The Importance of Securing Passwords In 2023
By Budiman Tsjin, Solutions Engineering Director, ASEAN, CyberArk
Despite the fact that attackers are increasingly targeting badly managed passwords for their campaigns, password management is often neglected. Most organisations fail to utilise enterprise-grade protection to safeguard themselves, preferring to rely on traditional and outdated password management tools that can lead to ‘password fatigue’.
Many of the apps used in the workplace do not leverage modern identity protocols. Even though most modern apps integrate with single sign-on solutions to sidestep password management woes, some apps still require a stand-alone username and password.
Adding to the challenge is the fact that any user can become privileged in the right circumstances, depending on the resources they have gained access to, leaving companies vulnerable and at constant risk of security breaches. Employees now have a shocking amount of access to sensitive resources. Cybercriminals have been increasing their focus on exploiting lax practices to breach organisations’ networks and seek ways to expand their access. Considering that the average employee has around 100 passwords, that’s a lot of opportunity.
Four of the common pitfalls when it comes to passwords are:
- Easy to guess and not in keeping with password strength requirements;
- Reused across corporate apps, personal apps and social media;
- Stored unsafely in spreadsheets, sticky notes and web browsers; and
- Passed from one user to another through email, messaging apps and more.
These issues can be addressed by managing workforce passwords and securing them properly through password complexity requirements. Recognise that all workforce users’ passwords should be protected with the same security-first approach that organisations apply to privileged users’ credentials.
Overall, when frequently used business applications are accessed outside of an enterprise’s security controls, organisations cannot track access activity, control password complexity or revoke access to applications when it is no longer needed. As such, it is important to restrict application access to an SSO portal, which provides the necessary visibility and security controls.
There are five steps that any security team looking to improve how it safeguards workforce credentials should explore. Together they comprise a holistic, risk-based approach to Identity Security that helps companies apply privilege controls across the board – underscoring the fact that the increased complexity of cyber attacks calls for stronger controls on sharing and transferring passwords.
- Intelligent Authentication: The first step is to blend intelligent authentication with an enhanced user experience. This calls for an adaptive form of MFA that can adjust the difficulty of authentication challenges based on real-time insights into user behaviour.
- Security-first storage: This step involves looking for ways to introduce vault-based storage for workforce credentials, with the flexibility to devise how accounts and credentials are stored, managed and retrieved. For example, an enterprise-grade tool could provide a security admin with options to automatically store new credentials in self-hosted vaults and allow users to retrieve them without connecting to a VPN first.
- Safe credentials management and sharing: This step enables users to securely share credentials without revealing passwords, and also grants the ability to: protect privacy by controlling who can share, view and edit credentials; impose time limits on user access to specific apps; and manage the transfer of credential ownership to new users.
- End-to-end visibility: This step requires security controls to continue past the point of authentication. Here, enterprises should employ an extra layer of protection that allows them to monitor and record all actions once a user is logged in – backed up by a full audit trail.
- Frictionless and secure user experience: This step requires enterprises to manage and secure workforce passwords that can: integrate easily with corporate directories and third-party identity providers; recognise when users are entering credentials and offer to save them in a secure, vault-based location; securely auto-fill credential fields for a smooth and quick log-in experience; and generate unique and strong passwords for users whenever needed.