By Steve Brasen
It seems extraordinary that in this age, when enterprises are hypersensitive about security, passwords are still most commonly employed as the sole method of establishing a user’s identity. The practice dates back to the early days of computing when a simple environment, such as a self-contained mainframe, employed logins and passwords as a low-friction method of granting users access to their accounts. Of course, this was long before the internet and wireless communications enabled multiple pathways of potential security breaches. Today’s more dynamic environments require increasingly robust and reliable forms of identity management.
The mobile revolution began more than a decade ago and resulted in broad access to business applications, data, and services from any device, at any location, at any time. The same timeframe also saw the accelerated adoption of cloud services to support business operations. Today, sensitive business IT resources are distributed across internal and external storage environments, cloud services, web applications, virtual environments, and software as a service (SaaS) platforms, and all of these are accessed by devices that operate outside the confines of local business networks. Most organizations had to implement these radical departures from traditional IT management practices with little time to architect more robust security practices, leaving them reliant on antiquated password solutions that expose the business to extreme risks.
Passwords rely on fallible human beings as the sole arbiters of enterprise security. Most people are simply not effective at performing proper password management practices. To keep passwords easy to remember, users often choose weak ones, and the same password is typically reused for many—if not all—accounts. Additionally, passwords are rarely changed and are sometimes written down or shared with colleagues. Of even greater concern today is the fact that phishing and ransomware techniques have become so refined that they can convince almost anyone to voluntarily hand over or expose critical passwords. While it has become commonplace to hold users accountable for their password practices, it is not their fault that password-breaking tools and techniques have far surpassed their management capabilities. Human brains are simply not designed to be complex encryption services, and organizations should not rely on users to maintain enterprise security protocols.
The time users spend maintaining, updating, and resetting passwords can have a profound effect on job performance. In fact, recent EMA primary research, Orchestrating Digital Workspaces, indicated that password management was the most impactful challenge to end-user productivity. Any time a worker is distracted from accessing business resources to perform a password management task, it takes, on average, 10 to 20 minutes for them to refocus on the task they needed to perform in the first place.
Single sign-on (SSO) greatly reduces the impacts and risks of an overreliance on passwords for access management by substantially reducing the effort users must expend to access business resources. However, this should only be considered a first step in enabling robust identity and access management that ensures the security of an organization’s most critical data and IT services. EMA favors the use of multifactor authentication that employs a number of methods for confirming a user’s identity, including device authentication, user behavior detection, and biometrics. The more layers of identity protection that are dynamically applied to the authentication process, the more challenging it will be for malicious attackers to exploit imperfections.
Access and identity management is a critical concern for enterprises. Security risks are real and SSO strategies can help reduce the reliance on passwords.
November 2017, Software Magazine