GDPR – Remember Your Password Processes
63% OF DATA BREACHES ARE CAUSED BY PASSWORD PROBLEMS
Secure passwords for enterprise users
According to an IDC whitepaper, 63% of data breaches are caused by password problems. This shows a strong need for solutions that reduce password risks for enterprise users.
We very often see that the user authentication process at the service desk is limited in scope and time. This makes it easy for another user or an external party to obtain a password for a legitimate user. It constitutes a GDPR breach when an unauthorized person gets access to sensitive data!
To be GDPR compliant, service desk analysts must have a clear, management-decided process to adhere to. Every password service request must be documented in detail to prove that the process has been followed. Furthermore, the steps used to authenticate the user must be strong enough to keep intruders out.
Self-service solutions (SSPR) are by nature compliant and secure if 2-factor authentication is implemented. You will, however, always have some users who need assistance. That process is called the Facilitated Password Reset process. The new challenge is to reduce or remove password risks for enterprise users.
Privileged users are the risk factor
Avoid privileged users in the service desk
The ideal situation is that only the user ever touches his own password. There is, however, one situation where a user needs assistance:
- If he forgets the password, he must get help to obtain a new one
Traditionally the service desk uses a privileged password to set a new password for the user. That privileged password makes it very easy to set new passwords for any account, and the process is very difficult to monitor. The password reset process for end users must instead be controlled by an IT workflow and application. Then the service desk analysts no longer need the privileged passwords, and a high risk is removed!
The basic concept of technical protection is to prevent others from reading and understanding the user's password while it is in the IT system.
The primary methods are:
- Encryption of the password when it is stored.
- Encryption of data when in transit
- Firewalls/DMZs to keep external parties out
- Preventing malware and key-loggers from being installed
Password policies are made to help users protect their passwords. The risk is that someone obtains a user's password so they can impersonate that user, for example reading and sending from the user's e-mail. One example is someone looking over the shoulder to catch the password as it is typed. Others might have picked it up at some point (perhaps from a sticky note) and then continue to use it. If a month or year is used in the password, future passwords are not difficult to guess. This has led to the development of password policies, of which these are the most standard:
- At least XX characters with a complex structure
- History: must be different from the last XX passwords
- Internal logic: must not contain repeating elements
A recent development is to prevent users from choosing frequently used passwords. If a password filter can match the user's new password against a database of frequently used passwords, the filter can reject it. This makes it harder for an attacker to guess or crack the password.
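The policy rules listed above and the frequently-used-password filter, combined in one checker as an added example (not code from the original page). The minimum length of 12, a history depth of 5 and the small deny list are assumed values standing in for the page's "XX" and its unnamed password database:

```python
import hashlib
import os
import re

# Constructed, illustrative deny list; a real filter loads a large corpus of
# frequently used or breached passwords (assumption: the page names no source).
COMMON_PASSWORDS = {"password", "123456", "welcome1", "qwerty", "letmein"}
MONTHS = r"jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec"

MIN_LENGTH = 12     # the page's "at least XX characters"; 12 is an assumed value
HISTORY_DEPTH = 5   # the page's "last XX times"; 5 is an assumed value


def hash_for_history(password, salt=None):
    """Salted PBKDF2 digest kept in the history store instead of the old plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def check_password(candidate, history):
    """Return the list of policy violations; an empty list means the password is accepted.

    history is a list of (salt, digest) tuples produced by hash_for_history().
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")
    if sum(bool(re.search(p, candidate)) for p in classes) < 3:
        problems.append("needs at least three character classes")
    # History: re-derive the digest with each stored salt; old plaintexts are never kept.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hash_for_history(candidate, salt)[1] == digest:
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
            break
    # Internal logic: a character repeated three times or a repeated substring ("abcabc").
    if re.search(r"(.)\1\1", candidate) or re.search(r"(.{2,})\1", candidate):
        problems.append("contains a repeating pattern")
    # Month or year fragments make the user's next password easy to guess.
    if re.search(rf"(?i)({MONTHS})", candidate) or re.search(r"(19|20)\d\d", candidate):
        problems.append("contains a month or year")
    # Frequently used password filter, matched case-insensitively.
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in the frequently used password list")
    return problems
```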
What is annoying is to call a service desk and admit that you can't remember your password. A gentle way to avoid this is to give users a self-service solution. It is fast, and you don't need to tell anyone you can't remember your password!
Password exception processes
In most situations, the majority of companies have a manual process where a privileged user creates and delivers a new password. This opens up an additional risk:
Can the privileged users create and hand out passwords to the "wrong" user? The answer is yes.
It is obvious that organizations must put at least as much effort into password processes as they put into password policies and password security technologies. A basic principle for any solution must be that the process is defined by management! Furthermore, the process must be recorded so that it is available for monitoring.
Management must decide exactly what information the service desk analyst must have available to positively authenticate a user. The process can differ between user groups: users with access only to simple data might have a light process, whereas users with access to critical systems must have a 2-person authentication process. The complete process must be controlled by the password reset IT solution. If the service desk agents only have a manual process in place, monitoring becomes extremely challenging! The basic principles are:
- A password reset process is defined by management
- 2-person authentication is integrated for users with access to sensitive systems
- Users must be able to reset the password themselves through re-enrollment to a self-service portal
- Privileged users (service desk supporters) should not have access to standard tools (Windows) for a password reset.
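The facilitated reset workflow described above, sketched as an added example (not the page's or any vendor's code): a management-defined matrix decides which checks each user group needs and whether two distinct analysts must approve, every step is written to an audit trail, and the application itself performs the reset so the analyst never holds a privileged password. The group names, checks and the `directory` dict are assumptions:

```python
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed management-defined matrix (not from the page): the checks an analyst must
# complete for each user group and how many distinct approvers are needed.
RESET_POLICY = {
    "standard": {"checks": {"employee_id", "manager_name"}, "approvers": 1},
    "sensitive": {"checks": {"employee_id", "manager_name", "callback_on_file"}, "approvers": 2},
}

@dataclass
class ResetRequest:
    user: str
    group: str
    completed_checks: set = field(default_factory=set)
    approvers: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # every step is recorded for monitoring

    def log(self, actor, event):
        self.audit.append((datetime.now(timezone.utc).isoformat(), actor, event))

def record_check(req, analyst, check):
    """Analyst records one verification step; steps outside the defined process are refused."""
    if check not in RESET_POLICY[req.group]["checks"]:
        raise ValueError(f"{check} is not part of the {req.group} process")
    req.completed_checks.add(check)
    req.log(analyst, f"verified {check}")

def approve(req, analyst):
    """2-person authentication: the same analyst cannot supply both approvals."""
    if analyst in req.approvers:
        raise ValueError(f"{analyst} has already approved this request")
    req.approvers.append(analyst)
    req.log(analyst, "approved")

def execute_reset(req, directory):
    """The application, not the analyst, performs the reset, and only once every
    management-defined check and approval is present (`directory` is a hypothetical dict)."""
    policy = RESET_POLICY[req.group]
    missing = policy["checks"] - req.completed_checks
    if missing:
        raise PermissionError(f"missing verification: {sorted(missing)}")
    if len(req.approvers) < policy["approvers"]:
        raise PermissionError(f"{policy['approvers']} distinct approvers required")
    temp = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(16))
    directory[req.user] = {"temp_password": temp, "must_change": True}
    req.log("system", "temporary password issued; change required at next logon")
    return temp
```

In a real deployment the temporary password would be delivered to the user out of band and the audit list persisted to a tamper-evident store rather than returned in memory.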
IDC has in its Technology Spotlight: “Password Management and GDPR Compliance: Lowering Risk Through State-of-the-Art Assisted Password Reset” analyzed the issues and made some recommendations.