IDC Password Compliance

Password Management and GDPR Compliance

GDPR impacts multiple areas of security functions (and other technology and business areas too). In the flurry of activity and anxiety as we head toward the May 2018 deadline, companies need to review and if necessary enhance those processes considered as foundational. Password management is one of these, as it underpins the assumptions that so many other applications make: that user credentials are trustworthy.

One such assumption is that individual users are intrinsically tied to access credentials. This is only the case where it can be shown that no other person could come to know the password as it was created or reset. Self-service password management can offer such an outcome, but user adoption rates of these services are often low. Assisted service password reset normally introduces a second person, and this individual — a service desk staffer, for example — could expose the password, through accident or design. Even if this is not the case, how can you be sure?

This IDC Technology Spotlight introduces the identity and access implications of GDPR, and shows why password reset represents a potential risk factor that may compromise compliance. It then shows how self-service password reset can lower this risk, as long as the second person threat is removed. In fact, if implemented correctly, the removal of this threat can also drive adoption of self-service password resets, increasing efficiency and maximizing return on investment.

The Importance of Identity and Access Control to GDPR

GDPR does not have much to say in specific terms about information security. However, the importance of security is fundamental to the principles and practice of GDPR. Security is established as a core principle in Article 5, which states that personal data shall be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing … using appropriate technical or organizational measures.” Article 4’s definition of a data breach includes “unauthorized … access to personal data.”

Clearly, then, access control to prevent “unauthorized processing” and “unauthorized access” is critical to GDPR compliance. Although explicit emphasis within GDPR is on security of data, there is plenty of implicit reference to the security of identity. In addition to Articles 4 and 5, GDPR also refers to identity in the following places:

  • Recital 39: “Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorized access to or use of personal data and the equipment used for the processing.”
  • Recital 49: “The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security … constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorized access to electronic communications networks …”
  • Recital 83: “In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as … unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed …” (Our emphases).

GDPR is light on prescription of security controls. It is outcome-focused, and companies need to work out for themselves how to achieve and maintain compliance. However, GDPR does leave some heavy hints as to what regulators are looking for. Article 32 — Security of Processing — is the only article that specifies the security outcomes, which include:

  • Paragraph 1 (b) — “The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services,” and
  • Paragraph 4 — “The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.”

IDC believes that GDPR will force companies to review their processes and technologies in a broad range of security functions, and that managing access to personal data is key among them. Arguably, in addition to this new legal obligation, companies also have commercial and moral obligations to protect users’ identities. Loss of control of user identities can cost firms dearly if they lead to a data breach or an infection of ransomware. Further, companies should protect their users from their credentials being hijacked or otherwise compromised: users are often unwitting accomplices in the exploitation of security vulnerabilities and unfairly regarded as culpable or, worse, “stupid.”

The weak link in any process will always be the one to be exploited. With respect to controlling identities and access, the weak link is the password.

Password Resets — The Weak Link

Passwords continue to be a primary vector for compromised credentials. The most recent Data Breach Incident Report (DBIR) by Verizon states that 63% of confirmed data breaches involved weak, default, or stolen passwords. The Service Desk Institute reports that a third of support organizations expect password-related issues to take up more than 25% of their calls. 41% do not even use a password reset tool, while 35% of those have no defined password authentication process at all.

Passwords have many critics, and the weaknesses of passwords are well documented. However, passwords persist because they are cheap, familiar, and easy to use. In fact, most of the breaches associated with passwords are a consequence not of any inherent weakness in passwords themselves, but in password management. Password reset is a primary culprit here.

Password resets may seem trivial in the grand scheme of data breaches. Sexy they are not, and they struggle for attention against advanced persistent threats and polymorphic malware. Yet the humble password reset may have profound consequences if it leads to data breaches through compromised credentials. And the consequences of getting password management wrong are about to increase for companies with the introduction of GDPR. Indeed, you don’t have to have a data breach to be non-compliant with GDPR. Poor process or lack of evidence will do it.

