The European Union decided that the General Data Protection Regulation (GDPR) takes effect in May 2018. All companies holding data on European citizens will be covered by this regulation. With severe penalties for breaches of sensitive data, IT security now carries new weight when IT spending is decided. Even as early as 2016, IT security spending was up 18% compared to 2015, according to Gartner.
Perhaps even more important, we have seen attack after attack worldwide on private and public organizations. Operations have been suspended for days, and sensitive and critical information has been divulged to the public. The consequence is of course that top management now asks the CIO:
“Will this happen to us” or “Why will this not happen to us?”
Preventing attacks is not only about technology. It is about processes too, in particular where credentials like passwords are handled!
Gartner predicts that spending on IT security for large organizations will grow to 8-10% of IT spending in 2018 compared to 6-8% in 2015.
Threats are everywhere, and many of them stem from weak password processes. By password processes, we mean the process that assists the user in solving a corporate password problem. A typical situation is a user who has forgotten his password on Monday morning. The standard process is that a service desk analyst gives the user a new password. But what is the risk that someone other than the real user can obtain a password and gain unauthorized access to sensitive corporate data? Under GDPR, unauthorized access by just one person is a data breach!
The Service Desk Institute (SDI), a worldwide interest group for service desk professionals, made a study in 2016:
In as many as 35% of organizations the service desk analysts personally decide how to authenticate a user – it is not decided by management! Among the remaining 65%, many use weak authentication questions, and it is very hard to monitor the actual quality of the authentication process when it is a manual process.
Verizon’s Data Breach Incident Report from 2017 shows that 81% of hacking-related breaches leveraged stolen or weak passwords.
Security requires a 360-degree protection and thinking. Attacks will focus on the weakest link in the protection of IT systems. International Data Corporation (IDC) says in a Technology Spotlight report:
“The weak link in any process will always be the one to be exploited. With respect to controlling identities and access, the weak link is the password.”
Present State of Enterprise Password Management
The purpose of a password is to authenticate the real user to his user-id in a secure way. It is the user’s responsibility to protect his password. He does this by not giving it away to other persons and by preventing, to the best of his ability, others from shoulder surfing when he enters the password into the IT system. He should not write it on sticky notes or similar.
It is, however, the organization’s responsibility to make sure that others can’t get hold of the user’s present password or obtain a new one to open the user’s account. It is generally agreed that password protection therefore relies on three things: password policies, technical protection and password processes.
Password policy primarily defines the complexity and maximum lifetime of a password. More advanced principles might be included to prevent users from reusing elements of old passwords or choosing popular passwords. Technical protection covers questions such as:
“Where is the user repository stored? What encryption methods are used? Who has privileged access to the repository or to the users’ passwords?”
Password processes come into play when users need help because they have a password problem. In most organizations, this is the responsibility of the service desk or is solved in a Self-Service Password Reset (SSPR) system. Some organizations have a special user administration office to do it.
The facilitated password reset process is, however, always present. No matter how well-designed the self-service solutions we deploy, some users will need assistance and call the service desk. We should expect that attackers will test this process. It is possible to get access to protected accounts without any technical knowledge if one is able to convince the service desk.
This means that you can’t have a secure IT system if you don’t protect the facilitated password process (Gartner uses the term: Facilitated Password Reset process). The principles for a secure facilitated password process rely on the following building blocks:
- Have a management-decided process
- Prevent circumventions by staff
- The process must balance risks and costs for different user groups
- The proofing process must use dynamic and contextual data and intelligence in addition to static data and tokens
- Authentication can include manager approval
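The building blocks above, turned into a policy-driven proofing check for a service-desk reset. This is an added illustration, not FastPass code: the group names, score weights and request fields are assumptions chosen for the example, and the point is that the decision is computed and logged by the system from a management-defined policy, not left to the individual analyst.

```python
from dataclasses import dataclass

# Management-decided policy per user group (constructed values):
# minimum proofing score and whether manager approval is mandatory.
POLICY = {
    "standard": {"min_score": 2, "manager_required": False},
    "finance":  {"min_score": 3, "manager_required": False},
    "admin":    {"min_score": 4, "manager_required": True},
}
STRICTEST = {"min_score": 4, "manager_required": True}  # unknown groups get the strictest policy

@dataclass
class ResetRequest:
    user_id: str
    group: str
    static_answer_ok: bool          # static data: knowledge question / employee ID matched
    token_ok: bool                  # token: one-time code to the registered phone or mail confirmed
    caller_number_registered: bool  # contextual: call placed from the user's known number
    recent_failed_logins: int       # dynamic: suspicious activity on the account
    manager_approved: bool          # optional manager approval

AUDIT_LOG = []  # every decision is recorded so the process can be monitored

def proofing_score(r: ResetRequest) -> int:
    """Combine static, token, contextual and dynamic evidence into one score."""
    score = 0
    score += 1 if r.static_answer_ok else 0
    score += 2 if r.token_ok else 0
    score += 1 if r.caller_number_registered else 0
    score += 1 if r.manager_approved else 0
    if r.recent_failed_logins >= 5:
        score -= 1  # an account under attack raises the bar instead of lowering it
    return score

def reset_allowed(r: ResetRequest) -> bool:
    """System-enforced decision: the analyst cannot skip steps or override it."""
    policy = POLICY.get(r.group, STRICTEST)
    score = proofing_score(r)
    ok = score >= policy["min_score"]
    if policy["manager_required"] and not r.manager_approved:
        ok = False
    AUDIT_LOG.append({"user": r.user_id, "group": r.group, "score": score,
                      "required": policy["min_score"], "allowed": ok})
    return ok
```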
To see how FastPass FPR (Facilitated Password Reset) solves the challenge please LINK here