COMPLIANT AND SECURE PASSWORD MANAGEMENT
IF AT LEAST 35% OF COMPANIES DON’T AUTHENTICATE USERS ON A PASSWORD RESET CALL – WHAT IS AT RISK?
Passwords cause data breaches
With the European Union’s adoption of the General Data Protection Regulation (GDPR), compliance has moved to the top of the IT priority list. Companies that suffer a data breach, or fail to report one within 72 hours, can be fined up to 4% of annual revenue! GDPR requires companies to identify their critical data and map out who has access to it.
In February 2017 IDC released a Technology Spotlight on GDPR and password compliance processes. It documents specifically how GDPR emphasizes protection and authentication of personal data. Several articles and paragraphs define how a lack of authentication can lead to data breaches. A data breach must be reported to the authorities within 72 hours and is a violation of GDPR.
IDC refers to research showing that 63% of all known data breaches are caused by password problems.
According to a Service Desk Institute survey, 35% of organizations have no clear authentication process for their password service. The remaining 65% have a process, but not necessarily a strong one.
SDI Report "On Security, GDPR and Self-Service Passwords"
Best Practices for security
IDC argues strongly that the present state of user authentication in service desks does not live up to the demands of a secure process. IDC refers to requirements issued by official organizations that demand a two-person process: one person with the privileges and one person who knows the end user asking for the password.
Alternatively, a password self-service solution with a clear authentication process will be compliant (provided the web application itself is secure!). However good the self-service implementation is, some users will still call the service desk anyway.
A manual process is very difficult to monitor and make compliant, so as part of the right password process the service desk password reset must itself be handled by an IT solution. The service desk then no longer needs privileged rights to reset passwords directly in Active Directory, which significantly reduces the risk of fraud committed by individual service desk employees!
How passwords are broken
The strategy for preventing passwords from being guessed or shoulder-surfed is to make passwords reasonably complex, avoid patterns in passwords and avoid reusing past passwords.
Where a password has already been guessed, frequent forced password changes cut off the intruder’s continued misuse.
When a second person from the service desk is involved in password issuance, this introduces a risk of misuse. If the service desk person is corrupt, or simply ‘a good friend’ of the intruder, it may be possible to short-circuit the password security process. Even the mitigation of interim passwords does not prevent an intruder and a service desk employee from circumventing the password protection together. One mitigation is very strict reporting on password resets. A simpler mitigation is self-service, where the user is the only one touching their password.
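The rules just described (reasonable complexity, no obvious patterns, no reuse of past passwords) are easy to state but easy to get wrong in code, so here is an added example of a policy check that enforces them. It is illustration written for this page, not code from IDC, SDI or any product: the thresholds, the pattern list and the sample history are all constructed assumptions, and the history is kept as salted PBKDF2 hashes so the check never needs to store old passwords in clear text.

```python
"""Password policy check of the kind the page describes: minimum complexity,
rejection of obvious patterns, and rejection of previously used passwords.
All thresholds and sample values below are constructed for illustration."""
import hashlib
import hmac
import os
import re
from typing import List, Tuple

MIN_LENGTH = 12          # assumed policy value, not taken from the page
MIN_CHAR_CLASSES = 3     # of: lower, upper, digit, symbol (assumed)
HISTORY_DEPTH = 10       # assumed number of previous passwords remembered

# Constructed list of well-known substrings to reject (matched case-insensitively).
COMMON_PATTERNS = ["password", "qwerty", "123456", "letmein", "abcdef"]

# History entry: (salt, pbkdf2 digest) so plaintext is never retained.
History = List[Tuple[bytes, bytes]]


def has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive characters stepping by +1 or -1
    in code point, e.g. 'abcd' or '4321'."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_repeated_run(pw: str, run: int = 4) -> bool:
    """True if one character is repeated `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def char_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def hash_password(pw: str, salt: bytes) -> bytes:
    """Salted, iterated hash so the stored history is not a plaintext list."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)


def store_in_history(history: History, pw: str) -> None:
    """Record an accepted password and drop entries beyond HISTORY_DEPTH."""
    salt = os.urandom(16)
    history.append((salt, hash_password(pw, salt)))
    del history[:-HISTORY_DEPTH]


def previously_used(history: History, pw: str) -> bool:
    """Constant-time comparison against every remembered digest."""
    return any(hmac.compare_digest(hash_password(pw, salt), digest)
               for salt, digest in history)


def check_password(pw: str, history: History) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems: List[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(pw) < MIN_CHAR_CLASSES:
        problems.append(f"fewer than {MIN_CHAR_CLASSES} character classes")
    if any(p in pw.lower() for p in COMMON_PATTERNS):
        problems.append("contains a common pattern")
    if has_sequential_run(pw):
        problems.append("contains a sequential run")
    if has_repeated_run(pw):
        problems.append("contains a repeated run")
    if previously_used(history, pw):
        problems.append("matches a previous password")
    return problems


if __name__ == "__main__":
    hist: History = []
    store_in_history(hist, "Correct-Horse-Battery-7")      # constructed sample
    for candidate in ["Correct-Horse-Battery-7", "Password!2024",
                      "abcd1234XYZ!", "Ab1!"]:
        print(candidate, "->", check_password(candidate, hist) or "accepted")
```

The reuse check is deliberately a hash comparison rather than a string comparison: a history table that holds old passwords in clear text is itself a breach waiting to happen, and the constant-time `compare_digest` avoids leaking how close a guess was through timing. The pattern detectors are simple by design; the point is that "avoid patterns" has to be turned into concrete, testable rules before it can be audited.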
See more at “Password risks and mitigation”
The IDC recommendations and best practices for password compliance are:
- Implement a password self-service solution with high adoption
- Remove the service desk analysts’ privileged rights to reset passwords in AD
- Use a two-person process when users call the service desk. Combine this with an IT system that re-enrols the user into self-service, so the privileged users never see the user’s new password.