In Managing Security in the Age of Zero Trust, NetCraftsmen introduced Zero Trust as a data-centric approach to security, but it’s much more than that. Who you are, where you are, and the type of device you use can be critical in evaluating the risk of a user having read or write access to your firm’s data. Taking a data-centric approach leads to different thinking about identity, locality, and privilege levels, but change is often met with resistance.
We can start by examining the difference in thinking with respect to logging in to an Enterprise’s IT systems and password use, which is where the resistance often starts.
Why the resistance?
In the Identity and Access Management (IAM) space, we started with simple passwords, moved to complex passwords, frequent password rotation, Privileged Access Management (PAM), Two Factor Authentication (2FA), and more recently to Multi-Factor Authentication (MFA).
While we moved to complex passwords and frequent rotation to improve security, human nature has shown that most people reuse some variation of one password across multiple systems. The result is that complex passwords are often difficult for people to remember, yet studies have shown that they are surprisingly easy for computers to guess.
To fight this issue, the U.S. National Institute of Standards and Technology (NIST) upgraded its recommendations in 2017 to use a grouping of random words in conjunction with MFA. This technique has proven to create passwords that are very difficult for computers to guess and can be very secure when used in conjunction with MFA. Unfortunately, many firms are still using outdated guidelines that require passwords with upper- and lower-case characters, numbers, and special symbols – the very practice that led to password re-use, making such passwords easy targets for cyber-attack.
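To make the "hard for humans, easy for computers" point concrete, here is an added illustration (not from the original post or from NetCraftsmen) that compares the guessing space of a random multi-word passphrase against a composition-rule password, and applies a NIST SP 800-63B style check (minimum length plus a blocklist, no composition rules). The word list, blocklist, and the parameter values of the "Word22!" pattern estimate are constructed assumptions.

```python
import math
import secrets

# Constructed sample word list standing in for a diceware-style list (real ones have ~7776 words).
WORDLIST = ["anchor", "basil", "candle", "dune", "ember", "falcon", "glacier", "harbor",
            "ivory", "juniper", "kettle", "lantern", "meadow", "nickel", "orbit", "pepper"]

# Constructed stand-in for a breached/commonly-used password list; NIST SP 800-63B calls
# for screening against such lists instead of imposing composition rules.
BLOCKLIST = {"password", "password1", "qwerty123", "summer22!", "letmein"}

def passphrase_entropy_bits(num_words, wordlist_size=7776):
    """Search space of a passphrase built from uniformly random words."""
    return num_words * math.log2(wordlist_size)

def uniform_entropy_bits(length, alphabet_size=94):
    """Upper bound for a length-n password over the 94 printable ASCII characters,
    valid only if every character were chosen uniformly at random (humans do not)."""
    return length * math.log2(alphabet_size)

def patterned_entropy_bits(dictionary_words=10_000, digit_suffixes=100, symbols=10):
    """Illustrative estimate for the 'Word + two digits + symbol' pattern that
    composition rules tend to produce; the parameter values are assumptions."""
    return math.log2(dictionary_words * digit_suffixes * symbols)

def generate_passphrase(num_words=4, wordlist=WORDLIST):
    """Pick words with the secrets module (CSPRNG), never random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))

def nist_style_check(password, blocklist=BLOCKLIST):
    """Return the reasons a password fails a NIST SP 800-63B style policy:
    minimum length and a blocklist check, with no composition or rotation rules."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if password.lower() in blocklist:
        problems.append("found in compromised/common password list")
    return problems

if __name__ == "__main__":
    print(f"4 random words (7776-word list): {passphrase_entropy_bits(4):.1f} bits")
    print(f"8 chars, uniformly random printable ASCII: {uniform_entropy_bits(8):.1f} bits")
    print(f"'Word22!' style pattern (estimate): {patterned_entropy_bits():.1f} bits")
    print(generate_passphrase(), nist_style_check("Summer22!"))
```

The takeaway is that a four-word passphrase lands close to the theoretical maximum of an eight-character "complex" password, while the patterns people actually produce under composition rules fall far below both.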
To the typical user, all of this is a significant hassle that leads to poor practices. IT inadvertently sends the message that improved security equals more friction.
A Path Forward
A typical iPhone or Android device can be set up to use biometrics (such as facial recognition or fingerprints). To avoid the pitfalls of SMS-based codes (phone numbers can be cloned or stolen), several applications support MFA on mobile devices, including Microsoft Authenticator, Cisco DUO, Google Authenticator, Okta, and others. This type of technology is a significant step on the path toward Single Sign-On (SSO) with MFA.
As NetCraftsmen started its own journey to Zero Trust, we emphasized SSO with MFA and de-emphasized password complexity and rotation. Today we have all our application access front-ended by this type of technology. This means user access is through an application that has been validated with biometric signatures on an enrolled device.
Carrots and sticks
Today CISOs are issuing edicts on passwords, MFA, PAM, and SSO. This is essentially the ‘stick’ approach. In the name of security, such edicts add friction for users who simply want to access data and get their work done. This makes the security team the bad guys who are always adding to the employee workload.
So, what can your organization do to get user buy-in to improve the situation? What would be a ‘carrot’ to attract people to the necessary changes?
At NetCraftsmen, our carrot was our Okta MyApps page (where all the applications that a user needed were documented and available). This gave users SSO for all their work applications, simplifying their access. In addition, adding or requesting a new app is a simple click away.
If that isn’t enough of a carrot, what about taking a page from Microsoft and removing passwords altogether?
Microsoft has been making a long-standing push in the information security business for improving passwords and has elevated the discussion with a very vocal and public call for getting rid of them altogether. In pursuit of this goal, they have already relaxed long-standing internal standards on changing passwords and enabled password-less access on several of their products.
The internal Microsoft conversation moved from the complexities of implementing SSO with MFA to a very popular discussion on removing passwords. This method has also turned out to be very popular with client CISOs.
Even with all the pressures to increase security efficacy and the recent Presidential Executive Directives on Zero Trust, enterprises are still struggling to get to SSO and deploy MFA. Achieving SSO and removing the friction associated with passwords has proven a much more enticing goal for getting buy-in from users and application managers.
Does this mean you have to remove passwords?
Not at all, but it does remove onerous requirements for complex passwords and frequent rotation. Removing passwords or following NIST guidelines for passwords (that are easy to remember and hard for computers to guess) is now a choice once SSO and MFA are fully deployed.
However, many CISOs are still getting push-back to changes required for SSO/MFA. Dropping passwords may be the necessary carrot to attract folks to accept MFA.
As previously mentioned in our blogs, Zero Trust is a journey and it involves an ‘All of Enterprise’ approach to security. As a result, a lot of enterprises struggle with knowing where and how to start the process. Security teams working in isolation probably won’t succeed.
We recommend starting at the beginning: access to your data begins with a user logging into your systems. Simplifying that process with SSO and MFA is a great place to begin your Zero Trust journey.