Password Management in a New Era of Remote Working
By: Matthew Vulpis
Originally published in TechZone 360
2020 was a year of tremendous chaos and stress on many levels and stretched the limits of IT teams who were responsible for securing corporate assets, as entire companies sent employees home to work, including those same IT teams. A new generation of IT heroes was born, and CIOs, CISOs, and IT analysts and managers stepped up to address uncommon challenges, even as cyberattacks grew to all-time highs.
Among the many puzzles to be solved were password policies, monitoring, management, and – above all – automation. As the Verizon DBIR reported last year, most cyber breaches happened due to mismanaged passwords, whether shared, easily compromised, or stolen. Whether the credentials were misused accidentally or intentionally, individuals continued to be at fault for most hacks: full- or part-time employees, consultants and contractors, or even third-party vendors with access to critical infrastructure.
Something as simple as maintaining a complex password could go a long way, but doing so can be anything but simple. The dispersion of the workforce threw a wrench into the more stable environment in which most employees had worked within the physical perimeter of the workplace.
Nearly every worker is aware that weak passwords (like 12345 or ABCDE) are not secure. Consumers are now routinely prompted to use passwords with certain combinations of upper case, lower case, numbers, and symbols, and they are increasingly opting in to let the platforms of the services they subscribe to generate and store complex passwords in a personal vault automatically.
It goes without saying that every organization should go beyond requiring the use of strong passwords on all devices, whether company-owned or not. The best cybersecurity systems are virtually useless if remote users use weak passwords.
We asked Michael Fritzlo, Executive Chairman of Ironsphere, a privileged access management software company, what they recommend as we embark on a new year, where few doubt the workplace will ever return to what we used to consider “normal.”
“The strongest passwords are long and random, contain a mix of alpha, numeric, and special characters, have both upper- and lower-case letters, and are essentially impossible to guess,” Fritzlo said. “Strong passwords are also changed frequently to ensure that if the password were to become compromised, it would be replaced immediately, which is where password vault automation comes in.”
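The policy Fritzlo describes (long, random, all four character classes, rotated on a schedule) is easy to state and easy to get subtly wrong. The following is an added example, not code from the article or from Ironsphere, showing a generator that draws from the OS CSPRNG and keeps the distribution uniform over policy-compliant passwords by rejection sampling, a policy checker that rejects the weak examples quoted earlier, and a rotation-age check; the 16-character minimum and 30-day maximum age are assumed values, not figures from the article.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone
from typing import Optional

# Character classes the policy requires; a compliant password must
# contain at least one character from each of the four.
CLASSES = (
    string.ascii_uppercase,
    string.ascii_lowercase,
    string.digits,
    "!@#$%^&*()-_=+[]{}:,.?",
)
ALPHABET = "".join(CLASSES)

def meets_policy(pw: str, min_len: int = 16) -> bool:
    """True if pw is at least min_len characters and covers every class."""
    return len(pw) >= min_len and all(any(c in cls for c in pw) for cls in CLASSES)

def generate_password(length: int = 24) -> str:
    """Uniform draws from the full alphabet via secrets (CSPRNG); draws that
    miss a class are discarded, so the result is uniform over compliant
    passwords rather than biased by forcing one character per class."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw, min_len=length):
            return pw

def needs_rotation(last_changed: str, max_age_days: int = 30,
                   now: Optional[str] = None) -> bool:
    """Rotation trigger used by a vault: True when the credential, given as an
    ISO 8601 timestamp, is at least max_age_days old (assumed 30-day limit)."""
    changed_at = datetime.fromisoformat(last_changed)
    now_at = datetime.fromisoformat(now) if now else datetime.now(timezone.utc)
    return now_at - changed_at >= timedelta(days=max_age_days)

if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw))
    # Constructed timestamps: a credential set 1 Nov 2020, checked 15 Dec 2020.
    print(needs_rotation("2020-11-01T00:00:00+00:00", now="2020-12-15T00:00:00+00:00"))
```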
In addition to remote working security basics (for example, security software on all devices, continual updates to operating systems to address new vulnerabilities, the use of a Virtual Private Network with data encryption, a minimum of two-factor authentication and preferably multi-factor authentication, and clear policies and guidelines on sharing and saving information), Michael Fritzlo indicated: “Advanced software-based approaches and cybersecurity automation enable organizations to protect themselves from one of the primary causes of breaches – adversaries taking control of privileged accounts by being able to ‘crack the code’ on privileged users’ passwords.”
“Rather than trusting privileged users to set up and remember passwords, modern approaches automate this process, where users’ credentials are securely stored within a vault where access is determined by Role-Based Access Controls, and passwords are encrypted with algorithms. Advanced Password Vaults update passwords across the entire IT infrastructure, ensuring the protection of networks, servers, applications, and data. For comprehensive coverage, automated systems can also secure end-point devices from being compromised, even if credentials are lost, shared, or stolen.”
While a variety of solutions are available in the market today, and hundreds of thousands of organizations, from small and medium businesses to government agencies and educational institutions, have certain policies and authentication capabilities in place, Fritzlo said that, given the growth and sophistication of attacks, an advanced password vault posture is critical.
“A systematic approach is key; this is not something that should be done halfway. IT leaders should ensure that their password vault manager will be able to work with all relevant systems, including remote desktops, virtual desktops, web and browser-based applications, across all mobile devices including smartphones and laptops,” Michael Fritzlo said. “The installation and configuration should be easy or invisible to end-users, and auto-discovery should be included to minimize work time and mistakes.”
Fritzlo also said filtering, alerting, reporting, analytics, and cost should be part of the evolution of password automation and pointed out the relationship to data governance and risk.
For example, does the solution interoperate with third-party vendor products (web servers, app servers, routers, and other networking equipment)?
Does the solution work seamlessly with ITSM solutions for change management and governance control?
Is 100% keylogging and recording included to support compliance and audit requirements?
“With the right password vault technology, organizations prevent unauthorized access to critical systems and stop attacks using stolen privileged credentials,” Fritzlo concluded. “Imagine the difference when more organizations use this technology to prevent adversaries from breaking into their infrastructure; while cybercriminals are increasingly sophisticated, they will have to work harder, and they will learn that even if they attempt to circumvent systems, the systems are recording their every keystroke, which will enable law enforcement to track down intruders, making the investment in stealing information or taking control of assets less attractive.”
We have all found ourselves in a different world of work given the events that have defined 2020, and few professionals are feeling the pressure more than IT and OT teams.
Just as cyber risks evolve, the evolution of risk appetite frameworks is more active than ever. With more sophisticated adversaries, more digital transformation initiatives, more mobile workers, ecosystem partnerships, and connectivity to multiple clouds and services, enlightened management teams and their boards are updating their levels of “risk tolerance.”
Two-factor authentication has been around for decades – requiring an additional step after entering a username and password, for example entering a one-time security code sent to a mobile device – to access applications, systems, and data.