It’s 2018. Password Journals Are Still a Thing.

By Optiv ·

I was in a store the other day and saw something that, being in cyber security, stopped me fast: A Password Journal. Seriously. A place to write down passwords. The book even recommended using pencil so that when you change them, you can erase the old one.  

It’s 2018. While I have not seen a password journal in an organization (yet), I have seen for myself, at companies of every size, passwords written on a sticky note and kept in a drawer or (gasp!) stuck to a monitor, because that is what employees resort to in order to remember all their logins and passwords.


There’s a better way.  

I mean there has to be, right? For personal use, I wholeheartedly recommend a password manager like LastPass or Dashlane. I use the former but still occasionally run into trouble when I am on a different device (in a house of seven computers, three iPads, four Kindles, and five iPhones this can happen).  

In an organization, however, the answer is more complicated: identity and access management (IAM). And with insider threats (that’s your employees) becoming one of the biggest vulnerabilities, IAM chatter is ubiquitous. From employee onboarding to role changes to termination, access must be managed in a way that’s secure but easy enough not to get pushback from that weak link.

What is it? Is it really necessary?

According to Wikipedia: “Identity management, also known as identity and access management is, in computer security, the security and business discipline that "enables the right individuals to access the right resources at the right times and for the right reasons."”  

IAM used to be just a supposedly simple IT ops function: Getting new employees access and removing that access when they leave or changing access if they transition roles. But that landscape has changed: 

  • It’s become more important: The majority of breaches are related to compromised credentials (through insider negligence or intent).
  • Compliance and regulations require it: If your organization has compliance requirements (HIPAA, PCI, SOX, and GDPR, to name a few), IAM is probably mandatory.

Let’s put IAM in layman’s terms. Joe Smith is an employee at company X who works in the HR department. He needs to access his email and spreadsheets, write documents and reference some folders in HR (but only certain ones). From his perspective, IAM lets him get to what he needs quickly, after entering one password once. From a company perspective, Joe’s access is restricted to only what he needs, which leads to more secure data. Plus, if Joe leaves the company, his access is cut off immediately, not weeks or months later (there’s another weak link). Sixty percent of internal data breaches were caused by privilege abuse, where internal actors misused their level of granted access.
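As an added illustration of the Joe Smith scenario (example code written for this page, not Optiv’s or any product’s): a toy role model where entitlements come from the job role, a joiner/mover/leaver lifecycle that revokes everything on termination, and an audit that flags access-log entries the model no longer justifies, such as a former user still getting in. The role names, resources and log lines are constructed.

```python
from dataclasses import dataclass, field
# Constructed role model (assumption, not from the post): each role grants a fixed
# set of resources, so a user never holds more than the job needs.
ROLE_ENTITLEMENTS = {
    "hr": {"email", "spreadsheets", "documents", "hr/benefits", "hr/onboarding"},
    "finance": {"email", "spreadsheets", "finance/ledger"},
}


@dataclass
class Directory:
    """Toy identity store: one role per user; terminated users hold nothing."""
    roles: dict = field(default_factory=dict)
    terminated: set = field(default_factory=set)

    def onboard(self, user, role):            # joiner
        self.roles[user] = role

    def change_role(self, user, role):        # mover: old entitlements leave with the role
        self.roles[user] = role

    def terminate(self, user):                # leaver: revoke everything at once
        self.roles.pop(user, None)
        self.terminated.add(user)

    def can_access(self, user, resource):
        return resource in ROLE_ENTITLEMENTS.get(self.roles.get(user), set())


def audit(directory, log_lines):
    """Flag ALLOW entries that the role model does not justify (e.g. a former user)."""
    findings = []
    for line in log_lines:
        _ts, user, resource, result = line.split()
        if result == "ALLOW" and not directory.can_access(user, resource):
            reason = "terminated user" if user in directory.terminated else "outside role"
            findings.append((user, resource, reason))
    return findings


def run_demo():
    d = Directory()
    d.onboard("jsmith", "hr")          # Joe joins HR
    d.onboard("bjones", "finance")
    d.terminate("jsmith")              # Joe leaves; access must end now, not weeks later
    constructed_log = [                # sample access log, constructed for this example
        "2018-03-01T09:02 jsmith email ALLOW",
        "2018-03-01T09:05 bjones finance/ledger ALLOW",
        "2018-03-01T09:07 bjones hr/benefits ALLOW",
        "2018-03-01T09:09 jsmith hr/onboarding DENY",
    ]
    return audit(d, constructed_log)
```

`run_demo()` returns the two entries an IAM owner would want to see: Joe still being allowed in after termination, and a finance user reaching an HR folder outside his role.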

What’s the plan? 

With all of the business drivers facing organizations today, IAM is becoming more and more important, and yet there are major hurdles. 

  • Organizations are implementing IAM technologies tactically (one application, one project, one user type).   
  • Ownership for identity still seems to be a hot potato – HR vs. Operations vs. Business vs. Security. Without a single owner that has alignment with all of the key stakeholders across the business, it will be a challenge for organizations to create a single cohesive strategy.  
  • Organizations don’t have the expertise (in architecture and implementation). As with security professionals in general, experienced IAM professionals are few and far between, creating recruiting and retention problems for organizations.
  • IAM is shifting: organizations need to consider more than just employees and incorporate customers and partners as well.

How do you start? Fight to own IAM.

IAM plays a critical role in solving many issues keeping CISOs up at night. Here are just a few points to consider and questions to ask.

  • Focus on what you already own today and how to integrate that. Find the holes. 
  • How would your team respond when finding that a former user has accessed the network or that an employee leaving is accessing sensitive information? 
  • What safeguards do you have in place to ensure only the right people have access to critical information? 
  • Whom do you define as privileged users today?
  • How do you manage privileged user accounts?
  • What compliance requirements do you need to meet? 
  • Do you know what files can be accessed by whom today? 
  • How do you control file sharing today? 

IAM isn’t a one-size-fits-all endeavor. It’s about lining up what you already have, from personnel to hardware and software (some of it sitting on a shelf), and designing a path for integrating existing cyber security technologies with IAM at the core of the strategy. It’s daunting, but it leads to better security at a weak point.