Password Management

Firms suffer an identity crisis via compromised credentials

The following is a contributed article by Andy Heather, VP and General Manager EMEA at Centrify


Two-thirds of organisations experienced an average of five or more security breaches in the past two years, and hackers compromised more than one billion identities in 2016 – that’s 2.74 million identities a day, according to a recent Forrester report which examines the identity and access management (IAM) maturity model.

The reason? Compromised credentials. We have reached something of a tipping point in cybersecurity when it comes to passwords, given how many each of us has to keep track of, from personal banking apps, email and social media through to the copious business uses. Best practice tells us that we should use a unique and complex password for each and every service, but unfortunately users lean toward convenient and risky password practices.

In any organisation, users can have multiple identities for various corporate resources and web applications. As the traditional network boundary changes, and companies adopt more and more cloud-based and mobile applications, it is rapidly being replaced by a new perimeter that is largely defined by users’ identities and passwords. But many companies are still relying on traditional endpoint devices and firewalls that do not protect this new way of doing business. Then there are the more than 50 billion internet of things (IoT) devices that will wipe out any remaining outdated security practices, especially the password. Combined, all of this adds up to a burgeoning organisational identity crisis.


Password perils

Nearly two-thirds (63%) of data breaches involve weak, default or stolen passwords, according to Verizon. Password fatigue has introduced many bad management practices including using simple, easily guessed passwords, writing passwords down, or, arguably worse, password re-use, which can have several repercussions in a breach scenario, as one single password could provide an attacker with access to multiple applications and sensitive data. Passwords are susceptible to compromise, and if organisations want to stand any chance of avoiding a breach due to poor password practices, they need to rethink their approach to security.

According to the Forrester report commissioned by Centrify, more mature companies (those using IAM best practices) experience 50% fewer security breaches and spend 40% less on technology, ultimately saving $5M in costs associated with cyber breaches. Unfortunately, only 17% of surveyed companies are deemed ‘mature’, suggesting that 83% are not, highlighting that there is a real need for IT leaders to focus on improving the maturity of their IAM programmes.


User privilege

Identity management involves keeping a user’s identity information consistent across the network and ensuring that each user has the right amount of access to various applications. Privileged account credentials, in particular those that belong to IT admins, are extremely valuable to phishers and hackers, as they can provide access to stores of highly sensitive IP and customer data. It is estimated that 80 per cent of security breaches involve what are known as 'privileged credentials', which typically belong to IT professionals who administer systems, databases and networks.

Privileged identity management means organisations can consolidate identities, deliver cross-platform least privilege access and control shared accounts, secure remote access and audit all privileged sessions. By implementing IAM, organisations introduce two key processes: authorisation and authentication. The authorisation process allows organisations to set and grant permissions for access as above. Limiting lateral movement across the network and enforcing a “least privilege” approach, granting users only the privileges they need, makes it harder for attackers to reach secure data.


IAM who I say IAM

The authentication process enables users to prove they are who they say they are. By eliminating multiple identities and passwords, and incorporating multi-factor authentication (MFA), organisations can prevent attackers from gaining access to critical resources. MFA can improve IAM as it adds an extra layer of security at log-in. This is usually achieved through biometrics or a one-time generated passcode.


By identifying the user, their device, location, and credentials through MFA, businesses can establish if their requests are all valid and appropriate in order to safeguard enterprise systems and data. These controls can allow businesses to detect and revoke access when inappropriate activity occurs. If an unapproved third party is accessing credit card data for example, red flags would be raised.
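The two preceding sections describe authorisation that grants only the permissions a role needs, and an access decision that also weighs the user's device, location and MFA state, then revokes access when something inappropriate happens. The following added example (this editor's own construction, not code from the article or from Centrify) puts both together: a deny-by-default role-to-permission map, contextual checks on the request, and a session monitor that raises a red flag and revokes a user who attempts to read cardholder data they are not entitled to. The role names, permission strings and country list are all constructed sample policy.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed policy: each role holds only the permissions its job needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "analyst":  {"reports:read"},
    "dba":      {"db:read", "db:write", "db:admin"},
    "payments": {"cardholder:read"},
}
PRIVILEGED_ACTIONS = {"db:admin", "db:write"}   # need a fresh MFA step-up
SENSITIVE_ACTIONS = {"cardholder:read"}          # regulated data: managed devices only
ALLOWED_COUNTRIES = {"GB", "DE", "FR"}           # where this constructed firm operates


@dataclass
class AccessRequest:
    user: str
    roles: List[str]
    action: str
    mfa_verified: bool
    device_managed: bool
    country: str


@dataclass
class Decision:
    allowed: bool
    reason: str


def entitlements(roles: List[str]) -> Set[str]:
    """Union of the permissions granted by the user's roles; unknown roles grant nothing."""
    granted: Set[str] = set()
    for role in roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def authorise(req: AccessRequest) -> Decision:
    """Least privilege first (deny by default), then contextual checks on the request."""
    if req.action not in entitlements(req.roles):
        return Decision(False, "not entitled")
    if req.country not in ALLOWED_COUNTRIES:
        return Decision(False, "unexpected location")
    if req.action in PRIVILEGED_ACTIONS and not req.mfa_verified:
        return Decision(False, "mfa required")
    if req.action in SENSITIVE_ACTIONS and not req.device_managed:
        return Decision(False, "unmanaged device")
    return Decision(True, "ok")


@dataclass
class SessionMonitor:
    """Applies decisions and revokes users who touch regulated data without entitlement."""
    revoked: Set[str] = field(default_factory=set)
    alerts: List[str] = field(default_factory=list)

    def observe(self, req: AccessRequest) -> Decision:
        if req.user in self.revoked:
            return Decision(False, "session revoked")
        decision = authorise(req)
        if not decision.allowed and req.action in SENSITIVE_ACTIONS:
            # Red flag: an attempt on cardholder data outside policy ends the session.
            self.revoked.add(req.user)
            self.alerts.append(f"{req.user} denied {req.action} ({decision.reason}); access revoked")
        return decision


if __name__ == "__main__":
    monitor = SessionMonitor()
    # Constructed sample requests: an analyst straying into cardholder data.
    print(monitor.observe(AccessRequest("alice", ["analyst"], "reports:read", True, True, "GB")))
    print(monitor.observe(AccessRequest("alice", ["analyst"], "cardholder:read", True, True, "GB")))
    print(monitor.observe(AccessRequest("alice", ["analyst"], "reports:read", True, True, "GB")))
    print(monitor.alerts)
```

Note that the entitlement check runs before the contextual checks, so a user who holds no permission for an action is refused regardless of how strong their authentication was; MFA and device posture narrow access, they never widen it.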

Combining this with single sign-on (SSO) to consolidate access across multiple systems also helps reduce identity silos and therefore improves visibility and compliance efforts. With the SSO approach, end users are relieved of having to memorise numerous complex passwords and can log into different applications using one single identity. This maximises efficiency and productivity and translates to a more secure computing environment.

The report highlights that IAM maturity generates 90% more productivity and efficiency benefits. In addition to reducing risk, more mature organisations note that their IAM technology contributes toward improving end-user productivity and increasing privileged activity transparency.

IT security decision makers must be mindful of how the security procedures and technologies they pursue affect the business. By employing IAM approaches that work with the flow of business and not against it, they can limit data breaches, reduce downtime, increase end-user productivity, and ultimately prevent the damaging consequences of a data breach.


IDG Connect