“Do you want to get rid of passwords once and for all?”, IT Pro Portal asked last week. 84% of people say yes, according to a recent survey from LaunchKey.
And why wouldn’t they? Stolen credentials are an ongoing, serious IT security problem. Using tools like key loggers, nation-state attackers and cyber criminals can easily capture user names and passwords.
It’s very difficult for even the largest organizations – which have IT security staff and budgets, as well as antimalware, antivirus, firewalls, IPS, IDS, and similar perimeter security tools – to protect themselves from these types of cyber attacks. So it can seem downright hopeless for small and midsize businesses.
According to security firm Mandiant, 100% of the data breaches they investigated involved stolen credentials. That figure seems to say all you need to know about the ability of passwords to protect access to your critical data.
So it would appear that passwords are inherently insecure. However, IT security professionals generally agree that passwords as an authentication method are not soon going away. The question is, what do you do next?
Start thinking about things like limited-time credentials with workflow approvals, multifactor authentication and risk scoring. And think about it from this point of view. If your user names and passwords are most likely being captured, that means you’re already compromised and the bad guys are already inside your machines.
Privileged Identity Management Defeats Stolen Credentials
Privileged identity management is an interesting element in this because when you consider the compromise of a superuser account, as opposed to a standard user account, the potential for consequences escalates tremendously. These superuser, or privileged, accounts are often called the keys to the IT kingdom for their ability to provide the access needed to change system configuration settings or run programs.
The purpose of a privileged identity management solution is to automatically find the privileged accounts wherever they exist in the enterprise, and then give each one of these accounts unique and frequently changing credentials. That way, when key loggers or other hacking tools manage to harvest credentials, the stolen credentials can only be used for a limited period of time and only in one place. If the credential is changed every two hours, the value of the attacker’s stolen credential is nullified.
Multifactor Authentication and Approval Workflows Provide Additional Layers of Security
With multifactor authentication, users are required to identify themselves with two unique factors. They use something they know (a password) and something they have (a hardware token) before being granted access to sensitive systems.
And with approval workflows, access to the system requires the permission of a gatekeeper. An IT admin might want access to a certain machine, but first someone else must provide approvals. The owner of the system is pinged. He’s asked if it’s okay for the admin to have administrative access to the system. If he says yes, the admin is in. But only for a limited time.
Privileged Access Risk Scoring
The next iteration in privileged identity management involves risk scoring. Large organizations look at the contextual usage of identities to determine the risks associated with how an identity is used and where it’s used from. Time and date, IP address and geography are factored into risk scoring.
Privileged identity management works with analytics engines to provide real-time risk scores that are adaptive to individual users. You might see that a certain employee historically accesses a particular sensitive system once or twice a week. But then if that employee suddenly begins accessing that sensitive system four or five times a day, while also requesting access to machines he’s never used before, this builds up the risk score. A high enough risk score triggers an alert or even shuts down the account altogether.
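The scenario above can be sketched as a small per-user scorer. This is an added example, not code from any privileged identity management product; it covers only two of the signals mentioned (access frequency against the user's own history, and machines never used before), and the weights, thresholds, user name and host names are all assumed for illustration.

```python
import math
from collections import Counter, defaultdict
from datetime import date

# All weights and thresholds are assumed values chosen for illustration.
NEW_HOST_POINTS = 25      # per machine the user has never accessed before
SPIKE_POINTS = 20         # per doubling over the user's busiest past day
SPIKE_CAP = 50            # ceiling on one host's frequency contribution
ALERT_AT, DISABLE_AT = 50, 80

def build_baseline(history):
    """history: iterable of (user, host, date) access records.
    Returns {user: {host: most accesses seen on any single day}}."""
    per_day = Counter(history)              # (user, host, day) -> count
    baseline = defaultdict(dict)
    for (user, host, _day), n in per_day.items():
        baseline[user][host] = max(baseline[user].get(host, 0), n)
    return baseline

def risk_score(baseline, user, hosts_today):
    """Score one user's accesses for the current day on a 0-100 scale."""
    known = baseline.get(user, {})
    score = 0.0
    for host, n in Counter(hosts_today).items():
        if host not in known:
            score += NEW_HOST_POINTS        # never-before-used machine
        elif n > known[host]:
            # Logarithmic so each doubling over the baseline adds equally.
            score += min(SPIKE_CAP, SPIKE_POINTS * math.log2(n / known[host]))
    return min(100, round(score))

def action(score):
    """Map a score to the response: shut down, alert, or allow."""
    if score >= DISABLE_AT:
        return "disable"
    return "alert" if score >= ALERT_AT else "allow"

# Constructed sample data: "alice" uses "payroll-db" twice a week for four weeks.
HISTORY = [("alice", "payroll-db", date(2024, 1, d))
           for d in (2, 4, 9, 11, 16, 18, 23, 25)]
BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    for today in (["payroll-db"],
                  ["payroll-db"] * 5,
                  ["payroll-db"] * 5 + ["hr-files", "dc01"]):
        s = risk_score(BASELINE, "alice", today)
        print(f"{len(today)} accesses -> score {s}, {action(s)}")
```

With these assumed weights, the frequency spike alone stays below the alert threshold, and it is the combination with previously unused machines that pushes the account to an alert or a shutdown.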
Prevent Mass Harvesting of Credentials
Intruders may get in and passwords may get compromised. But privileged identity management prevents mass harvesting of credentials and persistent administrative access. Rather than giving everyone the keys to all things in the kingdom, you can parcel the keys out one at a time. And only for a limited period.