Identity and Access Management - How to stop your users taking you to the data apocalypse: part 1
This week, Core is presenting on behalf of One Identity at IDM Whitehall, and I thought it would be fitting for this weeks’ blog, the latest in my Identity and Access Management series, to focus on the content of that seminar: identity hacking and how to prevent it.
Getting back to basics
One of the main things I come across when initially talking to customers about Identity and Access Management is a challenge as to what business value it delivers. Why spend money on an enterprise IDAM solution when Azure AD can deliver a lot of the functionality? And it’s a fair challenge for some customers; in fact, for customers that are only adopting Microsoft’s cloud platform, Azure AD is a suitable solution if you switch all of the right features on.
However, it’s rare to come across a customer that is truly only consuming cloud services from one provider. Most companies today are using a host of cloud services, from accounting and payroll, through HR, expenses, CRM, purchasing and social media. Better yet, they are probably consuming multiple platforms for each of these. For instance, a lot of companies have an official presence on LinkedIn, Facebook and Twitter, services like Glassdoor and Trustpilot, and I know a lot of companies of various sizes that buy items for their businesses on Amazon and eBay.
These are all cloud services, and all of them present a challenge to your business. But most businesses don’t think of them as cloud services, or discount them because they don’t contain corporate or personally identifiable data, so they don’t realise the potential security challenges that they can present.
People: the double-edged sword
If there is one single thing every business on the planet needs to be successful, it’s people. Currently, there is not one successful business that doesn’t have people driving it forward, and typically, the better the people, the more successful the business is.
But, this same critical resource is also the biggest security threat to your business. Specifically, people are the biggest factor in enabling a data breach, with all of the regulatory, reputational and remediation costs that come with it.
There are actually two key reasons why, but both of them are there purely to support the limitations of human beings when we need to give them access to data and services.
The first of these is the desire to provide the customer with a great, frictionless user experience. Nobody wants to sell or drive consumption of a cloud platform that is a hassle for users to access, and no user is going to flock to a platform that is difficult or challenging to use. Software providers globally spend millions of dollars collectively trying to make the user experience as easy and intuitive as possible, with pleasing visuals and common-sense navigation, (and also, great platform-level security). This has to extend out to the whole experience including the initial log in. Sure, it needs to be secure, but it also needs to be friendly and relatively straightforward for the user. If the initial log in process is too complicated user interest will fall at the first hurdle.
So, typically every cloud platform has pared down its (at least initial) log in process down to a simple de facto standard: give me your username and your password in order to gain access. If you are really lucky, the user may have the option to switch more security on, but whether they do or not is a different story.
Nothing unusual so far… this is the model we have used for access in the workplace for years, right? Well, actually, it is this experiential piece that has been the main driver for ‘Shadow IT’ solutions over the years; people using non-approved services because they are easier to use than the corporate-approved applications (coincidentally, also adding to the problems that we highlight in this blog).
The problem with human beings
This leads into the second and main reason for the security challenge: human beings are not good at memorising multiple complex usernames and passwords.
One of the ways that the software industry copes with this, is to suggest (or mandate) that your username is your primary email address, so you have one less thing to remember.
Email addresses are, by nature, not protected information. We share them with anyone we communicate with, on social media platforms, and give them out to anyone who asks for it. As a result, the entire security factor protecting the data in your cloud applications may revolve around only one factor: a password.
Reminder: human beings are not good at memorising multiple complex passwords. We just weren’t designed for it. So, your people will generally be using one of the following strategies for their password, not just in your corporate platforms, but also in their own consumer applications, which multiplies the threat substantially, and they are deliberately listed in order of adoption.
Strategy 1 – The Golden Password
Conventional wisdom is that if you create a suitably complicated alpha numeric password, or string of three random words, you will be secure. Well, partly; at least you can be relatively secure from some sort of brute-force attack. But, if your golden password is compromised in any way, a cyber threat actor then has access to everything. Your golden password could be compromised in a number of ways:
- Phishing attack
- A breach on one of the platforms you use
- A breach on a device
- Via key logging or a “man in the middle” attack
- Someone watching the keys you tap while you are at your desk (unless you work alone in a SCIF room), in a coffee shop or some other public place while you are accessing any service, personal or corporate
The golden password model is the most common password strategy for human beings. And just because you enforce a 30, 60 or 90-day password refresh on corporate platforms, don’t think for one minute you have solved this problem. The most likely coping mechanism for that one, is for the user to simply change a digit, normally at the end of the password string, each time the password is updated.
For the Digital Jedis in IT that would never dream of this approach, if you don’t believe me, look at the password histories of your employees. Even if they are hashed out, are they always the same length or do they increase by one character after 10 resets? Bingo…
N.B. – Some people think that when any website asks for a username and a password, they have to use the same one as they use on the device, or they won’t get access. My parents both came to this conclusion independently and merrily used (until I corrected them), the same single set of credentials for everything, because they thought that there was some magic key inside their device that tied this all together. This isn’t a generational thing; I know a few Millennials that came to the same conclusion, thinking there was some form of global identity specific encryption at play.
