Common Mistakes in Enterprise Password Management Policies

By Dean Wiech
 
The most common problem with enterprise passwords is that there are simply too many of them for the average person to remember. According to studies, the average employee needs to remember about 12 different sets of credentials to access the applications they use in their daily work. That quantity, combined with a wide range of complexity requirements, produces a familiar result: passwords written on a sticky note or saved in a document for easy retrieval.
This sends shivers down the spine of most security officers: a password policy provides little value if users defeat it by writing passwords on paper and leaving them next to the desk. And that says nothing of the helpdesk manager whose staff is inundated with calls from frustrated users who cannot get into an application they need right away.
 
So what can an organization do to alleviate these issues? Eliminate passwords, of course – at least all but one of them.
Web access portals are currently a go-to in access governance. In essence, a web portal groups all of the applications a user needs together in one place. If the user is on the corporate network, their existing Active Directory authentication grants them access to the portal. If they are off the network, on a smartphone for example, they enter their one username and password to reach the portal and can then open their applications from there without entering individual credentials for each one.
 
There are several security advantages to a web access portal over handing individual credentials to users. First, a user can be given access to dozens of applications without ever being told the URL or the credentials for them. By placing the applications behind a proxy server and pre-loading the username and password into the portal, the end user never learns where the application actually lives or what its credentials are. Considering that a recent survey found end users might be willing to sell their credentials for as little as $100, this is a meaningful reduction in risk. The credentials still exist, of course, stored in the portal's vault, so the portal account becomes the one that matters and the one that needs the additional controls that follow.
 
Secondly, multi-factor authentication can be added to the portal itself or to individual, particularly sensitive applications. One-time password (OTP) codes or personal PINs are an easy way to add a layer of security beyond the credentials needed to reach the portal. A third area of security is access control rules or profiles. These can be defined for a group or an individual and can apply to all applications or to specific ones. Restrictions include time of day, source IP address, device type, whether the user is on or off the corporate network, and which authentication provider the user signed in with, for example a Security Assertion Markup Language (SAML) federation or Google.
 
Ideally, passwords will be eliminated entirely in the near future. Until a cost-effective and technologically viable alternative arrives, however, we can reduce the number of passwords a user needs to one. Then secure that one password by making it stronger, possibly a passphrase, and anchor it with a second factor of authentication.
 
Dean Wiech is managing director of Tools4ever.
Jeff Edwards

Editor, Cybersecurity at Solutions Review
Jeff Edwards is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts degree in Journalism from the University of Massachusetts Amherst, and previously worked as a reporter covering Boston City Hall.