best possible experience for your target users.
Keeper Administrators hold the encryption keys used to access the Admin Console, provision users, manage enforcement policies and perform day to day user administration.
At least two users should hold the "Keeper Administrator" role. We strongly recommend adding a secondary administrator to this role in case one account is lost or the person leaves the organization. By design, the Keeper support team cannot elevate a user to an administrative role or reset an administrator's Master Password, so an organization with a single administrator has no recovery path if that account becomes unusable.
Account Transfer provides a mechanism for a designated administrator to recover the contents of a user's vault, in case the employee suddenly leaves or is terminated. This is an optional feature that must be configured by the Keeper Administrator during the initial deployment phase of the Keeper rollout, because it requires specific steps to escrow the user's encryption keys.
The Account Transfer policy is recommended if users are authenticating with a Master Password, and if the enterprise has concerns regarding the loss of specific user vaults.
As with any SaaS platform, account recovery gives end users a route to restore access to their account if the primary authentication method is lost or forgotten. In Keeper, by default the user can configure a self-selected Security Question and Answer. The answer is then used to encrypt the user's Data Key using a key derivation similar to the Master Password method, which means the answer is a second secret that unlocks the vault and should be held to the same standard as the Master Password.
If you are deploying to users with a single sign-on product such as Azure, account recovery may not be necessary or warranted, since authentication is delegated to your identity provider. In addition, Keeper's SSO authentication protects the user's keys with Elliptic Curve cryptography rather than with a key derived from a memorized secret, so there is no password-derived key for an attacker to brute force offline. Therefore, it is best simply not to offer account recovery, if this is acceptable to your users.
To disable account recovery, go to Roles > Enforcement Policies > Account Settings and select "Disable security question and answer for account recovery".
For users who login with a Master Password, the key to decrypt and encrypt the Data Key is derived from the user’s Master Password using the password-based key derivation function (PBKDF2), with 1,000,000 iterations by default. After the user types their Master Password, the key is derived locally and then unwraps the Data Key. After the Data Key is decrypted, it is used to unwrap the individual record keys and folder keys. The Record Key then decrypts each of the stored record contents locally.
Keeper's cloud infrastructure, hosted in the Amazon AWS environment, implements several mitigations against unauthorized access, including device verification, throttling and other protections. These defend the online login path only. An attacker who obtains a copy of a user's encrypted vault can attempt an offline brute-force attack against the Master Password, where each guess costs one full key derivation; enforcing strong Master Password complexity is what significantly reduces that risk.
The National Institute of Standards and Technology (NIST) provides password guidelines in Special Publication 800-63B. The guidelines promote a balance between usability and security; in other words, passwords should be easy to remember but hard to guess. NIST recommends an eight-character minimum, but a higher value will ultimately result in a password that is harder to guess or crack. Keeper recommends at least 12 characters.
Two-Factor Authentication (2FA), also commonly referred to as multi-factor authentication (MFA), adds a second layer of security to vault access. The first layer is something your users know: their Master Password, or their SSO login. The second layer is something they have: either a mobile device (SMS text or a TOTP application) or a hardware security key such as a YubiKey or Google Titan Key. SMS is the weakest of these options and a hardware key the strongest.
While Keeper's cloud infrastructure implements several mitigations against brute-force attacks, requiring a second factor makes it considerably more difficult for an attacker to gain access to a user's vault. A role-based enforcement policy can mandate that all users in the enterprise configure 2FA on their vault account. SSO-enabled users should, at a minimum, have 2FA enforced at their IdP; Keeper checks for a signed assertion from the identity provider during SSO authentication, so the IdP's factors gate the login. For additional security, 2FA can also be enabled on the Keeper side in addition to the IdP. To set up 2FA, see the section of this guide: Two-Factor Authentication.
To prevent users from accessing their work vault outside of approved locations and networks, administrators should consider activating IP Address Allowlisting. This role-based enforcement setting restricts designated users to opening their vaults only when their device is on an approved network. Before enforcing it, confirm that the addresses your administrators connect from are on the list, so the policy cannot lock out the people who need to change it.
Keeper's Advanced Reporting System provides built-in alerting capabilities that notify users and administrators of important events. As a best practice, we have compiled a list of recommended alerts that the Keeper Administrator can configure.
As a general security practice, we recommend that Enterprise customers limit the ability of end users to install unapproved third-party browser extensions. A browser extension with elevated permissions can read any information within any website or browser-based application, including a password manager's autofill. Please refer to your device management software to ensure that Keeper is allowed, and that unapproved extensions are blocked or removed.