Credential Management Fail. Time to Reset.


Credential management as we know it is not secure and doesn’t work. How else would we explain that weak, default or stolen passwords were used in roughly 63 percent of data breaches in 2015, as documented in a new comprehensive report?

It is time to take the human factor out of the equation.

***

The Verizon Data Breach Investigations Report (DBIR) provides a great amount of detail on 2,260 data breaches in 2015. Web-based attacks were up 33 percent in 2015, with financial motives behind 95 percent of them. So what drives this trend?

The report shows that in most attacks, stolen or guessed credentials of legitimate users were used to obtain unauthorized access. Malware, phishing and keyloggers ranked next (each of which is also related to the credential issue).

The reason is obvious. The web has evolved dramatically, while human nature has remained the same.

Today’s businesses rely on data resources, apps, collaboration services and business processes that are based in the cloud. With every one of those cloud services requiring user credentials, the crooks see an enticing target.

But despite the high-profile breaches, our bad habits are deeply ingrained. We know that users

  • won’t follow best practices (or even good practices) when handling their credentials for cloud apps. They’ll reuse them across apps, make them easy to guess, or stick them on a post-it note under the keyboard.
  • won’t differentiate between trusted and untrusted devices when accessing cloud apps. That means data is cached, downloaded or otherwise exposed on devices outside of IT’s control, potentially resulting in data leaks.
  • will connect from anywhere. Since free WiFi can be considered a basic “human right”, users will sign on through whatever network they can, even through unsecured access points or rogue hotspots set up by crooks.

Countering the force of human nature by trying to enforce better “password hygiene” misses the broader picture. When users launch their local browser at work to access the web, they trust corporate IT to do its job and keep the company’s data safe. But with cloud services being accessible from any device over any network at any time, the whole concept of an IT-controlled perimeter has been destroyed.


This isn’t a new phenomenon. Jakob Nielsen, co-founder of the Nielsen Norman Group and "perhaps the best-known design and usability guru on the Internet" (Financial Times), wrote this about users and web security back in 1995:

“Security experts often recommend that users select different passwords for each online service they belong to and that users change their password with regular interval.” Then he warned: “Good advice in theory, but in practice these experts have forgotten to consider the human factors of password security.”

Nielsen went on to describe how most security breaches happen because of various human nature shortcomings - “not because [people] are stupid or want to make their system easy to crack.”

If users weren’t able to adopt “secure behavior” back in the nineties when the web was still simple, how can we expect them to protect themselves in today’s complex Internet, with its ubiquitous web mail, cloud apps, and diverse content sources?

Crooks target web apps and credentials because those targets offer the highest success rate. IT keeps responding to the onslaught with a cocktail of endpoint malware protection, identity management solutions and application-aware firewalls.

As someone famously said, “doing the same thing over and over again and expecting different results” is the definition of insanity. But what’s the solution, then?

How can you create a secure, end-to-end environment rather than proliferating risk, as documented in the Verizon report? How can you protect your applications and data in a comprehensive way that covers malware, uncategorized web sites, credentials, DLP policies and more?

It’s simple: take away the ability for users to hurt themselves.

Instead of deploying a patchwork of disparate solutions, protect your users and your company’s data with a product that combines a secure browser, credential management and data policies.

The solution: a secure browser with credential management and enterprise data policies

When we started Authentic8 five years ago, nobody was combining these elements. IT and the analysts alike treated each as discrete components. We realized that the combination of these core elements would be stronger than the sum of the parts.

So we built Silo, the secure virtual browser in the cloud that has powerful credential management and enterprise data policy capabilities baked in.

Silo doesn’t allow any web code to reach the endpoint. It virtualizes the browser in the cloud, providing the same rich and fast web experience users are familiar with, while executing all web code on a remote server. This shifts the attack surface from the user’s device to our cloud, where malicious content can be contained.

Silo keeps credentials out of the hands of the user. An integrated, admin-managed IDP capability lets IT provision and revoke access to approved cloud apps without revealing the credentials to individuals or teams of users.

Stated simply, if users don’t know their ID or their password, they can’t type that sensitive data into a fraudulent web form. And if a user leaves a team or changes projects, Silo is a single switch for turning off access.

Once users are in the secure browser, accessing cloud apps from only authorized devices, data policies can be established to enable or restrict core browser functionality like download/upload, copy/paste, and more.

Silo is the all-in-one solution. It combines inherent security, managed credentials and data use policies. Silo puts the guardrails in place to keep users from hurting themselves - or your company.

InfoSec and IT teams at some of the nation’s largest law firms, financial service providers, law enforcement agencies, and across the armed services agree that our approach works.

They have deployed Silo because the isolation and credential management capabilities are unmatched by any other product.

Don’t be insane. Reset your approach to managing users and their credentials. Try Silo risk free at

https://go.authentic8.com/intro

###

About the author: Scott Petry is Co-Founder and CEO of Authentic8. Prior to Authentic8, Scott founded Postini and served in a variety of C-level roles until its acquisition by Google in 2007.
