Petteri Ihalainen

Resolved: Username/Passwords Alone MUST Go

Username/Passwords MUST Go

New Year’s Resolution #1 for any cloud IT deployment manager in 2015 ought to be that the user name/password alone must go.  High-profile breaches that exploit username and password-only authorization systems are becoming all-too-frequent events.   The Syrian Electronic Army's attack on the Associated Press’s Twitter account that caused a 136 Billion dip in the stock market used a spear phishing scheme where employees enter their user names and passwords onto a fake Web site to obtain passwords. So, too, did an eBay intrusion in May 2014 that was also attributed to spear phishing.  And while the details about the November 2014 Sony breach are still unclear, multiple reports indicate that system access ultimately occurred via compromised admin accounts.  (Having a file folder titled Passwords clearly didn’t help either.)

password

What can cloud IT teams do to minimize the risk of careless disclosure of access credentials to a spear phishing attack?  One answer is to make it impossible for the user to divulge that information, unless the gun is pointed at the users head.

Confidential resources or high level access privileges should have an authentication method associated with it that is impossible to disclose by accident.  Typically these approaches involve multi-factor authentication (MFA) and range on a continuum from one-time-passwords to PKI.  The concept received a boost recently when Microsoft baked multi-factor authentication directly into the Windows 10 operating system, making it as consumer-friendly as possible in hopes of encouraging users to move beyond passwords.

If an enterprise is running a service containing confidential information, with administrators spread all over the globe, and where end user ease of use is required,  it’s best to implement adaptive authentication, where authentication strength matches the confidentiality or access level of a resource.

For applications where payment or high-value information is exchanged, such as in banking,, One-Time Passwords (OTP) are an option enabling a single transaction or entry into a session.  They’re certainly better than weak passwords, but you can still fool a user using a fake web site and using the OTP acquired from the user to access the legitimate resource.

Is Certificate Based Authentication a possible key?

One solution that has been around for almost as long as the password, is a certificate based authentication. The private key is impossible to memorize, and therefore disclose even by mistake. A clear improvement over OTP is a certificate based system, which can include either software-based certificates that are created and installed on the user’s computer, or hardware-based certificates that are created and installed on  a secure element –the chip of a smart card, or a mobile phone’s SIM card.  Both provide improved risk mitigation, even with software based certificate stores.

At the other end of the spectrum is mobile PKI.  If users’ credentials are stored in a tamper resistant environment (Secure Element), even the user can’t view them. When the authentication process begins, the request is sent to the secure element using a second channel (mobile network), and the request includes a clear text part to be signed “Sign in to salesforce.com.” The request is signed by the private key residing in the secure element using a PIN code associated with the key (not the mobile phone PIN).   As a result the system cannot divulge this information, even by accident.   Should someone wish to compromise the whole chain, they would have to have access to your computer, mobile network operator systems as well as your mobile phone OS core functions. Or steal your phone and ask for the PIN code at gunpoint.

It’s time we retire the 50-year old username and password-alone approach to cloud security and move to better approaches to identity relationship and access management.   They exist, they’re readily deployed and proven, and they represent perhaps the best lesson of recent hacks for organizations of all sizes.

By Petteri Ihalainen, GlobalSign

Petteri Ihalainen

Petteri Ihalainen is a IAM product manager

10 Ways The Enterprise Can Prevent Data Leaks In The Cloud

10 Ways The Enterprise Can Prevent Data Leaks In The Cloud

Prevent Data Leaks In The Cloud More companies are turning to the cloud for storage. In fact, over 60 percent of organizations store sensitive information in the cloud, according to a recent Intel security survey ...
How Artificial Intelligence Is Revolutionizing Business

How Artificial Intelligence Is Revolutionizing Business

Artificial Intelligence Revolution 84% of respondents say AI will enable them to obtain or sustain a competitive advantage. 83% believe AI is a strategic priority for their businesses today. 75% state that AI will allow them to ...
How Leading Organizations are Leveraging Big Data

How Leading Organizations are Leveraging Big Data

Seeing The Big Data Picture “Data will talk to you if you’re willing to listen”— Jim Bergeson. Few can dispute that. However, the challenge comes when data transforms into bundles and stacks of unorganized and unstructured ...
Open APIs Alone Won’t Change Banking

Open APIs Alone Won’t Change Banking

Open Banking API's Most people think of banks as one monolithic entity, but they are actually made up of hundreds of independent, pseudo-integrated systems. When a bank wants to make any kind of change, it ...
As Enterprises Execute Their Digital Strategies, New Multi-cloud Landscape Emerge

As Enterprises Execute Their Digital Strategies, New Multi-cloud Landscape Emerge

The Multi-cloud Landscape The digital universe is expanding rapidly, and cloud computing is building the foundation for almost infinite use cases and applications. Hence, it’s not surprising that of the Fortune 50 enterprises, 48 have ...

CLOUDBUZZ NEWS

Facebook Joins FIDO Alliance Board of Directors

Facebook Joins FIDO Alliance Board of Directors

Aligns with other leading global technology, financial services and e-commerce companies in effort to reduce world’s reliance on passwords MOUNTAIN VIEW, Calif., May 15, 2018 (GLOBE NEWSWIRE) -- The FIDO Alliance announced today that Facebook has been appointed ...
Rackspace Launches Kubernetes-as-a-Service with Fully Managed Operations

Rackspace Launches Kubernetes-as-a-Service with Fully Managed Operations

SAN ANTONIO – May 16, 2018 – Rackspace today announced Rackspace Kubernetes-as-a-Service, a highly-available managed service that transforms the way enterprises can utilize new container technologies, accelerating their digital transformation. Rackspace is focused on delivering true transformation ...
Security in the Cloud—A Little Known Advantage, Actually

Security in the Cloud—A Little Known Advantage, Actually

Okay, I’ll go ahead and say it: Public cloud infrastructures are more secure, and the security is more cost-effective, than the majority of on-premises data centers. That should get the blood flowing. With the word ...
The Lighter Side Of The Cloud - Fear Of Heights
The Lighter Side Of The Cloud - Techwear
The Lighter Side Of The Cloud - Car Troubles
The Lighter Side Of The Cloud - Easter Egg Hunt
The Lighter Side Of The Cloud - Hydro Cancellation
The Lighter Side Of The Cloud - Day 5
The Lighter Side Of The Cloud - Playing It Safe
The Lighter Side Of The Cloud - Dial-up Speeds
Comic