Since the advent of computing, the main tools for access control and authentication have been usernames and passwords. Yet post-mortem reviews of most data breaches show that compromised identities have become the primary attack point for today's cyber adversaries. At the same time, a recent Identity Defined Security Alliance (IDSA) study shows that credential-based data breaches are both omnipresent (94% of survey respondents had encountered an identity-related attack) and highly preventable (99%).
Nevertheless, many businesses still lack essential identity-related security controls, and the few forward-thinking companies that have started applying proper access controls typically focus on human users. That flies in the face of reality: with digital transformation initiatives spanning DevOps, cloud computing, the Internet of Things (IoT) and more, the sheer number of non-human identities greatly outweighs human users. So what does this mean for the future of passwords, and how should companies manage access to their sensitive resources?
For decades, users have signed in to accounts and services with static passwords. A typical password remains unchanged from the moment it is created unless a change is forced by legislation, personal preference, or a response to a data breach. This makes it extremely vulnerable to threat actors: a static password does little to verify a user's legitimacy, and it may already be a compromised credential that can be bought on the dark net just as easily.
Once in the hands of an attacker, a stolen password can provide unrestricted access to the compromised account, along with the ability to move laterally within the network, disrupt business processes, or exfiltrate sensitive information. The impact is far greater if the account belongs to a privileged user who holds the "keys to the kingdom." And even where an enterprise has strengthened its security posture by introducing multi-factor authentication (MFA), that additional defensive layer does not address non-human identity threats.
Moving Beyond Static Passwords
Today, identities include not only individuals but also workloads, resources, and machines. In fact, in many organisations non-human identities make up the majority of "users." Machine identities are often synonymous with privileged accounts, and they usually have a far larger footprint in modern IT infrastructures than traditional human privileged accounts. This is particularly true in DevOps and cloud environments, where task automation plays a dominant role.
These identities often form a blind spot: when security checks are designed, system, IoT, service-account, and client identities are not always taken into account. Beyond underestimating the role of non-human identities in a data breach, many companies are quickly realizing that the conventional static password model, which often involves manual and time-consuming rotation, is ill-suited to fast-moving multi-cloud and hybrid environments, where access needs are often transient and changes are frequent.
The Future of Authentication: Ephemeral Tokens
Rather than depending on a static password model, companies should switch to a dynamic approach to credentials. Ephemeral, certificate-based access credentials tackle the major security issues that plague static passwords in increasingly digitalised IT environments, without compromising usability or agility.
With ephemeral certificate-based authentication, target systems are accessed without any permanent access credentials, creating a "zero standing privilege" posture in which every access to a service is authenticated, authorised, and encrypted. The ephemeral certificate is issued for each session (whether for a person or a machine) by a Certificate Authority (CA), which acts as the trusted third party, and is based on industry standards such as short-lived X.509 certificates. For security purposes it encodes the user's identity and has a short lifetime, reducing the risk of man-in-the-middle attacks.
Ultimately, the CA controls access to the target system through role-based rules (including roles assigned to workloads, programs, and machines). The rules for each role are defined in line with the organisation's security and access requirements. The CA then retrieves the rules for each role from the traditional enterprise directory (e.g., Microsoft Active Directory) and uses them to make the authentication decision. This approach simplifies setting up access for each individual user and allows user groups to be updated seamlessly.
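As an added illustration of the issue-and-verify loop described above (not code from this article or from any vendor's product), the following Go program uses only the standard library: the CA looks up a principal's roles in a stand-in directory map at request time, signs a short-lived X.509 client certificate carrying those roles, and the target system validates it against the CA at an explicit point in time. The directory entries, principal names and role names are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// directory stands in for the enterprise directory (constructed sample data, not a real AD).
var directory = map[string][]string{"alice": {"db-admin"}, "build-worker-7": {"deploy"}}

// newCA creates the self-signed CA that acts as the trusted third party.
func newCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand.Reader does not return errors
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ephemeral-ca"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issue looks up the principal's roles at request time and signs a session certificate for the client's key that expires after ttl.
func issue(ca *x509.Certificate, caKey ed25519.PrivateKey, principal string, pub ed25519.PublicKey, ttl time.Duration, now time.Time) ([]byte, error) {
	roles, ok := directory[principal]
	if !ok { return nil, errors.New("unknown principal: " + principal) } // no directory entry, no credential
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), Subject: pkix.Name{CommonName: principal, OrganizationalUnit: roles},
		NotBefore: now, NotAfter: now.Add(ttl), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
}

// verify is the target system's check: chain to the CA and validity at time at; identity and roles then come straight from the certificate.
func verify(ca *x509.Certificate, der []byte, at time.Time) (string, []string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil { return "", nil, err }
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	opts := x509.VerifyOptions{Roots: pool, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil { return "", nil, err }
	return cert.Subject.CommonName, cert.Subject.OrganizationalUnit, nil
}
```

A certificate presented after its NotAfter time, one issued by a different CA, or a request for a principal absent from the directory is rejected, which is where the "zero standing privilege" property comes from.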
Integrating identity into security remains a work in progress: according to the IDSA research report, fewer than half of organizations have fully adopted key identity-related access controls. To make matters worse, static passwords simply can no longer be trusted, and they are unfit for today's machine-identity-dominated IT environments, which are built for agility and rapid change. A simpler solution is to adopt a dynamic credential model, which, paired with a least privilege solution, minimizes the likelihood of identity-related breaches.