A recent study by Microsoft found that multi-factor authentication alone stops…
As a kid growing up in the ‘80s, I remember in elementary school a discussion predicting we would have flying cars by the time I was a grown-up. Almost four decades later, no flying cars, yet technology is the common denominator when it comes to how we work, socialize with our networks and consume information.
While not as exciting as a flying DeLorean, I also remember a manager telling me a number of years ago about how passwords would soon be rendered obsolete. Biometrics were going to take over and make passwords a relic of the past. While there is an abundant use of biometric technologies as a means of authentication for personal devices today, it has not yet completely made its way into the corporate world. Passwordless authentication is catching on as well, but it is not quite ready for widespread use, especially for legacy systems. So, as I write this nearly 15 years after that conversation with my manager, passwords are still here and they remain king as far as authentication is concerned. At least for a while longer anyway.
Why is Password Management Necessary?
IT security has made tremendous strides since my manager’s prognostication, yet, many organizations continue to struggle with password management today. Until we can completely rid ourselves of the necessity to use passwords, it will be common for people to use bad password habits when left to their own choices. Some of these bad habits include using easily guessable words, reusing the same passwords for both work and personal accounts, and even writing passwords down on sticky notes at work. This creates vulnerability in the workplace, especially when users are being required to authenticate to more and more systems to perform their jobs. Meanwhile, hackers continue to develop sophisticated tactics, and security breach attempts are increasing along with that sophistication. Cybercriminals are using advanced, automated techniques to phish and steal credentials. Passwords are the weakest link in cybersecurity.
We all probably agree that most employees are security conscious and do not intentionally put their organization at risk. We all want to guard our data, whether it is personal information, or information that we use in our professional careers. However, we live in a world with many passwords to remember. As I mentioned above, it is easy to become complacent and overlook using complicated passwords, or forget to perform regular password updates. Now, multiply that by how many accounts you have and the password management problem becomes very apparent. Implementing a password management solution is an absolute necessity to keep systems and information safe. Fortunately, solutions exist.
Choosing the Right Solution
There are many password management options available on the market and choosing the right solution can be difficult. Keep in mind that a password management solution should make use of industry-accepted identity governance principles while giving users the ability to easily manage their credentials across the organization. Below, I’ve highlighted a few other important capabilities that every solution should include.
Configurable password policies strengthen security by using consistent enforcement across all applications. Policies can be set up to force the use of strong passwords and prevent reuse. Policies can be configured to require that passwords contain a minimum number of characters, including the use of numbers, special characters, and both lower and upper case letters. The ability to automatically expire and push password resets on a scheduled basis should also be a basic features.
MFA is an authentication method that grants user access after presenting two or more pieces of evidence (factors) to verify their identity. Using multiple authentication factors to prove one’s identity greatly helps prevent unauthorized access. Security is tightened with MFA because it is unlikely that bad actors could supply the additional personalized factor(s) required for access. This can be as simple as pushing a text message that includes a temporary code to the user’s personal device.
While this feature is not mandatory, it should be strongly considered. Privileged user access is when an employee is granted a higher level of access to data or applications, such as root or system administrator access. Credentials needed for these privileged accounts are commonly provided to many different people. A password solution that forces users to “check out” privileged credentials for a temporary amount of time can help track who has access to what and when. Also, the passwords can be configured to automatically reset after each user is finished using them. Not only does this increase security, but it also helps with auditing and can add an approval process to limit who can access sensitive information and systems. Stealthbits, a Zirous partner, even takes this a step further with their just-in-time, just-enough privilege approach by requiring that an account doesn’t even have to exist until it is needed.
Software as a service is another feature that is not mandatory, but also worth mentioning. Be sure to investigate SaaS offerings and how they can further simplify password management for your organization. With SaaS, features will be continuously improving and won’t require any patching or upgrading on your part. Another Zirous technology partner, Sailpoint, has a great password management solution within their IdentityNow SaaS offering.
Benefits Beyond Security
There are other benefits to expect from organized password management. First, reducing the daily burden on the IT support staff can be realized. Gartner estimates that 40% of all helpdesk calls are related to passwords, so there is plenty of room to reduce unnecessary operational expense. When calls to the helpdesk are reduced, IT staff can focus on work that really matters. Also, empowering users to take care of their own password management will increase their satisfaction. An easy to use interface can help eliminate user frustration from being locked out of accounts. A solution that offers personalized security questions will also help automate password reset processes and reduce time to get up and running again. Admittedly, this benefit is more difficult to measure, but giving users the power to quickly fix their own password issues helps eliminate frustration from their workday.
By making password security practices part of the normal routine, the possibilities of a data breach can be significantly reduced. Plus, users will be happier with an easier process and the IT staff can worry less about support and be more effective and strategic. So, until biometrics and passwordless authentication (and maybe flying cars) become more commonplace and affordable, let’s make using passwords as safe as possible.
True Technology Partners
Making the right decision can be a daunting task. We have only scratched the surface of capabilities, features, and limitations to consider when it comes to a password management system. Zirous is an experienced strategic consultant partnered with the best solutions (Oracle, Sailpoint, Stealthbits, and Okta) to navigate the ever changing technological landscape. With 35 years of experience in the technology industry, Zirous is the right partner to set your business up for long-term success. Let’s get started!