Updated Best Practices for 2022
Identity Management Day is a chance to bring attention and information about identity management to organizations of all kinds, especially as the digital landscape expands.
Presented by the Identity Defined Security Alliance and the National Cybersecurity Alliance (NCSA), it’s a much-needed opportunity to educate businesses and IT leaders on the importance of cybersecurity awareness and best practices.
What is Identity Management?
Identity Management (IdM) ensures that only authorized users have access to the technology resources they need to perform their work.
It involves hardware, software, applications, and permissions–anything related to access controls in a relevant situation.
Why is it important now?
In cybersecurity conversations about IdM, there is a special focus on the dangers of not properly securing identities and access credentials. User-specific information is a common entry point for account takeover, ransomware attacks, and other attack vectors.
Research by the IDSA reveals that 79% of organizations have experienced an identity-related security breach in the last two years, and 99% believe their identity-related breaches were preventable. According to the 2020 Verizon DBIR Report, as many as 81% of hacking-related breaches leverage weak, stolen, or otherwise compromised credentials.
What is the Issue with Passwords?
From one-time passwords to fingerprint scans, there are many authentication methods, but the reality is that passwords are still the backbone of almost all of them. They are the most ubiquitous authentication method by far, and are the most familiar to the average user.
Credentials work across devices, operating systems, and application versions with no compatibility issues, making them incredibly useful. Inevitably, passwords have become a security layer that most organizations rely upon but have little actual control over, because users choose their own passwords.
While other authentication methods can be layered to reinforce IdM systems, we need to close the loop properly: securing the password with current best practices, before investing in other areas.
What are the Best Practices to Strengthen IT Security?
1. Understand Password Vulnerabilities
Due to the sheer frequency of credential-related data breaches, it would be easy to assume that passwords themselves are somehow intrinsically liable for most security issues. But the nuance of the issue is that individuals create weak passwords and then re-use those passwords all the time.
Once a user’s credentials have been stolen from one account, they are often leaked on the dark web and sold to other cybercriminals. Credential data is a useful and tempting target, because cybercriminals know that many individuals re-use passwords across personal and professional boundaries, making it easy for bad actors to gain access to additional accounts.
While we can’t control user behavior, businesses can understand the reality of what’s happening, educate their teams, and put solutions in place.
2. Audit Passwords
A straightforward way to gauge the severity of the problem is to audit the passwords in use in your environment. There are several audit tools that make it easy for organizations to get a snapshot of their domain’s password security state, compared against the latest breaches and cracking dictionaries.
3. Follow NIST guidelines
The standards from NIST regarding password policies are an excellent resource for businesses to pull from. Among the most important are:
- Get rid of the password complexity requirements
Arbitrary requirements for mixtures of upper case letters, symbols, and numbers have been shown to result in worse passwords, reused passwords, and more IT help desk calls.
- Get rid of password length maximums
Like the complexity requirements, having password length maximums restricts users from creating more memorable, stronger, and more unique passwords for themselves.
- Get rid of periodic password reset
Multiple studies have shown that requiring frequent password changes is actually counterproductive to good password security. Instead, having unique and memorable passwords is better for user security.
4. Screen for Compromised Credentials
This recommendation is also part of the NIST password guidelines, but it deserves its own emphatic bullet point. One of the best ways to protect your business and your users is to screen all passwords (as they are newly created and while actively in use) against dynamic lists of both dictionary words and known compromised passwords, on a continuous basis. Alerting users and IT teams when full sets of credentials have been compromised is extremely useful in protecting the company from a breach, and has the added benefit of reducing friction for the user.
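The following Python example, added here and not part of the original article or of any product, shows what points 3 and 4 look like in code: a password screen with no complexity rule and no low length maximum, a check against blocklists of dictionary words and known compromised passwords at creation time, and a re-screen of already stored (salted, hashed) passwords when new breach data arrives. The 8-character minimum and the NFKC normalization come from NIST SP 800-63B; the 256-character hard cap, the context-word check against the username, the PBKDF2 iteration count, and the blocklists and sample users are constructed for this example.

```python
"""NIST SP 800-63B-style password screening (constructed example, not from the article)."""
import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass

MIN_LENGTH = 8    # NIST SP 800-63B: user-chosen secrets must be at least 8 characters
HARD_CAP = 256    # assumption: generous ceiling only to bound input size; NIST requires at least 64 be allowed

# Constructed sample lists. A real deployment loads a continuously updated breach corpus
# and a cracking dictionary instead of these few entries.
COMPROMISED = {"password", "123456", "qwerty", "letmein", "welcome1"}
DICTIONARY = {"sunshine", "dragon", "football"}


def normalize(pw: str) -> str:
    # NIST recommends Unicode NFKC normalization before comparing or hashing a secret
    return unicodedata.normalize("NFKC", pw)


def screen_password(pw: str, context_words=()):
    """Return the list of reasons a candidate password is rejected; an empty list means accepted.

    Deliberately absent: any character-class (complexity) rule and any maximum below HARD_CAP,
    in line with the NIST guidance summarized above.
    """
    pw = normalize(pw)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if len(pw) > HARD_CAP:
        reasons.append("exceeds hard cap")
    low = pw.lower()
    if low in COMPROMISED:
        reasons.append("known compromised")
    if low in DICTIONARY:
        reasons.append("dictionary word")
    # Assumption: NIST also rejects context-specific words (username, service name);
    # the caller passes whichever words apply.
    for word in context_words:
        if word and word.lower() in low:
            reasons.append(f"contains context word '{word}'")
    return reasons


@dataclass
class StoredCredential:
    username: str
    salt: bytes
    digest: bytes


def hash_password(pw: str, salt: bytes, iterations: int = 50_000) -> bytes:
    # Iteration count is an example value; tune to your hardware in production
    return hashlib.pbkdf2_hmac("sha256", normalize(pw).encode("utf-8"), salt, iterations)


def store(username: str, pw: str) -> StoredCredential:
    """Persist only a salted hash, never the plaintext."""
    salt = os.urandom(16)
    return StoredCredential(username, salt, hash_password(pw, salt))


def rescreen(credentials, newly_leaked):
    """Continuous screening of passwords already in use.

    When a new batch of breached plaintexts arrives, re-hash each candidate with every user's
    salt and compare to the stored digest. This is fine for a small batch; for a full-size
    corpus a deployment would use a dedicated index or a k-anonymity range lookup instead.
    """
    flagged = []
    for cred in credentials:
        for candidate in newly_leaked:
            if hmac.compare_digest(hash_password(candidate, cred.salt), cred.digest):
                flagged.append((cred.username, "password found in new breach data"))
                break
    return flagged


if __name__ == "__main__":
    print(screen_password("password"))                                  # ['known compromised']
    print(screen_password("correct horse battery staple"))             # [] (long, no complexity needed)
    print(screen_password("alice-rocks-2022", context_words=["alice"]))
    users = [store("bob", "taylorswift2019"), store("carol", "correct horse battery staple")]
    print(rescreen(users, ["taylorswift2019", "letmein"]))             # bob is flagged
```

Note that `screen_password` returns every applicable reason rather than stopping at the first, which is what an audit (point 2) wants when summarizing why passwords in a domain fail, while a signup form would typically show the user only the first.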
While cybersecurity problems, and solutions, should be discussed in all realms and levels of a business, experts are still working to disseminate the information and suggestions. The benefits of a strong defensive stance are myriad; following NIST guidelines allows companies to maintain regulatory compliance, and reduce IT costs across the board. Identity Management Day is a perfect opportunity to bring these common security problems, and solutions, to the front page.