Locking Down Identities in the Cloud Era
We’ve been conditioned to think that hackers orchestrate sophisticated break-ins to steal data or otherwise breach an organization. We might also imagine that elite hackers find back doors or create applications to take over systems.
Although these scenarios are possible, the greater security threat is more mundane and more effective for cybercriminals: stealing the right identities. Compromised identities are bought and sold on the Dark Web, and they are then often used to breach organizations. An estimated 80 percent of hacking-related breaches in 2018 involved compromised and weak credentials, according to Verizon’s 2019 Data Breach Investigations Report.
Compromised identities are most often the key to bypassing the security gates we’ve established. Using stolen credentials, cybercriminals effectively walk in the front door and out the back with all our personal information.
If organizations do care about preventing this from happening in the future, their leaders should make protecting identities a priority—especially in the cloud era. Two essential steps can help protect an organization’s core identities, regardless of whether those identities are for internal employees or customers.
The Technical Step
The first step is to take precautions from a technical perspective. All passwords must be stored in a one-way hashed and salted format, if possible. This alone dramatically reduces the chances that a stolen password database can be reversed and used.
Another important technical protection is to require multifactor authentication for internal and external users. Wherever people need to log in to your IT assets, require two pieces of information to gain access, such as a password and a time-based one-time token. End users might grumble, but they will become comfortable with multifactor authentication and see its value when their credentials are not easily compromised.
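As an added illustration of the two controls above (not code from the article or from JumpCloud), this Python example stores a password as a salted one-way hash and checks a time-based one-time code per RFC 6238, refusing replayed codes. The choice of PBKDF2, its work factor, the `user` record layout and the sample secret are assumptions.

```python
import base64, hashlib, hmac, os, struct

PBKDF2_ROUNDS = 600_000  # assumed work factor; tune to your hardware
# Constructed sample secret: base32 of the RFC 6238 test key "12345678901234567890".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hash_password(password, salt=None):
    """Return (salt, digest). Only these two values are stored, never the password."""
    salt = salt or os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def check_password(password, salt, digest):
    candidate = hash_password(password, salt)[1]
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 time-based code (HMAC-SHA1) for the time step containing `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(base64.b32decode(secret_b32), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def check_totp(secret_b32, code, now, last_step=-1, step=30):
    """Return the matched time step, or None. Accepts the current and previous
    step for clock drift and refuses any step already used (replay)."""
    current = int(now) // step
    for candidate in (current, current - 1):
        expected = totp(secret_b32, candidate * step, step)
        if candidate > last_step and hmac.compare_digest(expected, code):
            return candidate
    return None

def login(user, password, code, now):
    """Both factors must pass; `user` is a hypothetical stored record (dict)."""
    if not check_password(password, user["salt"], user["digest"]):
        return False
    matched = check_totp(user["totp_secret"], code, now, user["last_step"])
    if matched is None:
        return False
    user["last_step"] = matched  # remember it so the same code cannot be reused
    return True
```

Because each user gets a random salt, two users with the same password end up with different stored digests, so one cracked entry does not reveal the other.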
Other technical protections to implement include encrypting all data at rest and in flight. Make sure it’s more difficult for an unauthorized person to see your information.
Consider, too, tracking who is logging into your assets—when, from where, and how. The more you know, the more chances you have to identify and rectify problems before they escalate.
The Training Step
The second step is to train internal and external constituencies on how they can protect themselves.
Humans are the weak link when it comes to protecting our own identities. We can be socially engineered, tricked, or simply careless. Regardless of why, the end result is the same: our credentials become compromised.
Training can cover many areas, but the basics are to encourage users, where possible, to use long passwords (16 or more characters), create unique passwords for accounts, use multifactor authentication, avoid sharing passwords, and limit social media exposure.
These protections, like those on the technical side, will not eliminate the chance your organization’s identities are compromised, but they dramatically reduce the likelihood.
Most organizations that are compromised do care about security. It is a difficult problem to address, and it becomes more challenging still when the right stolen identity can bypass the security infrastructure in place. With the right approaches, technology, and training, it is possible to lock down your identities and potentially prevent a compromise.
Greg Keller is chief strategy officer at JumpCloud.