On Wednesday we discussed passwords and their contribution to the people security problem. At the end of the post, I asked what we could change to take weak passwords out of the equation. If having passwords is a requirement to doing business, what things could we add to the mix that might be able to reduce the risk of using them?
- Strong Authentication. Obviously, adding an additional factor of authentication can go a long way to improve the risk scores associated with data access. Positives include a significant number of solutions with a few leading their respective packs. Disadvantages can include cost to deploy and manage as well as poor integration with every technology you may use.
- Risk-based Authentication. Keep passwords but tie the authentication process to other available data points that can help the system understand the inherent risk in that specific transaction. Is the user supposed to be in the office in New York City, but instead is attempting to authenticate from a coffee shop in Dallas? Let’s up the risk score and figure out what to do next.
- Out of Band Authentication. Many large financials now do something like this whereby a code is emailed or SMSed to a device for entry. In some cases, these may be useful, but they should not be construed with strong authentication.
- Cryptography. Using PKI, certificates, or other cryptographic keys can add an element of security that can potentially be transparent to the user. These can be defeated depending on how they are tied to the systems in which they operate. For example, a certificate with no password that is tied to a particular computer and exportable could be used maliciously.
- Change your Data Flows. How does data move inside your environment? How do your users consume it? Could you change your business to allow people to access certain parts of the data/infrastructure with a password, and other parts with strong authentication? This could help with the cost issue above, and would certainly serve to reduce risk if the exposure surface is reduced.
Just like the concept of designing security controls with the assumption that your network is already compromised, look at the password problem from a “how do we reduce the risk of using them” perspective. Not only will you will find innovative ways to support your users, but you can be a good steward of your company’s finances and reduce the overall information security risk as well.
Possibly Related Posts:
- Selective Domain Filtering with Postfix and a SPAM Filtering Service
- Preventing Account Takeover, Enable MFA!
- Proofpoint Patches URL Sandbox Bypass Bug
- Improve Outbound Email with SPF, DKIM, and DMARC
- Life after G-Suite/Postini