🔒 Setup BitWarden for the Organisation

TYPE: Preparation
AUDIENCE: 🏗️
PRIORITY: ⭐⭐⭐
COMPLEXITY: ⭐⭐
EFFORT: 🏗️
COST: 🔁💵💵
UPDATED: 2021-06-28

Rationale

Password managers are essential for any digital security practice. That's why we suggest that the same password manager be provided to all staff in your organisation. This way, team members can share tips with each other and learn from each other how to best use it. The organisation can then also leverage more advanced features, such as emergency access and secure password sharing.

We thus recommend that you 🔒 Setup a Bitwarden Account for your organisation.

Instructions

What you should know

While the free (basic) version of BitWarden has all the essential features a password manager should offer, the Teams version adds features that are very useful for organisations managing their password security through Bitwarden. It allows organisations to:

  1. Securely share passwords - at the organisation level, so they don't need to be sent through other communication channels.
  2. Restrict access to specific user groups - so only the right group can access that group's passwords.
  3. Review access logs - to see who accessed which password, and when.

These benefits come on top of the premium benefits, which are also available to all Teams users:

  1. Personal Emergency Access - the ability to set up an emergency contact who can take over a staff member's passwords in an emergency. Useful when a staff member is compromised and all their passwords need to be reset urgently.
  2. Built-in two-factor authentication - support for time-based one-time passwords (TOTP). Useful if your organisation has decided to 🔒 Use Multi-Factor Authentication.
  3. Vault Health Reports - let all your staff see when their passwords have been exposed in a breach, are weak, or are reused across multiple sites.
  4. YubiKey support - the ability to use hardware security keys. Only useful if you are going to 💻-🖥️-📱 Issue Yubikeys to Staff.

Together these features go a long way in keeping your staff's online accounts safe.

What you should prepare

Based on the feature sets described above, there are three options for your organisation.

Which of these options is best for you will depend on your needs and willingness to pay for these features.

Note that emergency access can be arranged internally by giving everyone's master password to a point person, but this introduces management overhead and room for mistakes, for example if someone updates their master password and then forgets to share it with the point person.

Securely sharing passwords is much harder to organise yourselves, and we strongly recommend against trying to, as failing to manage it well could introduce additional security risks.

Note that non-profits can request a 30% discount on the prices.

What you should do

Once you've decided whether your organisation will provide its staff with BASIC, PREMIUM or TEAMS accounts, you will want to go through the following steps.

1. All Accounts

Regardless of the account type, all staff will need to install Bitwarden on their devices. If you have chosen the TEAMS option, invite your staff to join your Bitwarden organisation; otherwise ask them to sign up with their work email.

The relevant guides are:

  1. 🔒 Setup a Bitwarden Account
  2. 🔒 Setup Bitwarden on Desktop
  3. 🔒 Setup Bitwarden on Mobile

2. Premium Accounts: Emergency Protocol

In addition to the benefits for individual users, the most useful feature of premium accounts is "Emergency access". To fully integrate this into your security practice, your organisation should consider:

  1. Point person - who has emergency access to another staff member's passwords. This does not need to be the same person for the whole organisation, but they do need to be available and know what they are responsible for.
  2. Trigger conditions - agree under what conditions the emergency contact will request access to the other staff member's passwords.
  3. Access control - should they only have read access, or the ability to take over control as if they owned that BitWarden account?
  4. Automatic grant - BitWarden asks the account owner whether they want to grant emergency access; there is also a time-out you can set after which access is granted automatically. This is very useful when people are no longer in a position to grant access.

The flow of the setup would be as follows:

[Image: flow of the emergency access setup (not reproduced here)]
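To make the point-person, access-control and automatic-grant decisions above concrete, here is a small constructed model of the emergency access lifecycle as this page describes it (a grantee requests access, the grantor can approve or reject, and an unanswered request is granted automatically once the wait time elapses). This is added example code, not Bitwarden's own code or API; the class, field and state names are assumptions for illustration.

```python
# Constructed model of Bitwarden-style emergency access; not Bitwarden's code.
# Grantor names a grantee, picks VIEW or TAKEOVER and a wait time in days.
# Once the grantee requests access the grantor can approve or reject; if the
# wait time elapses with no answer, access is granted automatically.
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

class AccessType(Enum):
    VIEW = "view"          # read-only view of the grantor's vault
    TAKEOVER = "takeover"  # grantee may reset the master password and take over

class Status(Enum):
    CONFIRMED = "confirmed"  # trusted contact set up, no request pending
    REQUESTED = "requested"  # grantee asked; the grantor's clock is running
    APPROVED = "approved"    # grantor said yes, or the wait time ran out
    REJECTED = "rejected"    # grantor said no in time

@dataclass
class EmergencyAccess:
    grantor: str
    grantee: str
    access_type: AccessType
    wait_days: int                      # assumed to be at least one day
    status: Status = Status.CONFIRMED
    requested_at: Optional[datetime] = None

    def request(self, now: datetime) -> Status:
        """Grantee initiates emergency access; only valid with no request pending."""
        if self.status is not Status.CONFIRMED:
            raise RuntimeError(f"cannot request while {self.status.value}")
        self.status, self.requested_at = Status.REQUESTED, now
        return self.status

    def status_at(self, now: datetime) -> Status:
        """Effective state at `now`: a pending request auto-approves once the wait elapses."""
        if self.status is Status.REQUESTED and self.requested_at is not None:
            if now >= self.requested_at + timedelta(days=self.wait_days):
                self.status = Status.APPROVED
        return self.status

    def grantor_responds(self, approve: bool, now: datetime) -> Status:
        """Grantor approves or rejects; after the auto-grant a rejection is too late."""
        if self.status_at(now) is not Status.REQUESTED:
            raise RuntimeError(f"no pending request (state is {self.status.value})")
        self.status = Status.APPROVED if approve else Status.REJECTED
        return self.status

    def can_take_over(self, now: datetime) -> bool:
        """Takeover requires an APPROVED request and the TAKEOVER access type."""
        return self.status_at(now) is Status.APPROVED and self.access_type is AccessType.TAKEOVER
```

The wait time is the window in which a grantor who is still reachable can reject a request; a shorter window speeds up recovery when a staff member is truly unavailable, at the cost of less time to notice a mistaken or unwanted request.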

3. Teams Accounts

The most useful feature offered for business accounts is the ability to share passwords and manage access to them.

The most basic use of this feature is sharing passwords for web services that are registered to the organisation rather than to individuals, i.e. ones registered to [email protected].

More advanced usage of this feature gives you fine-grained control over the encrypted vaults you share in the cloud between teams. In combination with Cryptomator, Bitwarden can thus be used to 💻-🖥️ Manage Sensitive Files in the Cloud with a Team.