Life for IT leaders increasingly grows more complicated managing end-users and accessing applications that live in multiple places (on-premises, hosted, or that reside in the cloud) is equally complex. There are distinct advantages for mobile workforces to mobilize data, including cost advantages, vendor choice, and data accessibility. Being able to access data from anywhere, anytime, and from any device is a necessity in today’s business. Now more than ever, we can work with greater flexibility and share information more freely with granular accessibility controls.
Superior interconnectivity has its benefits, but as the old adage says “with reward comes risk”. In fact, according to a poll taken by Intel Security®, the average user today has 27 distinct usernames and passwords. It’s likely that in most cases, these passwords are not all discrete in practice and most of us are guilty of using the same password across multiple services. This common mistake further weakens an organization’s security posture across the threat landscape, which might look something like this:
Most data breaches involve a human element, and a significant portion of breaches involve compromised user credentials (in many cases with multiple platforms). According to the 2019 Verizon Data Breach Report, over 50% of data breaches involved hacking into a database, 18% involved stolen credentials, and 12% involved a backdoor entry.
Furthermore, an investigation of 1,800 data breaches concluded that 90% of the hacks involved human error with mail and desktops. See below:
|Action||Asset||Count||Credentials Exposed as a %|
|Hacking – Using Stolen Credentials||Server – Mail||340||18%|
|Social – Phishing||Server – Mail||270|| |
|Social – Phishing||User – Dev Desktop||251|| |
|Malware – Backdoor||User – Dev Desktop||229||12%|
|Malware – C2|| User – Dev Desktop||210||11%|
|Hacking – Use of Backdoor or C2|| User – Dev Desktop||208||11%|
|Malware – Slyware/ Keylogger|| User – Dev Desktop||103|| |
|Malware – Adminware|| User – Dev Desktop||91|| |
|Misuse – Privilege Abuse||Server – Database||90||5%|
|Malware – Capture App Data ||Server – Web Application ||83|| |
| || || ||57%|
Source: Verizon 2019 Data Breach Report
What is the solution?
Password enforcement alone is not enough. Bad actors will use a number of methods to hack passwords. Here some examples:
|Credential Stuffing||Also referred to as “list cleaning”; a means of testing databases or lists of stolen credentials |
|Phishing||Social engineering trick which attempts to trick users into supplying their credentials to what they believe is a legitimate site or vendor|
|Password Spraying||Technique that uses a commonly used password – i.e. “123456”, “password123”, “letmein”, “batman”, etc.|
|Keylogging||Record of strokes on the keyboard and can be a particularly effective means of obtaining credentials|
Preventing these attacks is almost impossible, so you need to be proactive in managing access to applications and from your devices. Managing an average of 27 logins per user becomes an administrative nightmare. This is where Identity as a Service (IDaaS) can help alleviate these challenges. The goal of IDaaS is two-fold:
- To ensure users authenticating are who they say they are
- To grant users access to applications, files, and resources through a single and secure set of credentials
All of this can be neatly encapsulated into IDaaS. Let’s examine some of the core components of this service.
Multi-factor authentication (MFA) includes devices, biometrics, personal information, QR codes, one-time password, SMS, and other popular ways that validate a person’s identity. Typically, two or more methods of identification are required to be considered 2-factor authentication. These methods involve:
- Something you know (such as a password)
- Something you have (such as a smart card)
- Something you are (such as a fingerprint or other biometric method)
MFA secures sensitive information and fully safeguards devices via token-based protection. However, MFA requires expertise to configure and manage. Set up can be time-consuming and costly if solutions are inconsistent across an organization.
Single Sign On (SSO) is the ability to allow a user to use one set of credentials (a username and a password) to access multiple applications. SSO allows the user to manage fewer passwords, lowers the chance of phishing attacks, and reduces the number of password-related IT calls. SSO is based on a growing number of open standards including SAML, OAuth, and LDAP. Since SSO can easily grant users access to multiple systems with one set of credentials, SSO should always be used in conjunction with MFA and never used as a standalone solution. Similarly, if a user loses the main credential for SSO, then the user is simultaneously locked out of all systems that are linked via SSO.
In summary, a good IDaaS solution focuses on user experience and provides seamless and secure access to applications and data. IDaaS provides support and management services to maintain identity management and ensures it’s highly available and functioning properly.
Interested in learning more about our managed cloud solutions? Check them out here: https://rapidscale.net/services
To discuss further, contact us today.