Going Beyond Usernames and Passwords
Phil Turner, VP EMEA, Okta
As businesses increase their usage of cloud applications and services, security concerns are rapidly taking centre stage within IT departments. Today’s organisations not only have to maintain visibility over who has access to what at a time when more and more employees use phones and tablets to access both personal and work-related information; they also have to protect a mix of on-premises and cloud applications, most of which leverage their own identity store and security model to secure sensitive data, making it difficult for IT to enforce uniform control policies.
Subject to the significant security threat posed by users themselves — who tend to either use the same insecure password across all personal and professional channels, or leave passwords written on pieces of paper for all to see — both individuals and large groups of users are vulnerable to password theft. These acts of password theft can result in credentials being sold individually or in bulk on the black market to any criminal organisation that might want them. So how can businesses protect themselves from password breaches? The key is to efficiently manage the roles and access of individual network users within an enterprise — and supplement the insecure username and password with strong and easy-to-use second factors.
The danger behind passwords
Traditional web applications are protected with single-factor authentication: a username and password. In addition to being difficult to remember, these credentials leave sensitive data and applications vulnerable to a variety of attacks. Hackers are using increasingly widespread and sophisticated techniques to steal passwords to consumer, banking, and enterprise applications. Companies of all sizes, including the likes of Sony and Thomson, have previously been at risk.
While individuals are more vulnerable to password theft via highly targeted phishing attacks, large groups of users can be compromised by an attack on a specific vendor holding their credentials. The effect of a stolen password is magnified by the fact that users frequently reuse passwords across multiple applications. This means that a stolen Facebook or Financial Times password may compromise users’ Salesforce.com or Active Directory accounts.
As enterprises adopt more cloud applications, addressing this threat will become increasingly critical. Unlike older on-premises applications, cloud applications are accessible to anyone on the public Internet. And while enterprise cloud software vendors like Salesforce.com and Workday go to considerable measures to ensure they run a highly available and secure service, their login screens are equally as available to attackers as to legitimate users.
What’s more, today’s cloud applications do not easily integrate with existing enterprise products used to monitor dangerous security events, which can make password breaches of enterprise cloud apps difficult if not impossible for most IT organisations to detect.
Enter Multifactor Authentication
Due to increased breaches, over the past two years businesses have begun to adopt new security standards that meet current enterprise needs.
To allow users to log in to their applications, organisations have typically relied on one-factor authentication — a username and password — plus a verification step such as a security question to protect their applications. However, today a growing number of businesses are implementing multifactor authentication (MFA) to protect against the range of attacks that rely on stealing user credentials.
This highly secure authentication mechanism involves the use of two or more different types of authentication — such as a password plus a temporary key which is sent to a user’s phone, dongle, email address, or app to ensure users are who they say they are, reducing the risk of unauthorised access.
Using single-use, expiring tokens to exchange authentication and authorisation data between a trusted identity provider and an application, MFA eliminates the need for people using the service to remember a separate username and password for each application. With MFA in place, a stolen password alone is not enough to gain access to the account.
Supplementing the password
Adding MFA one app at a time is simply not practical, as it would require administrators and users to juggle dozens of factor types across as many applications. What organisations need is a unified access gateway that applies equally to VPNs and to on-premises and cloud-based applications.
While traditionally, MFA solutions were purpose built for large enterprises, the cloud is democratising its use for companies of all sizes, so that smaller companies can benefit from this technology as well.
Businesses can choose from a variety of second-factor options, balancing the needs of their user base, the sensitivity of the applications they are protecting, and overall ease of use. While some enterprises may choose to use security questions as an added form of protection, others may implement a text message option which will work with any SMS-enabled cell phone. Additionally, other companies may opt for a “soft token” — an app installed on a smartphone which generates a single-use six-digit number that users enter to access protected resources.
With companies of all sizes going digital, the number of applications, access points and user types within organisations will continue to grow and diversify, creating an increasingly urgent need to gain visibility and control whilst also simplifying user access to cloud systems.
For any organisation looking to maintain control of its applications and data, having a holistic understanding of the network and its surroundings is imperative. By adopting services such as MFA, businesses can reduce concerns over visibility of users, devices and applications and realise the benefits of operating in a cloud-first environment, giving employees access to the apps they need, when and where they want them.