Once More Into the Identity and Access Governance Breach


Another breach… more lost passwords. The recent LinkedIn and eHarmony security breaches once again remind us that our online information and cyber security is always at risk of compromise. While this blog could focus on a number of different IT cyber security threats relating to company reactions (such as incident response, breach notifications, general system security, security monitoring, the list goes on…), today’s topic highlights an old favorite… passwords.

Both corporate and personal system security are still heavily dependent on a username and password combination to protect access to information. This still holds true even though other methods such as multi-factor authentication and biometrics have been around for years. Unfortunately, these other identity and access governance methods cost money to implement and often have poor adoption rates among end-users, who remain content to rely on just a username and password to access their critical data. Until more robust identity and access governance mechanisms are accepted en masse, individuals and organizations must use intelligent password management capabilities to protect themselves.

While the hackers in these breaches may or may not have used complex techniques to gain access to the password database itself, the core underlying issue is that common password cracking tools that have been around for years easily cracked the passwords in those databases. This underscores the fact that people continue to use simple passwords to protect access to their information. The only way to prevent this at the organizational level is to create identity and access governance procedures that balance password management “Simplicity” and “Complexity” in your environments.

The “Simplicity” component applies to standardizing your password management practices and policies across systems. This means aligning system password strength through automated password reset policies and concurrently implementing self-service password reset and synchronization technologies so users do not have to think about multiple passwords and password formats. The “Complexity” component relates to establishing and enforcing the proper level of password complexity (length, character types, etc.) so password crackers cannot easily guess your passwords. Your enterprise password management system should manage all of this for you.
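As an added illustration of the two components above (not code from the post or from Avatier), the following Python sketch applies one policy object uniformly to every system (the “Simplicity” side) and enforces length, character classes and a blocklist of commonly cracked passwords (the “Complexity” side). The policy values and the blocklist entries are constructed samples, not a recommendation for any particular environment.

```python
"""One password policy applied to every system, enforcing length,
character classes and a blocklist of well-known weak passwords.
Added example; not Avatier code. Policy values and blocklist entries
are constructed samples."""
import math
import string
from dataclasses import dataclass

# Constructed sample of passwords a dictionary-based cracker tries first.
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty", "letmein", "welcome1"})

@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    min_classes: int = 3  # out of: lowercase, uppercase, digit, symbol
    blocklist: frozenset = COMMON_PASSWORDS

    def character_classes(self, password: str) -> int:
        alphabets = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
        return sum(any(ch in alphabet for ch in password) for alphabet in alphabets)

    def estimated_bits(self, password: str) -> float:
        """Rough keyspace estimate: log2(alphabet_size ** length); ignores dictionary structure."""
        sizes = {string.ascii_lowercase: 26, string.ascii_uppercase: 26, string.digits: 10, string.punctuation: 32}
        alphabet = sum(size for chars, size in sizes.items() if any(ch in chars for ch in password))
        return len(password) * math.log2(alphabet) if alphabet else 0.0

    def violations(self, password: str) -> list[str]:
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.character_classes(password) < self.min_classes:
            problems.append(f"fewer than {self.min_classes} character classes")
        # Strip trailing digits/symbols so "Password1!" still matches "password".
        core = password.lower().rstrip(string.digits + string.punctuation)
        if core in self.blocklist or password.lower() in self.blocklist:
            problems.append("based on a commonly cracked password")
        return problems

    def is_acceptable(self, password: str) -> bool:
        return not self.violations(password)

# The same policy object is applied to every system: one standard
# instead of per-system formats, so users have one rule set to remember.
CORPORATE_POLICY = PasswordPolicy()

if __name__ == "__main__":
    for candidate in ("Password1!", "correct-Horse-battery-9", "abc"):
        print(candidate, CORPORATE_POLICY.violations(candidate))
```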

By simplifying your identity and access management landscape along with enforcing password complexity, you protect users from themselves while simplifying operations.

Follow Ryan Ward, Avatier Chief Innovation Officer and Chief Information Security Officer, on Twitter at https://twitter.com/ryawarr

Watch the Group Enforcer product introduction video to learn how organizations can have a critical group management software element in place for a strong overall identity and access governance initiative.


Written by Ryan Ward

Ryan Ward is CISO at Avatier, responsible for security initiatives as well as strategic direction of IAM and security products. A sixteen-year veteran of the security industry, Ward comes to Avatier after five years with MillerCoors where he served as Enterprise Security Manager of the brewing company and USA Information Security Officer for the public company SABMiller. In those positions Ward was responsible for all Information Security initiatives for MillerCoors. Prior to MillerCoors, he served as Senior Information Security Leader at Perot Systems while supporting the Wolters Kluwer account. He previously held the position of Vice President of Information Systems for Allscripts. Ryan is also a Certified Information Systems Auditor (CISA) and a Certified Information Systems Security Professional (CISSP).