Top 3 things that enterprises can do to improve data security
Passwords have long been an imperfect IT security solution ripe for improvement. But their use persists, much to the annoyance of staff and delight of bad actors. However, the tide is turning, and now is the perfect time for organizations to consider the future of passwords and take major steps to improve their data security.
What’s wrong with passwords?
While it’s easy to point the finger at passwords as being the problem, there are contributing human factors too. Having to remember multiple passwords is a pain and the task gets harder with every additional account. And it’s a big reason why – contrary to cybersecurity recommendations – people reuse passwords, having the same (or very similar) secrets associated with multiple accounts.
Password managers make juggling multiple credentials much less onerous, and they avoid other security fails such as account secrets written on Post-it notes or listed in a shared MS Word document. But a password manager is unlocked with a master password, so the whole vault is exposed if that one secret is revealed. And, depending on the solution, users may be syncing their encrypted vaults to the cloud, which extends the attack surface beyond the local machine: a copy of the vault stolen from the provider can be attacked offline, with the strength of the master password as the only remaining defence.
Coming up with a password that is unique, memorable, and hard for an attacker to guess is where most people fail, and that is arguably the biggest password problem. The wordlists and cracking dictionaries used to break into user accounts are bulging with real credentials thanks to numerous data breaches.
Statistics gathered by Have I Been Pwned (HIBP), a website set up by Troy Hunt, a cybersecurity trainer and author of a range of ethical hacking courses, illustrate the scale of the problem. Using HIBP, anyone can quickly check whether their online account details have been spilled across the internet, and the service's tally of verified data breaches runs to more than 12 billion account entries.
The website's Pwned Passwords service also lets users see whether a password has ever circulated before. The client hashes the password with SHA-1 and sends only the first five hexadecimal characters of that hash; the server answers with every hash suffix sharing that prefix, and the match is made locally, so the password itself never leaves the user's machine. The dictionary behind it holds 320 million secrets that are no longer safe to use. Again, the service is a useful reminder that all is not well in password land.
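The hash-prefix lookup described above is worth seeing end to end, because it is the reason a breached-password check can be added to a sign-up form without shipping users' passwords to a third party. The example below is an added illustration, not code from HIBP or from this article: it builds a small, constructed breach corpus with made-up counts, serves range queries from it the way the real `range` endpoint does, and checks a password by sending only the five-character prefix. The corpus contents, the `range_lookup` stand-in and the `pwned_count` helper are assumptions for the sake of the demonstration.

```python
import hashlib

# Constructed stand-in for the Pwned Passwords corpus (hypothetical counts);
# the real service holds hundreds of millions of breached passwords.
CONSTRUCTED_BREACHED = {
    "password": 9_000_000,
    "123456": 24_000_000,
    "letmein": 150_000,
    "P@ssw0rd": 60_000,
}


def sha1_upper(password: str) -> str:
    """Pwned Passwords keys its dictionary on the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: dict) -> dict:
    """Group hashes by their first five hex characters, the way the server does."""
    index: dict = {}
    for pw, count in breached.items():
        digest = sha1_upper(pw)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHED)


def range_lookup(prefix: str) -> str:
    """Offline stand-in (assumption) for GET https://api.pwnedpasswords.com/range/<prefix>.

    The real endpoint returns one 'SUFFIX:COUNT' line per hash that shares the
    five-character prefix; the client never sends the full hash.
    """
    rows = RANGE_INDEX.get(prefix.upper(), [])
    return "\r\n".join(f"{suffix}:{count}" for suffix, count in rows)


def pwned_count(password: str, lookup=range_lookup) -> int:
    """Return how often the password appears in the corpus (0 if never seen).

    Only the 5-character hash prefix is handed to `lookup`; the 35-character
    suffix is matched locally, which is the k-anonymity property of the API.
    """
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate and candidate.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate)
        verdict = f"seen {n} times, reject" if n else "not in corpus"
        print(f"{candidate!r}: {verdict}")
```

To use the live service, replace `range_lookup` with a function that performs the HTTP GET for the prefix and returns the response body; nothing else changes. A count of zero only means the password has not been seen in a known breach, not that it is strong, so the check belongs alongside a length requirement rather than in place of one.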
With so many weak links in that chain, it is definitely time to move on from relying on usernames and passwords alone. Speaking with TechHQ on the topic of how passwords are becoming useless, Brian Alletto, Director of Technology at West Monroe, a global digital services consultancy firm, recommends that enterprises prioritize three steps in particular to improve data security.
Top 3 steps to improve data security
Top of the list is enabling multifactor authentication, for example by using apps such as Microsoft Authenticator and others (see the list of authenticator apps below). Multifactor authentication defends against compromised credentials by asking the user for a second proof in addition to the password, typically something they have: in the case of an authenticator app, a one-time code computed from a secret shared with the service at enrolment and the current time, so a stolen password alone is not enough to log in.
Authenticator apps have several advantages: they don't require users to share their phone number, and they avoid SMS, a channel that bad actors can hijack through SIM-swap attacks or intercept in transit. Service providers may wish to avoid text messages for other reasons too. Twitter's recent announcement ending SMS-based MFA as a free service serves as a warning to developers about the cost of SMS pumping fraud.
List of authenticator apps for enterprises:
- 1Password
- Authy (Twilio)
- Duo Mobile
- LastPass Authenticator
- Microsoft Authenticator
- NordPass
- Yubico Authenticator
- Zoho OneAuth
Biometrics can also serve as a factor for authentication; they have proven convenient for users and are now widely adopted on mobile devices. They do have technical wrinkles, in that biometrics aren't secrets: fingerprints can be lifted from surfaces or even photographed and reconstructed, and unlike a password a compromised fingerprint cannot be changed. Developers are making progress in adding liveness detection to their systems to combat spoofing, and the safest deployments keep the biometric template on the device, using it to unlock a locally stored credential rather than sending it to the service.
In fact, there are many signals that can be harnessed to validate users and grant them access to company systems. Smartphones are bristling with sensors, including accelerometers, GPS chips, and microphones. “All of these can be harnessed to bring an additional layer to judging authenticity,” Alletto told TechHQ.
Access control systems can incorporate a user's location, their typing cadence as information is keyed in, and voiceprint identifiers. Voice data can be combined with hardware characteristics such as the user's smartphone microphone and the way the signal is being compressed. Pindrop, a developer of voice-based security and identity solutions, has shown how voiceprints can dramatically outperform traditional knowledge-based authentication in driving down fraud rates, with banking and finance among the sectors benefiting from the approach.
More broadly, telemetry can serve enterprises well in applying zero-trust principles to improve data security, and West Monroe's Alletto encourages firms to make sure they are using telemetry insights when configuring security systems. For example, telemetry can flag when users are requesting access from locations that don't match their typical behavior, or from unfamiliar hardware, and the access policy can respond by stepping up authentication or denying the request.
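The kind of telemetry check described above is easy to prototype against sign-in logs before buying a product, and doing so shows what a baseline actually has to contain. The following is an added example, not code from West Monroe or from this article: it builds a per-user baseline from a handful of constructed sign-in events (the users, locations and device identifiers are made up), then scores a new event on unfamiliar country, unfamiliar device and impossible travel, and maps the score to allow, step-up or deny. The 900 km/h travel limit and the score thresholds are assumed policy values.

```python
import math
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sign-in events (not real telemetry), in the shape an identity
# provider typically exports: who, when, from where, on which device.
CONSTRUCTED_EVENTS = [
    {"user": "alice", "ts": "2024-03-01T08:02:00Z", "country": "GB", "lat": 51.50, "lon": -0.12, "device": "dev-a1"},
    {"user": "alice", "ts": "2024-03-02T08:10:00Z", "country": "GB", "lat": 51.50, "lon": -0.12, "device": "dev-a1"},
    {"user": "alice", "ts": "2024-03-03T08:05:00Z", "country": "GB", "lat": 51.50, "lon": -0.12, "device": "dev-a1"},
    {"user": "bob",   "ts": "2024-03-01T09:00:00Z", "country": "US", "lat": 40.70, "lon": -74.00, "device": "dev-b7"},
    {"user": "bob",   "ts": "2024-03-02T09:30:00Z", "country": "US", "lat": 40.70, "lon": -74.00, "device": "dev-b7"},
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance, used to test whether a move was physically possible."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def build_baseline(events: list) -> dict:
    """Per-user view of 'normal': countries and devices seen so far, plus the latest event."""
    baseline = defaultdict(lambda: {"countries": set(), "devices": set(), "last": None})
    for e in sorted(events, key=lambda e: e["ts"]):
        b = baseline[e["user"]]
        b["countries"].add(e["country"])
        b["devices"].add(e["device"])
        b["last"] = e
    return dict(baseline)


def assess(event: dict, baseline: dict, max_kmh: float = 900.0):
    """Score one sign-in against the baseline; returns (risk, reasons).

    A user with no history gets the highest score: there is nothing to compare against.
    """
    b = baseline.get(event["user"])
    if b is None:
        return 3, ["no baseline for user"]
    reasons = []
    if event["country"] not in b["countries"]:
        reasons.append("unfamiliar country")
    if event["device"] not in b["devices"]:
        reasons.append("unfamiliar device")
    last = b["last"]
    hours = (parse_ts(event["ts"]) - parse_ts(last["ts"])).total_seconds() / 3600
    km = haversine_km(last["lat"], last["lon"], event["lat"], event["lon"])
    if hours > 0 and km / hours > max_kmh:  # assumed ceiling, roughly airliner speed
        reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    return len(reasons), reasons


def decide(risk: int) -> str:
    """Assumed policy: 0 allow, 1 ask for another factor, 2 or more deny."""
    if risk == 0:
        return "allow"
    if risk == 1:
        return "step-up"
    return "deny"


if __name__ == "__main__":
    base = build_baseline(CONSTRUCTED_EVENTS)
    probe = {"user": "alice", "ts": "2024-03-03T09:00:00Z", "country": "RU",
             "lat": 55.75, "lon": 37.60, "device": "dev-a1"}
    risk, why = assess(probe, base)
    print(decide(risk), why)
```

In production the baseline would be rebuilt continuously from the identity provider's sign-in log and the device identifier would come from a managed-device attestation rather than a user-agent string; the scoring logic stays the same.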
Legacy services gap
Many system providers will be able to offer such features straight out of the box, but security teams can still run into issues. “The big gap will be supporting legacy services that enterprises still use,” Alletto points out.
Here, organizations will need to carefully apply multiple layers of control and defense to protect network communications, including segmentation strategies to mediate data exchange. And the challenge will be acknowledging human factors. “Increased complexity just frustrates users,” adds Alletto.
A third area for IT security teams to consider, alongside the widespread use of multifactor authentication and the benefits of telemetry, is to look closely at the access that users and service principals have to business systems. Roles change over time within organizations, and permissions granted for a previous role tend to linger; service accounts accumulate rights in the same way. Periodically comparing what each identity is entitled to with what it has actually used, and expunging the unused permissions, improves data security by shrinking what an attacker gains from any one compromised account.
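The access review described above boils down to joining two data sets: what each identity has been granted, and what it has actually exercised. The example below is added for this article and is not code from West Monroe or any IAM product; it takes a constructed permissions export and a constructed audit-log extract (the principals, permission names and timestamps are hypothetical), classifies every grant as active, stale or never used, and produces the revocation list a reviewer would act on. The 90-day staleness threshold is an assumed policy value.

```python
from datetime import datetime, timedelta, timezone

# Constructed IAM export and audit-log extract (hypothetical principals and
# permission names), standing in for what a cloud IAM or directory would produce.
CONSTRUCTED_GRANTS = [
    {"principal": "alice",   "kind": "user",    "permission": "finance:reports:read"},
    {"principal": "alice",   "kind": "user",    "permission": "hr:records:write"},   # left over from a previous role
    {"principal": "svc-etl", "kind": "service", "permission": "db:orders:read"},
    {"principal": "svc-etl", "kind": "service", "permission": "db:orders:delete"},
]
CONSTRUCTED_USAGE = [
    {"principal": "alice",   "permission": "finance:reports:read", "ts": "2024-03-01T10:00:00Z"},
    {"principal": "alice",   "permission": "hr:records:write",     "ts": "2023-09-15T10:00:00Z"},
    {"principal": "svc-etl", "permission": "db:orders:read",       "ts": "2024-03-02T02:00:00Z"},
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_use_index(usage: list) -> dict:
    """Latest timestamp at which each (principal, permission) pair was exercised."""
    idx: dict = {}
    for u in usage:
        key = (u["principal"], u["permission"])
        t = parse_ts(u["ts"])
        if key not in idx or t > idx[key]:
            idx[key] = t
    return idx


def review(grants: list, usage: list, now: datetime, stale_after_days: int = 90) -> list:
    """Classify every grant as 'active', 'stale' (unused for the threshold) or 'never_used'.

    Service principals are reviewed exactly like users; they are the grants
    most often forgotten because nobody changes role on their behalf.
    """
    cutoff = now - timedelta(days=stale_after_days)  # assumed policy threshold
    seen = last_use_index(usage)
    findings = []
    for g in grants:
        last = seen.get((g["principal"], g["permission"]))
        if last is None:
            status = "never_used"
        elif last < cutoff:
            status = "stale"
        else:
            status = "active"
        findings.append({**g, "status": status, "last_used": last})
    return findings


def revocation_candidates(findings: list) -> list:
    """Everything that is not demonstrably in use goes to the owner for confirmation or removal."""
    return [f for f in findings if f["status"] != "active"]


if __name__ == "__main__":
    now = datetime(2024, 3, 5, tzinfo=timezone.utc)
    for f in revocation_candidates(review(CONSTRUCTED_GRANTS, CONSTRUCTED_USAGE, now)):
        print(f"{f['kind']:7} {f['principal']:8} {f['permission']:22} {f['status']} (last used: {f['last_used']})")
```

Emergency or break-glass permissions will legitimately show up as never used, so the output is a list for the permission owner to confirm, not an automatic delete; a separate allow-list for such grants keeps them out of the report.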