3 Authentication Strategies Organizations Need for Cybersecurity Today: Enterprise Password Management and Beyond

As world leaders scramble to navigate global threats, technology experts are imploring businesses to shore up their cybersecurity systems and business continuity plans to avoid a potential wave of state-backed cyberattacks. Modern IT security can sometimes feel like a moving target. With the laundry list of new developments and susceptibilities, sometimes IT teams forget the most vulnerable point of attack: Passwords.

Many information security professionals have long known that passwords are a weak link in the security chain. For example, one in four breaches in 2021 utilized stolen passwords, according to the latest Verizon Data Breach Investigations Report. So, in the case of foreign affairs (or everyday modern enterprise operations), all it takes is for a hacker to find a spreadsheet of accounts, as was the case with the recent Lapsus$ breach, to unleash business secrets and halt productivity.

Acknowledged but often unaddressed

Most organizations have recognized this vulnerability and adopted strong password guidelines: a minimum length, a required mix of letters, numbers, special characters, and capitalization, and password changes at set intervals. But this ever-growing list of password requirements makes passwords increasingly difficult to remember.

The proliferation of SaaS and applications has also exponentially increased the number of passwords, causing headaches for both users and IT professionals. Adding to the confusion, each of these passwords comes with a different user experience, expiration, and policy. Users respond to this complexity by avoiding changes and choosing weak and insecure passwords. They often compound the problem by reusing existing passwords and writing them down.

Poor hygiene and inconsistent maintenance can then lead to obstacles to the day-to-day operations of an organization. These difficulties range from minor to significant and include user frustration, a high volume of help desk calls, weak authentication, and, ultimately, compromised security and business continuity challenges.

The clear and present danger in shadow IT passwords

Strong corporate password management is essential to securing modern businesses. Even though companies are introducing longer-term strategies like Zero Trust, a quick win is to secure one of the most popular entry points for hackers – passwords. And with hundreds of shadow IT passwords decentralized, largely unmanaged, and subject to poor password hygiene outside your organization’s identity and access management program, it’s a considerable risk.

Moreover, while organizations should prepare for a passwordless authentication-based future, that reality is still a long way away. So, in the interim, companies need to implement a strategy that utilizes as few passwords as possible, including products such as a password manager for business, federation, and privileged access management (PAM).

Creating a new authentication foundation

An enterprise password safe and company password manager are the perfect complement to an organization’s existing password management software for business. These applications manage and store online credentials – making multiple logins a thing of the past. Employees won’t need to memorize 30-100 passwords to function in daily operations; instead, corporate password management tools only require users to know one password.

Businesses should complement an enterprise password manager with a time-based one-time password (TOTP) token to ensure better authentication. A strong password manager is necessary for storing encryption keys or even entire files. Depending on their nature, it’s also important that these secrets can be shared without the risk of being leaked or intercepted. This ultimately makes corporate password management for employees (and IT) seamless and more secure.

Company password managers are not the end-all-be-all of cybersecurity but rather a foundational piece of the security journey. Further authentication steps are needed to secure organizations against dynamic threats.

Taking it to the next level with federation

Once a company establishes a new foundation for corporate password management, enterprise organizations need to strongly consider federated access to solutions and resources. The best part? Federation provides the baseline for the goal of a passwordless experience down the road.

In a federated ecosystem, the system that authenticates the user is called the Identity Provider, or IdP. The application (or second system) is called the Service Provider, or SP, and the message sent between the two systems is called an assertion. It typically includes the user’s profile ID and other pertinent information that the SP needs to create a user session. The assertion is cryptographically signed, so the SP can trust that it came from the legitimate, authoritative IdP. An everyday example of federation is using a Gmail account or social media credentials to log into other applications, websites, and resources.
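To make the IdP/SP exchange concrete, here is an added example (not code from the original article or from any vendor) that models an assertion as a compact JWT-style token: the IdP signs the claims, and the SP accepts a session only if the signature, issuer, audience, and expiry all check out. It assumes a constructed shared HMAC key and the hypothetical names `https://idp.example` and `https://sp.example`; production SAML and OIDC deployments use the IdP's asymmetric signing key (XML-DSig or RS256/ES256), but the verification steps are the same.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key shared by the IdP and SP (HS256). A real IdP signs
# with a private key and publishes the public half; the SP checks are identical.
IDP_SIGNING_KEY = b"constructed-demo-key-do-not-use"
IDP_ISSUER = "https://idp.example"  # hypothetical issuer identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_assertion(subject: str, audience: str, key: bytes, now: int, ttl: int = 300) -> str:
    """IdP side: build header.claims and sign exactly those bytes."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def sp_verify_assertion(token: str, expected_audience: str, key: bytes, now: int) -> Optional[dict]:
    """SP side: return the claims only if every trust check passes, else None."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        return None  # malformed token
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
        return None
    expected_sig = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return None  # signature mismatch: not from the authoritative IdP, or tampered
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != expected_audience:
        return None  # issued by someone else, or meant for a different SP
    if now >= claims.get("exp", 0):
        return None  # stale assertion; refuse to mint a session
    return claims
```

The audience and expiry checks matter as much as the signature: a validly signed assertion issued for one SP must not be replayable against another, and an old one must not be accepted after its window closes.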

SaaS is the primary engine that drives federation. So, its off-premises capabilities are perfect for organizations that now exist in a world where hybrid and remote work are a possibility at any time, anywhere.

Federated access delivers increased security and efficiency for IT admins, and, by removing credentials from the process, provides an essential step in passwordless authentication. The challenge is creating that universal password-free experience because many applications and resources don’t yet support federated standards. Federation takes care of many challenges that arise with corporate password management, but what about the issues surrounding highly sensitive, privileged accounts?

Going all-in with privileged access management

Enterprise password management and federated access solutions concentrate on authenticating users with standing privileges in an environment. Standing access is an existing account in an enterprise business with the clearance level needed to complete a task that an employee can use anytime.

Many companies inevitably have a significant number of these types of accounts, but some applications are too critical to allow users to maintain standing access to them. For these accounts, especially those with high-value privileges, policies and controls should adhere to the principle of Zero Standing Privileges (ZSP).

In this case, security and IT teams will want to provide users with just-in-time (JIT) access to these solutions. That way, the organization can move towards a strategy that uses as few passwords as possible and supports Zero Trust.

Privileged access management (PAM) platforms operate on the fundamental premise of removing user access to persistent credentials largely held by power users and instead providing brokered access using temporary entitlements. By implementing PAM-enabled processes, like removing users’ access to high-value credentials and requiring them to request access instead, organizations can create a least trust environment that fosters Zero Trust.

This capability makes a privileged access management platform a requirement for enterprise organizations looking to round out a fully capable and protective cybersecurity stack.

The complete authentication picture

A password manager for business, federation, and privileged access management platforms are the perfect trio to secure organizations. These are proven and industry-adopted approaches to minimize the passwords users need. Each of these approaches measurably moves the organization down the path of their Zero Trust journey.

While federation is the go-to method for corporate password management when a solution supports it, modern business requires the flexibility and adaptability that comes with the addition of a company password manager and privileged access management. These three strategies will create a forward-looking and dynamic cybersecurity strategy to protect organizations today and continue to reduce risk in the future.