The End of an Era: Passwords Byte the Dust
By Paul Christman, VP-Public Sector, Dell Software
Nearly every major data breach can be traced back to a compromised user-name and password that is exploited to gain unauthorized access to sensitive data. The pattern of most cyber breaches is similar—bad guys hijack credentials, escalate access privileges, and go where they want. A user-name and password was once sufficient for user authentication. Now hackers can easily decode passwords, infiltrate secure networks, and access confidential data.
Simple user names and passwords can no longer be the primary or sole authentication technique to grant secure and appropriate access to systems and data. Authentication that requires two-factors (password plus another factor) can and should be implemented across all government agencies. The US federal government has invested millions of dollars in ‘smart cards’ for physical access to facilities, but the integration of this additional authentication token in information technology access is still incomplete.
Additionally, privileged access of systems administrators and super-users demands heightened security of multi-factor authorization. As revealed in the Verizon 2014 Data Breach Investigations Report, 58 percent of public sector breaches were caused by insiders or misuse of privileged access rights.
“The US federal government has invested millions of dollars in ‘smart cards’, but this additional authentication token in information technology access is still incomplete”
Privileged account governance should be unified, automated, secure, and business-driven to ensure that only limited and appropriate access is granted. Privileged user accounts are the best first place to start when implementing multi-factor authentication systems.
Beyond the insider threat, the frequency and complexity of external cyber threats makes single-factor authentication an inadequate technology to protect the nation’s most sensitive data. In 2013 alone federal agencies reported nearly 50,000 cyber incidents. A recent Dell survey found 42 percent of federal employees reported their department or agency is the target of a cyber-intrusion multiple times each week and these attacks come in varying forms such as phishing or spear phishing (66 percent) and email embedded with malware (63 percent). Government agencies need a more robust, integrated, and comprehensive approach to security. As IT struggles to combat cyber threats, downward budget pressures and upward user demands have further stressed the system.
Data, equipment, and user account movement is no longer an occasional event. Migrating, consolidating, and optimizing IT infrastructure is an ongoing, iterative process. Providing coexistence during infrastructure consolidation and, at the same time, maintaining highly secure access to critical resources, is a complex task that many IT leaders are unprepared to accomplish. Government agencies must implement security practices that protect both the original and consolidated environments to ensure the integrity and security of data, no matter where it came from or where it ends up.
End-user demands for mobile data and apps have extended the ‘attack surface’ to new and unfamiliar platforms. Federal employees are now reading email, downloading documents, and sharing information on phones, tablets, and even watches—not just on traditional computing devices such as desktops and laptops. This trend has agencies struggling with the security implications of expanding, heterogeneous endpoints. Government security experts need to consider the integrity of each end point and ensure that each device is protected from cyber compromise.
Defending the organization from the data center, to the cloud, to all endpoints, old and new, and everywhere in between, is critical to maintaining a strong security posture and preventing cyber breaches. Existing security practices are not sufficient in an increasingly complex information environment. Traditional single-factor authentication—passwords only—must be extended and improved to safeguard critical data and systems.