It was only a matter of time before the headlines changed.
We’ve been reading “Megacorp Hacked – Millions of Passwords Stolen” for years – and savvy consumers have taken notice. Those folks have moved away from reusing a single username and password across multiple applications and have started using password managers to store unique passwords for each site and app they use, locked up with a single master password.
Featured Download: Social media access at work. Do your employees know the rules?
Now we read, “Password Managers Targeted by Citadel Attacks.” I can’t say this is much of a surprise.
What does this mean for SMBs?
It means the bad guys know that our passwords are the route to our money. It means businesses should be keenly aware of the risks associated with employees storing their work credentials in password managers like Dashlane, LastPass, etc. Once an employee’s master passwords gets breached in these types of apps, criminals have the keys to unlock any business app, thereby providing a direct path to sensitive corporate data.
Rather than relying on consumer solutions, companies can invest in a corporate-grade identity management solution like Centrify that provides single sign-on to all corporate apps as well as multi-factor authentication to ensure work data stays on lockdown. Employees will no longer need a password manager because they’ll have secure SSO access to everything they need for business. This means no more passwords to store or remember, all the benefits of multi-factor authentication, app access policy that’s context-aware, and reporting and management for business-level visibility.
In addition, solutions like Centrify enable businesses to manage privileged access to (and within) apps. That way IT can provide access to only the specific apps and data a given employee needs in order to work effectively, limiting the attack surface and the risks that come from over-privileged access. And best of all, thanks to forward-thinking app vendors and enterprise identity solutions, app passwords can often be eliminated entirely. Instead of transmitting passwords that can be stolen, enterprise identity solutions like Centrify use SAML and other standards to authenticate users with one-time secure tokens that can’t be re-used.
While cloud-based apps typically do a good job of encrypting data in motion, many don’t provide any further security or access policy above the simple step of using HTTPS when accessing the app. While that’s critical for minimizing snooping and unauthorized access, it can’t stop malicious actors from accessing data if they can steal the password to the app.
But we’ve seen enough breaches in the cloud (just ask Jennifer Lawrence) to understand that protecting your cloud apps requires more than just traffic encryption. Businesses, even smaller ones, require something much more industrial in strength.
If your employees are potentially storing work passwords in consumer password management apps, consider warning them of the risks and providing them with a better option. Better options are out there and are surprisingly affordable.
I look forward to the headline that reads, “Passwords are Dead. SAML, OATH, OAUTH, and MFA Adopted Everywhere.”
By Chris Webber, Security Strategist, Centrify
About Centrify
Centrify provides unified identity management across data center, cloud and mobile environments that deliver a single sign-on (SSO) for users and a simplified identity infrastructure for IT. Centrify’s unified identity management software and cloud-based Identity-as-a-Service (IDaaS) solutions leverage an organization’s existing identity infrastructure to enable single sign-on, multi-factor authentication, privileged identity management, auditing for compliance and mobile device management. Centrify customers can typically reduce their total cost of identity management and compliance by more than 50 percent, while improving business agility and overall security. Centrify is used by more than 5,000 customers worldwide, including nearly half of the Fortune 50 and more than 60 Federal agencies.
For more information, please visit http://www.centrify.com/.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.