Automated Logic, a business unit of Carrier (a global provider of sustainable and intelligent building and cold chain solutions), is responsible for designing, installing, and servicing building automation systems (also known as BASs).
The foundation of strong BASs rests on operational technology (OT) that makes modern buildings comfortable and efficient and reduces the cost of operation for their owner. This is accomplished through sensors that determine the current state of systems and occupants and then send signals to electromechanical equipment to affect the systems they control.
Automated Logic’s BASs are architected around Web Control, a central server that accesses customer networks so it can perform its building automation services. But that access also presents security risks.
Building Credential Management to Scale Business Management
While the need to operate on customer networks and customer infrastructure was non-negotiable, Automated Logic found that it was being presented with inconsistent methods of access to customer networks. It had to keep track of shared, individual, and service account credentials - all of which were required to change regularly due to password rotation. The company also kept track of individual credentials associated with its application server and the databases it uses.
Automated Logic goes to market through field offices, which are managed by different sets of employees. The employees had done the best they could to manage the credential complexity. Unfortunately, the nature of the problem meant the company was still left in a sub-optimal state.
“There wasn’t any consistency in the way these credentials were tracked,” said Ed Horn, software product manager with Automated Logic. “Credentials were generated that were either predictable or outright reused. Most people can recognize that state of affairs carries with it a very specific and worrisome set of risks.”
Adds Horn, “As a service business, our ability to gain access to customer systems and be able to affect fixes or updates is critical to our success as a business. Having credentials in the hands of individuals, so only they have access, or having credentials that are poorly managed or inaccessible - that was enough to keep us up at night. So in an effort to ensure that access was reliable, the credentials were often created to be predictable. People who had legitimate business knowledge of these credentials would have knowledge of credentials for new customer sites and new installations, regardless of whether or not a legitimate business need had elapsed. And that is not a great situation.”
The leadership team at Automated Logic realized it needed a solution to its access management challenges. The solution they landed on was a password vault - specifically, Bitwarden.
Ahead of selecting Bitwarden, the team developed a list of requirements for their optimal password management vault. Those requirements included:
Single sign-on integration
Secure method of sharing credentials and notes
Credential autofill in Chrome and Edge browsers
Automated Logic conducted extensive research as it sought to identify the password management vault solution best suited to meet its needs. The team visited support forums (including Reddit) and perused feedback on social media before narrowing down its list to two partners. Automated Logic then engaged in comprehensive and thorough pilots with both solutions in order to make its final decision. Piloting the solutions was advantageous for many reasons, not least that Automated Logic employees were able to test out both options themselves. Ultimately they decided to select Bitwarden as their password management solution, having landed on four compelling factors:
Partnership with the solution provider
“In summary, it really all came down to a few things,” said Horn. “It’s user preference - that’s obvious. It's an admin and management preference, so how well it fits with your business. And certainly the thing everyone thinks about, is the technology right? Does it fit? But truly, at the end of the day our selection came down to partnership. And it was really about selecting a business partner to move us forward in our quest for better security.”