Access Management for Modern Organizations
by Anastasios Arampatzis
During the past 18 months, organizations across all industries and sectors have faced and responded to unparalleled challenges, which drove accelerated adoption of cloud services and remote work models. The increased pace of digital transformation introduces numerous benefits and opportunities, as well as greater threats. IT security teams have realized that traditional security controls and policies are no longer adequate to protect systems and data distributed across multiple cloud environments and accessed by private computing devices and networks. A novel approach to access management is required.
Identity is the new perimeter
Traditional access security was based on a mix of physical controls and logical network controls to validate the identity of those requesting access to systems and data. Data servers and data resided on-premises and everyone inside the corporate perimeter was considered a trusted entity.
However, in cloud-based organizations and remote work settings, where everyone is an outsider, corporate boundaries have evaporated. With thousands of entry points to systems and data, originating from literally anywhere, how can you define the network perimeter? You simply can’t.
In this challenging setup, identity rose as a new opportunity. As many security professionals state, “identity is the new perimeter.” Strong identity authentication and validation is the cornerstone for ensuring that only authorized individuals (and machines) can gain access to critical resources and sensitive data.
Lack of robust identity and access management (IAM) results in data breaches that are costly – not only because the victim pays penalties for violating security and privacy regulations, but also because the brand is damaged and revenue is lost. The impact of weak access management processes is depicted in the latest iteration of the Verizon Data Breach Investigations Report:
- 70% of all misuse varieties in breaches were privilege misuse.
- 61% of breaches involved credential data.
- User credentials are among the most sought-after data in breaches.
As technology evolves, businesses are presented with many authentication methods to choose from, which are much stronger and safer than passwords. Despite that, passwords still prevail.
Passwords: insecure and expensive
The number of platforms used in daily business has sharply increased the number of passwords users have to remember. According to a recent study, users now need to manage 100 passwords across their various web accounts. To cope with this password sprawl and make their lives easier, users adopt bad practices, such as creating weak passwords with small variations from one another, or simply reusing the same password across multiple platforms.
These practices prevail even when users are aware of the risks. Two-thirds of respondents to one survey said that they “always” or “mostly” reuse a known password, even though 91% said they knew reusing a password posed a risk to their business.
The Ponemon Institute and Proofpoint revealed that organizations experience an average of 5.3 credential compromises every year. Each of those incidents cost an average of $692,531 for organizations to contain in 2021, which is nearly double the figure of $381,920 back in 2015.
Passwords are expensive for organizations to manage as well. A survey back in 2018 revealed that large organizations commonly allocated over £700,000 each year for password-related support costs. The same study highlighted that even a single password reset could cost organizations as much as $70 in terms of teams’ time and money.
Moving beyond passwords
It is time that organizations moved away from insecure and expensive passwords. Just a few days ago, Microsoft announced that users “can now completely remove the password from [their] Microsoft account.” Instead, users will use the Microsoft Authenticator app to validate themselves to access Microsoft services such as Office 365. It is clear that the future of authentication is passwordless.
But until we reach that point, organizations can leverage Single Sign-On (SSO) and multi-factor authentication (MFA).
SSO solutions act as an intermediary between users and target systems, mapping the different credential sets required by various applications and services to a single username/password pair. An access management solution offering SSO capabilities helps to eliminate password fatigue by requiring users to remember only a single set of credentials.
However, SSO offers a static type of authentication. With a mobile workforce, static identity validation is risky. Access management needs to be able to step up authentication based on a variety of contextual metrics, such as location, time, device, network type, etc. In a risk-based access management solution, SSO is augmented by multi-factor authentication (MFA), where identity validation uses two or more authentication factors – knowledge, possession, and inherence.
Although MFA is not a panacea for our access challenges, it certainly enforces a strong authentication regime, making the lives of criminals hard. MFA should be deployed across all privileged accounts and to protect access to sensitive data. In effect, all critical systems, government or private ones, should be protected by MFA. This is also the key message of President Biden’s Executive Order for strengthening the security posture of federal agencies and critical infrastructure.
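The step-up decision described above can be sketched as a small policy function. This is an added example, not code from the article or from any product: the signal weights, thresholds, trusted-network list, the deny tier for very high scores, and all names and sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed weights and thresholds (assumptions); derive real ones from a risk assessment.
WEIGHTS = {"unknown_device": 30, "new_location": 25, "untrusted_network": 20, "off_hours": 10}
STEP_UP_AT, DENY_AT = 30, 70
TRUSTED_NETWORKS = {"corporate", "vpn"}

@dataclass(frozen=True)
class Baseline:            # what is normal for this user
    countries: frozenset
    devices: frozenset
    work_hours: tuple      # (start, end) in local time, end exclusive

@dataclass(frozen=True)
class Request:
    privileged: bool       # request comes from a privileged account
    sensitive: bool        # target system holds sensitive data
    country: str
    hour: int
    device: str
    network: str

def signals(req, base):
    """Return the contextual risk signals raised by this request."""
    start, end = base.work_hours
    checks = {
        "unknown_device": req.device not in base.devices,
        "new_location": req.country not in base.countries,
        "untrusted_network": req.network not in TRUSTED_NETWORKS,
        "off_hours": not (start <= req.hour < end),
    }
    return [name for name, raised in checks.items() if raised]

def decide(req, base):
    """Return (decision, score, signals): allow_sso, step_up_mfa or deny."""
    raised = signals(req, base)
    score = sum(WEIGHTS[s] for s in raised)
    if score >= DENY_AT:
        return "deny", score, raised
    # Privileged accounts and sensitive data always require MFA, whatever the context.
    if req.privileged or req.sensitive or score >= STEP_UP_AT:
        return "step_up_mfa", score, raised
    return "allow_sso", score, raised

# Constructed sample data.
BASE = Baseline(frozenset({"GR"}), frozenset({"laptop-01"}), (7, 20))
SAMPLES = {
    "office": Request(False, False, "GR", 10, "laptop-01", "corporate"),
    "late_from_home": Request(False, False, "GR", 23, "laptop-01", "home"),
    "admin_in_office": Request(True, False, "GR", 10, "laptop-01", "corporate"),
    "unknown_everything": Request(False, False, "BR", 10, "phone-x", "public"),
}
```

Logging the raised signals alongside each decision gives the security team an audit trail for why a user was challenged or blocked.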
Know your risks
As we have mentioned above, authentication is a risk-based decision. Hence, before deploying an authentication solution, organizations should assess their risk and regulatory environment. Identify and classify all assets and data, prioritize their importance and criticality, and select the access controls that are appropriate for each asset.
Clear visibility into your infrastructure is the cornerstone of your access management. ADACOM offers a wide portfolio of services to help you assess your security posture and maturity, understand your risks and requirements, and select the controls that can help you reduce your overall business risk. Our experts will listen to your concerns. Contact them now.