Time to Fix What’s Broken
Zero Trust Security & Identity and Access Management need to be updated for the modern workplace.
The days of Castle-and-Moat security for the organization – where everything was considered secure inside corporate perimeter walls – are over. Today, users are seldom in one place, so security must consider every identity – wherever they are.
Zero Trust Security requires that every request for access to company resources be authenticated and authorized, regardless of where the user or device sits on the network. It limits the damage a single compromised credential can do, at a time when the cost of a data breach averages over $3 million per incident worldwide. It’s no wonder organizations want to adopt a Zero Trust model.
But where to start?
In a recent talk, Dr. Chase Cunningham got it right when he said that IAM (Identity and Access Management) should be the first thing addressed for Zero Trust Security.
“Because IAM is the gear around which Zero Trust revolves,” said Cunningham. “You can have the best firewall on the planet. The moment an administrator logs into it, that firewall is a screen door with a bunch of holes in it. Stuff goes back and forth. It shovels electrons. If you cannot take care of identity and access management – at speed and at scale across infrastructure in a globally dispersed environment – you will never achieve a better state of security. Period. Point blank. End of story.”
But what does that mean?
Simply put, identity and access management (IAM) is the company gatekeeper. It establishes who users are (authentication), and whether they are permitted access and what privileges they have been granted (authorization). Within a given organization, IAM may be a single product, or a combination of processes, software, cloud services, and hardware that gives admins control of how data is accessed.
We’ve discussed the importance of eliminating phishable factors from the authentication process. Basically, that includes anything that must be remembered or typed in, or that can be shared: a user who can be persuaded to type a secret into a look-alike page can be persuaded to type it into an attacker’s page. Compromised passwords are the most common phishable factor behind successful cyberattacks.
As a passwordless multi-factor authentication (MFA) and IAM solution provider, we have seen slow adoption of modern technology to replace legacy IAM solutions based on usernames and passwords, despite the urgent need for change.
One of the issues we have encountered is that many policies that were created to enhance security are now a hindrance to addressing the current level of cyber-attacks.
In a recent example, TraitWare was working with a legal firm that had a major bank as a customer. The bank had set password policies such as length, character requirements, and reset intervals. These requirements were included in the firm’s contract with the bank and then incorporated into the legal firm’s corporate policies. Using our technology, passwords can be eliminated from the time of account creation, making any password policy obsolete. The legal firm asked TraitWare to help the bank update its policies to reflect the latest innovations in secure authentication. Although we contacted an individual at the bank who we thought might be able to help, he had not been brought up to speed on the needed change.
The reluctance of organizations to shift to modern IAM approaches not only means continued reliance on more cumbersome legacy systems; it also carries a far greater risk of attack, and the potential for enormous cost, with devastating effects on organizations and individuals alike.
As enterprises increasingly rely on their employees’ access from mobile endpoints to be productive, the phishing ground for attackers has widened. Recent attacks such as the Okta breach earlier this year also illustrate the trouble with relying on the human to spot social engineering and phishing. It’s critical for businesses to acknowledge the exposure of these attack surfaces and modernize with simpler, more secure solutions that remove the burden of password-based login from the employee.
The time for change is Now.
We hope that those with the right contacts, or who sit on cybersecurity and SOC 2 policy boards and committees, will look closely at the policies of businesses, organizations … and government. Ask whether the procedures and policies in place today for cybersecurity are still valid and effective, or whether they are a hindrance to moving forward with new methods and technology that improve cybersecurity and simplify processes.
We recommend the following IAM policies to help your business, organization, and government move forward to reduce your cyber risk AND make life easier for all users:
- Right from the time of account creation, eliminate all shareable secrets, passwords, PINs, and push codes … anything that is phishable from a user. Note that one-time codes delivered by SMS, email or an authenticator app are still phishable: a real-time phishing proxy can relay a code within its validity window, and push approvals can be worn down by repeated prompts.
- Require multi-factor authentication (MFA) 100% of the time for 100% of your users.
- Require the use of MFA that reduces friction for the user – NOT adds it.
- Use biometric authentication where the user controls access to the authentication process at all times: the biometric match should happen on the user’s own device, so that the biometric template is never transmitted to or stored by a central service.
- Create policies that determine when it is necessary to know the actual identity of the user and when an anonymous identity is acceptable, followed by procedures to identity-proof users and register them to an identity device when needed.
A shift to modern Zero Trust IAM may appear difficult, expensive, or time-consuming. But it doesn’t have to be any of those things. Solutions like TraitWare – where MFA is built in – will simplify the process, and save on costs. TraitWare can even help with Shadow SaaS discovery – determining which apps are being used by whom and whether they are protected. …
In any case, the first step is to explore what options are out there.
We’d like to help.
Please get in touch with any questions or to request a personalized demo. See it in action. No commitment required.