It is a classic case of poacher turned gamekeeper. In his previous guise Jonathan Bennun was a hacker, now he is fighting against cyberattack as product strategy manager at access management provider OneLogin.
When he was attempting to breach systems, he found vulnerabilities like easy-to-guess passwords made his work much easier. “If that attack vector didn’t pan out, I could usually get around the authentication flow, or gain basic privileges and escalate them for admin access. We must accept that these vulnerabilities – imperfect authentication and passwords – are not going away anytime soon, and businesses must take steps to strengthen their security posture.”
A key challenge in eliminating passwords is that too many software as a service (SaaS) providers still don’t offer token-based sign-in such as with security assertion mark-up language (SAML) or authentication layers such as OpenID Connect. On top of that, many enterprises still have dozens – if not hundreds – of legacy applications that require passwords. “It will take some enterprises a long while to migrate off these legacy apps which use application-specific passwords, and do not support requirements such as password complexity or password expiration,” Bennun adds. “In addition, passwords make for only a small part of a strong security posture. Security is only as strong as its weakest link, and on some systems, passwords may be a good attack vector. Real-world attackers are more likely to use alternate attack vectors to get around passwords. Three of the most common are application vulnerabilities, spear-phishing and social engineering.”
Bennun explains that being a true password champion means applying password best practices while having a modern approach to access management that is more holistic than a password management tool or a password education campaign.
To explain what businesses are doing wrong and how they can fix it, Bennun uses the classic security triangle: people, process, and technology. “When it comes to people, enterprises invest in education like training for compliance reasons, but often overlook enabling people with self-service for password reset and self-registration of multi-factor authentication (MFA),” he explains. “In addition, companies combat shadow IT, but don’t offer an alternative such as faster onboarding of business apps. For example, your employees need to use LinkedIn and Twitter for business, so provide them with a safe way to manage passwords for those personal apps.”
When it comes to process, it is important to think marathon, not sprint. “Some SaaS providers still don’t offer token-based sign-in such as SAML-enabled login,” he says “Enterprises need to gradually consolidate passwords, ideally to a single set of corporate credentials for apps, networks, and devices. Similarly, access management should be unified and holistic across the entire organisation with user information and privileges.”
The final piece of the puzzle is technology. Password best practices are not hard to follow and apply, and they are an important part of any security practice. “Having said that, don’t stop there, and don’t look for a silver bullet,” Bennun concludes. “Look for a platform, not a tool, for the wide variety of use cases and for supporting complete authentication and access management scenarios across the enterprise. For example, a single platform can make it much easier to provide password reset self-service to your entire user base.”
In summary, being a true password champion goes well beyond password best practices. Enterprises that fail to deploy today’s front-line access management solutions across their organisation – enabling people, planning for a continuous effort, and seeking a full platform solution – are at serious risk and will lose out.