Considering FastPassCorp: Optimizing User Self-Service Adoption

FastPassCorp is a provider of a self-service password reset solution that reports user adoption rates exceeding 80%, while ensuring the integrity of passwords in assisted reset instances.

What drives users to prefer self-service password resets? The answer involves a combination of ease of use, convenience, and compulsion.

Firstly, the reset solution must be easy to use. The standard approach to password reset is to use security challenge questions. Basic security dictates that these challenge questions should not be easy to guess or research. Of course, this means the answers are often forgotten by the users, who would then normally have to revert to an assisted reset process. However, FastPass allows users to choose the method of reauthentication: a challenge question, a one-time passcode via SMS, or a PIN sent to a private email address. This flexibility allows user choice, driving adoption (and reducing the risk of frustrated users).

The solution must also be convenient. FastPass is available on the majority of existing systems, including those based on Microsoft Active Directory. It also integrates with SAP and Oracle as well as IBM AS400. Importantly, passwords can be synchronized across all supported environments or kept separate, according to the preferred security regime. FastPass Cloud also supports Microsoft Azure AD, which opens up the important and growing cloud-based identity platform.

Lastly, at times users need to be compelled to use the self-service system. It should be easy for users to enroll, but even with regular reminders busy (or belligerent) users may choose not to. In these cases, an agent can be deployed on client PCs, which then forces the errant user to enroll. The cost to the user of enrollment is one-off, after which they are always directed in the first instance to the self-service option.

Additional security layers can be implemented, based on the user choice or security regime. In some cases, a user may choose to use multiple authentication factors. In others, the security protocols may mandate multifactor use. For example, when accessing the self-service solution from a remote location the user may be forced to provide additional authentication. Adding an automated notification of a password reset to the user is always good practice.

With full audit trails of self-service password resets, this automated part of the solution ensures a compliant reset process.

“We strive continuously to improve our service. It is important to us to deliver modern and simple solutions helping customers to a more efficient operation. The cooperation with FastPass is yet another step in this direction.”

Mads Jacobsen
Associate Vice President

... seen an 80% reduction in assisted password resets. We’re very satisfied with the product. It has significantly freed us up from frustrating and unrewarding password resets.

Oliver Holmes

Deputy Director, Technology and Operations

FastPass handled 2,531 password calls, or more than 80% of the total password calls from all the users.

Per Kristensen

Project manager

...we have met our Customers’ Service and Cost Improvement challenges by reducing our call abandon rates by over 55% and our average wait times by over 60%, despite our overall budget being reduced.

Pete Townley

Lead Service Delivery

… about 90% use FastPass to reset their passwords. So we’ve seen a substantial reduction in calls to the help desk.

Winston Hughed

Vice President IT

We are very pleased with the product. FastPass has simplified password management and eliminated many password related calls.

Chuck Mick

ERP Manager

Nyrstar has chosen FastPass to automate and improve the processes related to users’ forgotten passwords. This has improved user satisfaction and reduced the workload in the IT HelpDesk.

The number of forgotten passwords per involved user per year has dropped from 1.6 to 0.3. This is an improvement of 83%!

Hans Lauwers

SAP

... The numbers have grown to the point that it would be impossible to operate in today’s busy environment without a password management service

Haydn Tarr

IT Technical Lead & Coordinator

“Our employees use it to synchronize their Windows password with their IBM i password when they need to be changed every 90 days due to compliance. We find this is a quiet, behind-the-scenes way for our employees to change and remember their passwords.”

Larry Marxen

Director of Information Systems

North America T: +1 (212) 419-4921

Europe T: +45 4810 0410

E: info@fastpasscorp.com

FastPassCorp A/S, 1350 Avenue of the Americas, 2nd Floor, New York, NY 10019, USA

FastPassCorp A/S, Lyngby Hovedgade 98, Kgs. Lyngby, DK 2800 Denmark

© FastPassCorp A/S. All Rights Reserved.