By Michael Brengs
A hacker attacks. Your company reacts. That’s the default position most companies find themselves in, despite their best intentions.
Proactive security is ideal, but when most organizations think about proactivity, they think intrusion prevention… and then they stop thinking. What people are forgetting is the fundamentals: identity and access management (IAM).
IAM controls who gets into a network and what they can do once inside. A lot of breaches are caused by careless mistakes, such as granting administrative powers to a partner whose staff can then change or take whatever they want without constraints. Something similar happened earlier this year when Amazon was breached by hackers leveraging weak passwords and poor security hygiene to divert funds from Amazon’s vendors into the hackers’ own bank accounts.
Breaches like that are common, but they don’t have to be. Business leaders need to ask their CISOs what is being done to prevent unauthorized or over-privileged access, and cybersecurity professionals need to rethink their IAM strategies to make sure every partner and vendor has exactly the access they need and not a single byte more.
Goodbye, Mr. Robot. Hello, Tony Soprano.
In the not-so-distant past, passwords alone provided an adequate level of protection for the average enterprise. When critical business operations were performed with pen and paper, user accounts could be protected with simple passwords, and passwords could be shared without much risk. There have always been hackers, but their low numbers and skill levels limited the damage they could inflict. That’s all changed.
The stereotype of a hacker in a hoodie is outdated. A hacker is now more likely to be a sophisticated member of a crew that is trained, organized, and funded by a criminal organization or a nation-state, and these types of attackers are good at what they do. Last year in the UK, for instance, 36 percent of all crimes reported were cybercrimes, and that’s just the crimes that were reported. Many companies do not publicize breaches because the publicity could cost them more than the attack.
Cybercriminals can be successful because the methods businesses use to connect with each other create a lot of unlocked doors and open windows. The rise of SaaS, cloud, APIs, and vendor self-service tools has blurred the boundaries of the typical network; you know your vendor is part of your network, but what about your vendor’s vendor? Understanding what needs to be protected, who should have access, and what security protocols must be in place for all network participants is everyone’s job, and a job that belongs to everyone too often ends up belonging to nobody.
Are passwords passé?
Everyone knows that 123456 isn’t a good password. Yet not only do people continue to use 123456, it was the most common password of 2016… and 2015, and 2014, and 2013. Savvy network administrators try to quash this carelessness by regularly making users change their passwords to strings that include a certain number and type of characters. Then the IT support team spends its days answering forgotten-password requests, since no one can remember how to log in. Maybe those IT teams should be grateful; at least the people calling the helpdesk aren’t writing their passwords on sticky notes that are now hanging on their monitors for the world to steal, which is the practice of about half of any typical user base.
Multi-factor Authentication for the Masses
There are three factors used to authenticate identity: something you know, like a password; something you have, like a fob; or something you are, like a fingerprint or retina. The gold standard right now is to incorporate at least two of these factors into an IAM program. This is called multi-factor authentication, or MFA.
MFA has been used in critical technology environments, like data centers, for many years. But while the server guys were entering PINs in conjunction with using card readers or iris scanners, the typical end-users were still just using passwords to get into their corporate systems. The problems associated with managing physical tokens or biometric data for an entire workforce were just too great a burden for most organizations.
However, smartphones have changed the way end-users view MFA. Since most people have a smartphone, they’re already carrying a physical token, and since most of them use fingerprint recognition to unlock those phones, they’re already using biometrics. Employees may rebel at the idea of providing biometric data to their corporations, but they’re not going to mind using biometric data to unlock their phones to retrieve a temporary password sent by text.
Authentication as a Service
Nobody is against multi-factor authentication. Common sense would indicate that if one lock is good, two locks are better. But business leaders have to keep their organizations secure in all ways, and they may perceive the cost and difficulty of implementing MFA as a risk as well.
However, IAM solutions that include MFA don’t have to be hard. Companies can control access in the same way they run operational software by using the cloud.
The benefits of Authentication as a Service (AaaS) are the same as those of any SaaS product: no need to maintain, update, upgrade, or install. But there are additional benefits as well. Unlike CRM or BI solutions that have to evolve in accordance with user demand, IAM solutions must meet both changing user demands and the changing threat landscape. Hackers are always working to improve their techniques, tactics, and procedures, so an IAM solution needs to be agile. Software that comes in a box or requires a team of project managers and engineers to update is simply too slow and clunky to provide adequate protection in a world of dangers that move at the speed of light.
Harden the whole company
Turning on an AaaS solution is as simple as signing a contract, but just as with any IAM implementation, access needs to be planned strategically. Determining which members of a trading circle need access to which services and data will lay the foundation for a successful AaaS initiative. That said, something is better than nothing, so don’t put off adopting an AaaS solution until your strategy is complete. The beauty of a cloud-based product is that it’s flexible, so you can make changes as you evolve your program.
As everyone knows by now, security is not a technology problem; it’s a people problem. By removing the ability of people to choose 123456 as their password, preventing the need for them to write down their passwords on sticky notes, and tightly controlling their activities once they log in, true proactive security can be established. A thoughtful IAM strategy is an essential component of a holistic security posture.
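"Removing the ability to choose 123456" is done at the point where a password is set, by screening the candidate against a list of commonly used or breached values rather than by forcing character-class rules that users work around. The example below is added here and is not code from the article or from any product it mentions. The blocklist is a constructed stand-in for a real common-password list, and the normalisation step (lowercasing, dropping a trailing year and punctuation, undoing the usual letter-for-symbol swaps) is what stops `P@ssw0rd2017!` from slipping past a check that only knows `password`. The function and reason names are this example's own.

```python
import re

# Constructed blocklist standing in for a real list of commonly used or breached
# passwords; a deployment would load tens of millions of entries, not seven.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome", "iloveyou", "admin"}
MIN_LENGTH = 8

# Substitutions users make to satisfy complexity rules without changing the word.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a candidate to the word the user actually had in mind so trivial
    variants of a banned value are caught: 'P@ssw0rd2017!' becomes 'password'."""
    p = password.lower()
    p = re.sub(r"[^a-z0-9]+$", "", p)  # trailing punctuation ('!!', '#')
    p = re.sub(r"[0-9]+$", "", p)      # trailing digits, typically a year
    return p.translate(LEET)


def screen_password(password: str, context_words=()) -> list:
    """Return the reasons a candidate is rejected; an empty list means accepted.
    context_words are the values an attacker tries first for this account:
    the username, the company name, the product name."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("length")
    norm = normalize(password)
    if password.lower() in COMMON_PASSWORDS or norm in COMMON_PASSWORDS:
        reasons.append("common")
    for word in context_words:
        w = word.lower()
        if len(w) >= 3 and (w in password.lower() or w in norm):
            reasons.append("context")
            break
    return reasons


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd2017!", "Acme2024!!", "correct horse battery staple"):
        verdict = screen_password(candidate, context_words=("acme", "mbrengs"))
        print(f"{candidate!r:32} -> {'accepted' if not verdict else ', '.join(verdict)}")
```

Returning a list of reasons rather than a bare boolean lets the enrolment page tell the user why the candidate was refused, which is what keeps the rejected user from reaching for the next entry on the same list.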
About the Author
Michael Brengs has over 23 years of experience in the software industry and has been deploying identity management solutions since joining OpenNetwork Technologies in 2000 (acquired by BMC Software), and later with Oblix (acquired by Oracle). He is currently a managing partner with Optimal IdM. Mr. Brengs attended the University of South Florida, where he earned an undergraduate degree in Management Information Systems. I highly recommend you look at our solution, the OptimalCloud, with a free trial. Secure, scalable and customizable, the OptimalCloud is a complete Identity-as-a-Service (IDaaS) solution with delegated administration and workflow capabilities that can be customized to meet the specific needs of its clients. The OptimalCloud offers a private, secure and dedicated cloud, which is essential for meeting corporate security and compliance restrictions. The multi-factor authentication-as-a-service offering allows customers to implement a variety of MFA solutions using their existing on-prem or cloud federation solutions, including time-based one-time password (TOTP), short message service (SMS), e-mail and push authentication. Further to that, the OptimalCloud’s built-in cloud reporting system provides a real-time historical audit record of all activity, including detailed granular reporting, which is stored in a dedicated private database. The OptimalCloud is billed as an affordable, flat monthly fee, which fits with budgetary and approval requirements.