As the new year starts and people are making resolutions and plans for the coming year, business leaders are also thinking about the same for their organisations. There are plenty of exciting technologies and solutions that can catch the eye; SASE, SD-WAN, SIEM, XDR, SOAR (lots of S’s right now apparently). But what about investing in our most basic of security measure: the humble password.
For years the password has been the main way we ensure that accounts are protected and only accessible by authorised people, but in 2022 I think its finally time that its given the attention it deserves.
Until recently, the prevailing wisdom has been to make passwords long, complex and short-lived to ensure that they can’t be easily compromised and that if they are disclosed, exposure should be minimum due to the length and history requirements that are being enforced. This is all fine in a perfect world, but humans are naturally imperfect beings, so compromises are introduced. Complexity rules are loosened to ensure staff are able to remember their passwords without writing them down; password age rules are removed for service accounts so you don’t have to remember which servers and services are using them. The protections we put in place for one of our most precious security features are slowly eroded to make them usable in the real world.
Now we also have to contend with SaaS services consuming the world, where your users can be anywhere in the world, at any time of the day, wanting access to corporate data and resources. With our faithful password protecting them, all it takes is one successful phishing email or mis-clicked link and that password is now in the hands of our adversaries and should be considered compromised. But that leads to the problem of how are we meant to know that it has been breached?
This is a quandary a lot of organisations are finding themselves in. Sure we can gather the logs from all our systems to see who is authenticating and from where, but who is looking at these logs and acting on them? How long is it going to take someone to respond and how much damage can be be done before its discovered. This is where we are seeing organisations want to invest in SOAR solutions to reduce the response times when incidents are happening, but why not stop the compromise happening to start with?
The solution doesn’t have to be complex and its one that has been known about for years, yet for some reason is so easily forgotten about: Multi-factor Authentication or MFA. Just one look at the Sysadmin Sub-Reddit shows the number of people getting their AWS accounts compromised due to password re-use, with thousands of dollars of charges being racked up when AWS will provide you MFA right out of the box.
Once requiring physical tokens or key-fobs, most modern MFA providers have an app that sits on your smartphone. Most people have a smartphone in their pockets all day, so the consumption of MFA is easier than ever, so why are we still seeing these same compromises happening? Is it laziness, reticence, hesitance or just apathy that is causing us to be stuck in a the same password only situation.
There are plenty of solutions out there to choose from them vendors such as Okta, Ping Identity or Microsoft, but why stop at just MFA? Most modern MFA providers also come with additional benefits such as access policies that control who can access what resource, when MFA should be required and ensuring all systems containing user details are kept up to date with the same information. This is where we move away from simple passwords into the realms of Identity and Access Management (IDAM or IAM).
You get a plethora of benefits by investing into IDAM, such as single-sign on or integration in your JLM processes, but even just deploying MFA into all your authentication workflows provides immeasurable security benefits and peace of mind to your organisation. Yet so often this is not top of the list of technologies to look into, because there is also something else grabbing the headlines.
So this new year, treat yourself and your organisation. Make the new years resolution to take a look at how you authenticate your users and whether or not this is sufficient in the world of SaaS and remote working. Lets all make it our resolution to end the scourge of password only systems.
Do you have any questions about your authentication strategy?
Get in touch with SEP2 today to find out how to protect your business.