GDPR – remember your password processes

63% of data breaches are caused by password problems

Secure passwords for enterprise users

According to an IDC whitepaper, 63% of data breaches are caused by password problems. This demonstrates a strong need for solutions to the password risks faced by enterprise users.

We very often see that the user authentication process at the service desk is limited in scope and time. This means it is easy for another user or an external agent to obtain a password for a legitimate user. This constitutes a GDPR breach when an unauthorized person gets access to sensitive data!

To be GDPR compliant, the service desk analysts must have a clear, management-defined process to adhere to. Every password service request must be documented in detail to prove that the process has been followed. Furthermore, the steps used to authenticate the user must be strong enough to keep intruders out.

Self-service password reset (SSPR) solutions are by nature compliant and secure if two-factor authentication is implemented. You will, however, always have some users who need assistance. This process is called the Facilitated Password Reset process. The new challenge is to reduce or remove the password risks for enterprise users.

Privileged users are the risk factor

Avoid privileged users in the service desk

The ideal situation is that only the user ever touches his own password. There is, however, one situation where a user needs assistance:

  • If he forgets the password, he must get help to obtain a new one

Traditionally, a service desk analyst uses a privileged password to set a new password for the user. The privileged password makes it very easy to set new passwords for any account, and the process is very difficult to monitor. The password reset process for end users must instead be controlled by an IT workflow and application. The service desk analysts then no longer need the privileged passwords, and a high risk is removed!

Password protection

Technical protection

The basic concept of technical protection is to prevent others from reading and understanding the user’s password while it is inside the IT system.

The primary methods are:

  • Encryption of the password when it is stored
  • Encryption of data when in transport
  • Firewalls/DMZs to keep external parties out
  • Preventing malware and keyloggers from being installed

Password Policies

Password policies are made to help users protect their passwords. The risk is that someone obtains our password so they can impersonate us and read and send e-mail in our name. One example is someone looking over the shoulder to catch the password as it is typed. Others might have picked it up at some point (perhaps from a sticky note) and continue to use it. If we use the month or year in the password, it is not difficult to guess future passwords. This has led to the development of password policies, of which these are the most standard:

  • At least XX characters with a complex structure
  • History: must differ from the last XX passwords
  • Internal logic: must not contain repeating elements

A recent development is to prevent users from choosing frequently used passwords. If you have a password filter that can match the user’s new password against a database of frequently used passwords, the filter can deny the password. This makes it harder for an attacker to breach the account.
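The policy rules and the frequently-used-password filter described above, combined into a single check, as an added example in Python; it is not FastPass code and not part of the original page. The minimum length, the history depth, the small blocklist, the month list and the year window are assumed values chosen for illustration, and a real filter would load a full breach corpus and run inside the directory’s password-change path.

```python
"""Added example (not FastPass code): a password policy filter that
applies length/complexity, history, repeating-pattern, month/year and
frequently-used-password rules to a candidate password."""
import hashlib
import re
from datetime import date

# Constructed sample blocklist; a deployment would load a large list
# (e.g. a breach corpus) into a set or a database instead.
FREQUENTLY_USED = {"password", "123456", "qwerty", "welcome1", "letmein"}

# Full month names only, to limit false positives on ordinary words.
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")

MIN_LENGTH = 12     # the page's "at least XX characters"; assumed value
HISTORY_DEPTH = 5   # the page's "last XX times"; assumed value
YEAR_WINDOW = 10    # years around today that count as "the year"; assumed


def hash_password(password: str) -> str:
    """History is kept as hashes so old passwords are never stored in clear.
    SHA-256 keeps the example short; a slow KDF (bcrypt/argon2) belongs in production."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def is_complex(pw: str) -> bool:
    """Complex structure: at least three of lower, upper, digit, symbol."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(c, pw)) for c in classes) >= 3


def has_repeating_pattern(pw: str) -> bool:
    """Repeating elements: a character tripled in a row ("AAAb..."), or the
    whole password made of one substring repeated ("Ab1!Ab1!Ab1!")."""
    if re.search(r"(.)\1\1", pw):
        return True
    return re.fullmatch(r"(.+?)\1+", pw) is not None


def has_date_element(pw: str) -> bool:
    """Month names or a four-digit year close to today make future passwords guessable."""
    low = pw.lower()
    if any(m in low for m in MONTHS):
        return True
    this_year = date.today().year
    for m in re.finditer(r"(19|20)\d\d", pw):
        if abs(int(m.group(0)) - this_year) <= YEAR_WINDOW:
            return True
    return False


def check_password(candidate: str, history_hashes: list[str]) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not is_complex(candidate):
        problems.append("needs at least three character classes")
    if hash_password(candidate) in history_hashes[-HISTORY_DEPTH:]:
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    if has_repeating_pattern(candidate):
        problems.append("contains repeating pattern")
    if has_date_element(candidate):
        problems.append("contains a month or year")
    if candidate.lower() in FREQUENTLY_USED:
        problems.append("appears in frequently used password list")
    return problems


if __name__ == "__main__":
    # Constructed history: the user's previous password, stored as a hash.
    history = [hash_password("Tr0ub4dor&3xyz")]
    for pw in ("password", "Welcome2025!!", "Ab1!Ab1!Ab1!", "Tr0ub4dor&3xyz", "Zx9#mQ2$vL7!pw"):
        print(f"{pw!r}: {check_password(pw, history) or 'accepted'}")
```

The filter returns every violated rule rather than stopping at the first one, so the user is told all the reasons at once and the rejection can be logged in full. The blocklist lookup is a plain set membership test on the lower-cased candidate; with a multi-million-entry corpus the same check would go against a hashed list or a database.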

It is annoying to call a service desk and admit that you can’t remember your password. A gentle way to avoid this is to give users a self-service solution. It is fast, and you don’t need to tell anyone you can’t remember your password!

See the IDC blog on GDPR and password security

Password processes

In most situations the majority of companies have a manual process where a privileged user creates and delivers a new password. This opens up an additional risk:

Can the privileged users create and hand out passwords to the “wrong” user? The answer is yes.

It is obvious that organizations must put at least as much effort into password processes as they put into password policies and password security technologies. The basic principle for any solution must be that the process is defined by management! Furthermore, the process must be recorded so that it is available for monitoring.

Management must decide exactly what information the service desk analyst must have available to make a positive authentication of a user. The process can differ between user groups. Users with access only to simple data might have a light process, whereas users with access to critical systems must have a 2-person authentication process. The complete process must be controlled by the password reset IT solution. If the service desk agents only have a manual process in place, monitoring becomes extremely challenging! The basic principles are:

  • A password reset process is defined by management
  • 2-person authentication is integrated for users with access to sensitive systems
  • Users must be able to reset the password themselves through re-enrollment to a self-service portal
  • Privileged users (service desk supporters) should not have access to standard tools (Windows) for password reset
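The principles above, encoded as a small facilitated password reset workflow in Python, as an added example; it is not FastPass code and not part of the original page. The user groups, the verification checks required per group, the analyst names and the audit line format are assumptions, and the directory connector is represented by a callback so that the analyst never holds a privileged credential.

```python
"""Added example (not FastPass code): a facilitated password reset
workflow where the process is data defined by management, every step
is written to an audit trail, and sensitive accounts need a second
analyst before the reset executes."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed management-defined process: per user group, the identity checks an
# analyst must record and whether a second analyst has to approve the reset.
PROCESS = {
    "standard":  {"checks": ("employee_id", "manager_name"), "two_person": False},
    "sensitive": {"checks": ("employee_id", "manager_name", "callback_on_file"), "two_person": True},
}


@dataclass
class ResetRequest:
    username: str
    group: str
    opened_by: str
    verified: dict = field(default_factory=dict)    # check name -> analyst who verified it
    approvals: list = field(default_factory=list)   # analysts who gave second-person approval
    audit: list = field(default_factory=list)       # one line per step, for monitoring
    completed: bool = False

    def log(self, analyst: str, event: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(f"{stamp} user={self.username} analyst={analyst} {event}")


def open_request(username: str, group: str, analyst: str) -> ResetRequest:
    """Open a ticket; a group without a defined process cannot be handled at all."""
    if group not in PROCESS:
        raise ValueError(f"no management-defined process for group {group!r}")
    req = ResetRequest(username, group, analyst)
    req.log(analyst, "opened")
    return req


def record_verification(req: ResetRequest, analyst: str, check: str, passed: bool) -> None:
    """Record the outcome of one identity check; failed checks are logged as well."""
    if check not in PROCESS[req.group]["checks"]:
        raise ValueError(f"{check!r} is not part of the process for group {req.group!r}")
    req.log(analyst, f"check {check} {'passed' if passed else 'FAILED'}")
    if passed:
        req.verified[check] = analyst


def approve(req: ResetRequest, analyst: str) -> bool:
    """Second-person approval; it must come from someone other than the opener."""
    if analyst == req.opened_by:
        req.log(analyst, "approval rejected: same analyst who opened the request")
        return False
    req.approvals.append(analyst)
    req.log(analyst, "approved")
    return True


def execute_reset(req: ResetRequest, analyst: str, set_password) -> bool:
    """Run the reset only when every required step is on record.

    set_password(username) is the hook into the directory (for example an AD
    connector owned by the application); the analyst has no privileged password."""
    rules = PROCESS[req.group]
    missing = [c for c in rules["checks"] if c not in req.verified]
    if missing:
        req.log(analyst, f"reset refused: unverified checks {missing}")
        return False
    if rules["two_person"] and not req.approvals:
        req.log(analyst, "reset refused: second-person approval missing")
        return False
    set_password(req.username)
    req.completed = True
    req.log(analyst, "reset executed; temporary password delivered by the application")
    return True


if __name__ == "__main__":
    # Constructed walk-through for a user with access to sensitive systems.
    connector = lambda user: None  # placeholder for the real directory call
    req = open_request("alice", "sensitive", "analyst1")
    for check in PROCESS["sensitive"]["checks"]:
        record_verification(req, "analyst1", check, True)
    print("first attempt:", execute_reset(req, "analyst1", connector))   # refused, no second person
    approve(req, "analyst2")
    print("second attempt:", execute_reset(req, "analyst1", connector))  # executed
    print("\n".join(req.audit))
```

Because the required checks live in `PROCESS` rather than in the analyst’s head, changing the process is a configuration change that management owns, and every refusal is logged with its reason, which is what makes the manual-versus-controlled difference visible to whoever monitors the service desk.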

IDC has analysed the issues and made recommendations in its Technology Spotlight “Password Management and GDPR Compliance: Lowering Risk Through State-of-the-Art Assisted Password Reset”. The FastPass vision and concept for password compliance can be found here.

Testimonials

“We strive continuously to improve our service. It is important to us to deliver modern and simple solutions helping customers to a more efficient operation. The cooperation with FastPass is yet another step in this direction.”

Mads Jacobsen

Associate Vice President

... seen an 80% reduction in assisted password resets. We’re very satisfied with the product. It has significantly freed us up from frustrating and unrewarding password resets.

Oliver Holmes

Deputy Director, Technology and Operations

FastPass handled 2,531 password calls, or more than 80% of the total password calls from all the users.

Per Kristensen

Project manager

...we have met our Customers’ Service and Cost Improvement challenges by reducing our call abandon rates by over 55% and our average wait times by over 60%, despite our overall budget being reduced.

Pete Townley

Lead Service Delivery

… about 90% use FastPass to reset their passwords. So we’ve seen a substantial reduction in calls to the help desk.

Winston Hughed

Vice President IT

We are very pleased with the product. FastPass has simplified password management and eliminated many password-related calls.

Chuck Mick

ERP Manager

Nyrstar has chosen FastPass to automate and improve the processes related to users’ forgotten passwords. This has improved user satisfaction and reduced the workload in the IT HelpDesk.

The number of forgotten passwords per involved user per year has dropped from 1,6 to 0,3. This is an improvement of 83%!

Hans Lauwers

SAP

... The numbers have grown to the point that it would be impossible to operate in today’s busy environment without a password management service.

Haydn Tarr

IT Technical Lead & Coordinator

Our employees use it to synchronize their Windows password with their IBM i password when they need to be changed every 90 days due to compliance. We find this is a quiet, behind-the-scenes way for our employees to change and remember their passwords.

Larry Marxen

Director of Information Systems

North America T: +1 (212) 419-4921

Europe T: + 45 4810 0410

FastPassCorp A/S, 1350 Avenue of the Americas, 2nd Floor, New York, NY 10019, USA

FastPassCorp A/S, Lyngby Hovedgade 98, Kgs. Lyngby, DK 2800, Denmark

© FastPassCorp A/S. All Rights Reserved.