Strategy 2 – The Password List
The second most widely-used strategy for coping with managing complex password requirements is for someone to create a list of passwords. This can either be for someone who just cannot memorise a password at all, or someone who is aware enough to know that “one password to rule them all” is not wise, but they aren’t advanced enough technically to use our next strategy.
Password lists exist in many forms, ranging from post-it notes on the monitor or a cork board, to notebooks, through to the note-taking application on a mobile phone. If you are really lucky, someone using the latter may have password-protected the note application, but don’t count on it… and it doesn’t matter anyway in a lot of scenarios.
In this model, the people still generate the password themselves, from their brain, and this again can lead to predictable behaviours, repetition or re-use. Incorporating the name of the family dog, a favourite restaurant or someone’s birthday is probably secure enough to withstand brute force attacks, but not beyond some social engineering.
For mobile employees the password list needs to be mobile too, so they will either have a notebook or a note app with them at all times. If they are logging in somewhere in public, they will probably open the notebook or app to get their password as they log on. Anyone with a smartphone camera could take a snap, (and the likelihood is that the page won’t just have the one password contained on it). Or, they could lose the notebook or device.
As for the post-it notes on the monitor or elsewhere in the office, well they are safe because they are in the office, aren’t they? Not really. Your office will have various people within it - disgruntled employees, contractors, visitors, cleaners, delivery people… a whole host of human beings who may have an even larger host of reasons why obtaining a password would be useful or desirable.
Strategy 3 – The Password Manager
The truly enlightened will hopefully be using some form of Password Manager that will generate a unique, complex password for each platform, air-gapping every platform you access from the others and providing the perfect circle of security.
There are a wide range of Password Managers in the marketplace and most of them are very secure, leveraging biometric capabilities of the device for access and enabling 2-factor authentication for access. The best ones are paid apps or require an ongoing subscription, which is important to note. I’m not sure anyone should trust a “free” password management tool. And that is the holy grail for solutions outside of an enterprise IDAM solution, except for a couple of things…
Firstly, not every device or password manager app enables biometrics, in which case the user will need to (you guessed it) enter a username and password to gain access, or in some cases a passcode on a phone handset. Also, quite often, 2FA is an option rather than a mandated requirement that the user needs to accept and switch on. This throws us back to all of the issues of phishing or someone seeing your access password while you enter it. And if you only need it as a backup in the event that your device is lost or damaged, how do you remember it? We are back to golden password or password list territory.
If the Password Manager is not integrated with corporate devices or apps, this again will lead to someone logging into the Password Manager interface, where they will be presented with a range of usernames and passwords to either key in or copy and paste, that again could be compromised by anyone in eyeline of the screen.
If you are a complete Digital Jedi, and you have switched on the biometrics and 2FA, you are relatively secure, or as secure as you can be independently. But you have a productivity problem if you lose or break your primary device.
Chances are you will have to revert back to some sort of username or password combination with a verification process to get access back to your passwords, and that is a vector that could be exploited by a cyber-criminal. SMS messages can be intercepted or diverted, as can email traffic.
So, what IS the answer?
Having this discussion with a customer is always interesting. In the IT world, we tend to be focussed on what is happening at 40,000 feet, looking at strategic issues, high-tech developments and clever solves for complex problems. The result is, we tend to forget about ground-level issues where the basic problems are.
This is the point in the conversation where the worried look creeps in and the reality of the risk is obvious. They always knew it, really, it had just been forgotten because other challenges frankly are more interesting. Or maybe the problem has been forgotten because there is no obvious solution for it?
The absolute worst part about all three of the scenarios above, is that in every case you won’t know that a password has been compromised until you have had a breach. Maybe you would in the event that someone lost the password list notebook, (as long as they looked for it relatively quickly afterwards), and then immediately notified everyone and got them to change their passwords…
Here comes another human failing: we as human beings don’t like admitting that we have made a mistake, and there is a very real chance that a percentage of people, having lost their password list, might delay taking action while they panic about the potential repercussions of exposing their mistake to their employer, or try to figure out a way to get out of the problem without involving anyone else.
And there are other breaches all of the time. I have had a number of identities compromised through platform-level breaches on LinkedIn, Twitter, Last FM, Talk-Talk and a couple of others. I haven’t done anything wrong, but my credentials got out. In my case they were all personal apps, but all were a potential issue for my employers at the time. In the early days, I used to use a small number of golden passwords, one for general personal, low threat log ins; one for subscriptions and anything with payment details; and a third for work stuff, so there was an air gap between each one, a small layer of protection. That was the limit of what I could manage in psychic RAM.
Now I do something different….
The cold hard reality of this is that there is no single system or strategy that is 100 per cent secure. And that is fine. You don’t have to swim faster than the shark to not get eaten, you just need to swim faster than the person next to you.
That said, you can get a significant order of magnitude higher than all of the strategies listed above by adopting an enterprise grade IDAM solution, such as Aurora. Aurora enables us to provide multiple layers of security to protect against or completely mitigate all of these issues. In the shark analogy above, IDAM is a fairly substantial boat, with a couple of guys to help you out of the water and a couple more guys with harpoons.
Read part two of 'How to stop your users taking you to the data apocalypse' here.