March 08, 2018
Effective Authentication Is a Human Problem, Not Just a Technology Problem
Passwords remain a challenge because IT teams have no easy solutions to replace them.
The intense interest in cybersecurity among IT professionals reflects its growing importance to just about every organization in every industry. I talked with many people who attended the CDW SummIT on Managing Risk in Las Vegas last month, and I was really impressed with the number of attendees and their level of engagement.
One of the most common concerns I heard from customers involved passwords. Brian Krebs, a security expert and author who delivered a keynote address at the SummIT, posed a pointed question: “It’s 2018, why are we still using passwords?” But attendees were frustrated. “Stop telling me what is wrong, and start telling me what to do,” one CDW customer told me during a chat between sessions.
Solving the Password Problem
There aren’t any simple answers. Passwords have been in use for decades because access to systems needs to be restricted to authorized users, and relying on something the user knows has been an effective way to keep out intruders. But for many reasons, passwords are no longer very effective, and they pose a lot of problems for users and organizations. They’re often easy to guess. They can be stolen. They’re hard for users to remember, especially when the users have multiple passwords for multiple systems.
In many ways, this isn’t a technology problem; it’s a human problem. Many of the challenges associated with passwords can be attributed to human nature. Some of these challenges can be addressed with policy changes:
- Prohibit users from reusing passwords. This prevents one stolen password from giving an attacker access to multiple systems.
- Select better passwords. Requiring users to employ passphrases that cannot be easily guessed increases the difficulty that attackers have in breaking into systems.
- Audit adherence to password policies. Finding out which users may not be following password policies can help IT teams shore up these weaknesses in enterprise defenses.
Technology solutions can also help organizations deal with the challenges that passwords present. Multifactor authentication, which relies on additional factors such as biometric identifiers or security tokens to confirm a user’s identify, can shore up the weaknesses of passwords. Organizations can also use password managers to reduce the burden on users who are required to have multiple passwords to access multiple systems.
No Magic Bullet
Another observation I made at the summit was that vendors keep coming out with new security products with powerful features. Obviously, greater security capabilities benefit the organizations that deploy them, but there can be a hidden danger. Some organizations think that the latest tool — with its amazing features — is all they need to secure their IT environment. They can get rid of all the other solutions they’ve deployed.
This is a dangerous line of thinking that chips away at one of the core tenets of information security: defense in depth. Having a single solution to protect your IT environment may sound great, but it also represents a single point of failure. Having a number of tools that can protect your organization in a variety of ways is a much better approach. It’s a great idea to implement a new solution that delivers innovative defense capabilities, such as machine learning or artificial intelligence. But these tools should be a part of your overall security strategy — not a replacement for that strategy. They should strengthen the whole security environment.
Further, IT leaders need to understand how a new solution will protect their valuable systems and data. There is absolutely good stuff from these vendors, but it has to fit in with a security strategy that’s tailored to your organization.
This blog post brought to you by: