A Cloud Access Security Broker (CASB) is an on-premises or cloud-based security policy point-of-enforcement. Originally, asset security was simpler since all assets were located on-premises and on the same network, but with time and with an increasingly mobile workforce, security requirements evolved and CASB rose to meet them.
A CASB offers an integrated security management solution to security enforcement such as multi-factor authentication, single sign-on, credential mapping, encryption, tokenization, malware detection, and so on.
What is CASB and how it works?
CASB, a policy enforcement center, consolidates security regardless of device, including unmanaged smartphones or personal laptops. It works through a three-step process that involves Discovery (to compile a list of all third-cloud services and users), Classification (of risk levels of each application), and Remediation (to set security requirements and take action in case of a violation).
A CASB comprises three pillars.
1. Identity and Access Management (IAM)
Gartner defines IAM simply as ‘the discipline that enables the right individuals to access the right resources at the right times for the right reasons.’ IAM solutions help maintain a database of all organization identities and restrict access to org assets based on user identity.
2. Identity Governance and Administration (IGA)
This is a policy-based approach to IAM. IGA serves to support overall IT security and regulatory compliance as well as automate workflows for provisioning and deprovisioning users.
And yes, there is a difference between IAM and IGA. IGA allows organizations to not only define and enforce IAM policy but also connect IAM functions to meet audit and compliance requirements.
3. Privileged access management (PAM)
This is a critical security control that enables organizations to simplify how they define, monitor, and manage privileged access across their IT systems, applications, and infrastructure. It helps control who has access to sensitive systems and protected information. Most employees, for instance, shouldn’t be given access to all critical systems such as production, backup, and financial at the same time.
Privileged accounts can access valuable data and perform special actions, often with low tracking or control. PAM solutions centralize the management of administrator profiles and enforce a least privilege access policy.
To better understand what the CASB concept really means, and how you can adopt it as you secure your SaaS, PaaS, or IaaS environments, contact Akku today.
In this new world of remote working and cloud enterprises, Identity and Access Management (IAM) has been thrust to the fore. It’s almost as if the economy now relies on agile and automated IAM systems to enable rapid and seamless digital transformation.
Okta is the leading player in the area of IAM, and has made major strides forward in the field by harnessing artificial intelligence, and thus going beyond merely using the password and other multi-factor authentication options.
Okta has several advantages such as its security, scalability, and simplicity. But cost-wise, Okta works better for larger enterprises and can prove to be quite expensive for smaller organizations.
Though Okta is a popular choice, that doesn’t mean it is your only option. There are several other options out there for enterprises looking to go the IAM way, each with its own advantages.
Some of these alternatives include Active Directory Federation Services (ADFS), OneLogin, and Akku for instance and we’re going to give you the lowdown on each of them.
1. Active Directory Federation Services (ADFS)
Developed by Microsoft, ADFS is a Single Sign-On (SSO) solution and is a component of Windows Server operating systems.
ADFS is preferred by many enterprises as it is perceived to be more stringent on privacy issues when compared to other tech majors; and more convenient as most enterprises use Windows Active Directory (AD) for user management already, meaning there is no environment change if you are adding on ADFS.
But like with Okta, initial costs are high, and there are hidden infrastructure and maintenance costs as well. For instance, commissioning ADFS requires a Windows Server license, which comes at a cost.
Also, ADFS tends to be complex and needs substantial technical know-how to use properly. Commissioning, configuring, and maintaining an ADFS solution is time-consuming and customer support too, though free, is not very user-friendly.
OneLogin, another market leader, brings to the table secure, one-click access, through all device types. Advantages are that OneLogin comes pre-integrated with over 4000 apps, offers multiple language options, and integrates with popular directories such as Active Directory (AD) and G Suite, thereby offering flexibility for growing businesses.
But like with Okta and ADFS, here too, pricing can be steep for smaller enterprises. It is also complex to use and though it integrates with AD, it offers limited analytics on the admin console, user support time is not ideal, and adding new apps can be tricky.
Akku (yes, that’s us) is an emerging player in the Asia Pacific region. While it comes with all IAM features, it has been developed specifically keeping the needs of small and medium sized businesses in mind. It is therefore ideal for teams of 10-300 people and companies looking for high ROI and responsive support.
So, if you are a smaller enterprise, a fast-growing start-up, or a business in any industry where value for money is an important consideration, Akku presents a sensible option. Another advantage here would be that it provides enterprises with complete control over data access and privacy on the cloud while staying compliant with statutory standards.
Akku isn’t a one size fits all option and because of the bespoke nature of the solution, it takes more time than Okta to purchase and set up. But once you are all set up, it is simple to use, and offers all the IAM functionalities you will need at a fraction of the cost of the other options listed here.
So, there are options out there for IAM beyond Okta. And while a strong IAM strategy is integral to productivity and security, you’ve got to choose one that fits your requirements and your budget. If you are a small or medium-sized business looking for an IAM solution, with an eye on customization, contact Akku today.
The synergy between Identity and Access Management (IAM) and IT, cybersecurity, and admin departments of an organization is obvious, but another department in an enterprise that is equally advantaged by IAM is Human Resources. You see, IAM doesn’t just help keep the bad guys out. It works to make life easier for the good guys as well.
HR is already challenged by large and scattered workforces – a scenario accelerated by the pandemic – and therefore having a framework of business processes, policies, and technologies can facilitate better management of employees. To a large extent, this is exactly what an IAM does.
Here are four ways IAM can help with Human Resources.
1. Seamless Employee On-boarding/Off-boarding
IAM facilitates automated and monitored on-boarding and off-boarding of employees in several ways. An important part of how this is achieved is that during the provisioning process an IAM creates a single account for each user, to which you can assign access to all necessary apps.
What would otherwise take HR days can now be done in minutes – which means that employees can hit the ground running on their first day, turning new hires into productive members of the team faster than ever. Also, IAM ensures employees only have the permissions they need, helping maintain security.
The off-boarding transition too is faster as deprovisioning is automated by IAM, and keeps the organization safe from unauthorized access to applications and data by former employees. This can go a long way in ensuring privacy and security.
Without a centralized IAM system, provisioning and deprovisioning need to be done manually, which means a longer time for employees to gain productivity, and also longer before employees are removed from the organization’s system, leaving the door open to security risks.
2. Efficient Learning and Development
IAM is all bringing all users onto a common platform for easier management. This basic concept lends itself perfectly to also delivering communication and training to all employees across the organization through the same system.
It is easier to roll out mandatory training content through the IAM dashboard to employees who are registered on the IAM, and track progress. Content too can be tailormade for employees based on their function or department. The IAM can therefore replace a Learning Management System in the roll-out of several types of communication or training.
3. Improved Employee Relations
Human Resources today are dealing with an increasingly distributed workforce – this has its upsides, but also cuts employees off from a traditional office setting. So, how do you work on improving those relationships, maintaining a consistent experience for employees connecting to corporate resources from across the country or world, and without sacrificing security?
Just as with the roll-out of mandatory training, an IAM is an ideal platform to also roll-out messages, announcements and notices to employees across the organization. New members can be assisted with orientation and find their feet faster with the smooth onboarding process that an IAM enables. And even little things like simplifying admin issues – such as forgotten passwords or a simple, pain-free addition of required access permissions – can make operations much smoother for every member of the team.
4. Comprehensive Documentation and Compliance
A strong IAM solution can support compliance with regulatory standards, automate audit reporting and simplify processes for regulatory conformance. Detailed and comprehensive logging is a big part of this.
Maintaining verifiable proof of consumption of critical communications and mandatory training by employees plays an important role in demonstrating compliance to standards. Additionally, custom-built forms for maintaining up-to-date documentation on team members ensure appropriate and accurate data on record at all times, while automated deprovisioning helps support an employee’s right to be forgotten.
Security, productivity, and compliance – the right IAM, like Akku, can build and enforce both of these organization-wide for HR departments across industries. We’d love to tell you more about it. Contact us today for a consultation.
Identity Access Management (IAM) is a collective term that covers processes and policies to manage user identities and regulate user access within an organization. It works on the principle of zero trust.
While security is critical, adding too many security measures also hampers productivity. So, as an organization, you need to find that fine balance between security and productivity, while keeping pace with digital transformation.
How does an IAM solution help you with that balance? Here are four important ways that an IAM increases productivity.
1. IAM offers efficient and easy access
IAM eliminates tedious and repetitive tasks, including logging in to multiple applications every day. The single sign-on feature of IAM is an employee’s single-point access to several applications.
Once users create their single sign-on (SSO) credentials, they’ll no longer have to waste time logging in over and over, saving time and ensuring a seamless work experience regardless of device or domain. That means fewer times that you need to log on and off; fewer passwords to recall; most important, stronger passwords that follow company-specific password policies can easily be set.
2. IAM results in simplified admin and IT processes
Single sign-on reduces IT help desk escalations and centralizes admin tasks like password updates and resets, which means there is no longer a need to manage access and authorizations in-house, or scramble to secure new applications that enter the cloud environment.
IAM tools manage all user identities and access permissions across internal systems, employee devices, and cloud-based technologies through one easy-to-use system. This means faster, more efficient provisioning and de-provisioning with fewer errors; automation of managing user identities and related access permissions, which saves time and money otherwise required to manually manage them; and greater compliance with government regulations and prepping audit-ready reports and stats.
Akku also has two additional features which not every IAM offers, which make IT administration much easier: seamless integration with Active Directory and other applications, and easy dissemination of messages and circulars through the SSO login page.
3. IAM offers better security
IAM security features are designed to enhance productivity. The multifactor authentication (MFA) feature, for instance, provides an extra layer of security while allowing employees to seamlessly transition between approved devices.
MFA requires the user to authenticate login with two or more types of identification before gaining access, offering flexibility and secure access anywhere, any time.
The right IAM also makes it easy to blacklist or whitelist access within and outside the firewall, on company-owned devices. The user therefore does not need to worry about whether or not he or she is permitted to visit a particular website. Efficiency is thus almost a guarantee.
4. IAM results in improved focus
Using an IAM means reduced distractions for your users. Employees can leverage the Internet for learning and growth, but the right IAM automates authorizations by setting rules that define user requirements and limit access to unsanctioned applications.
Specifically with Akku, you can go a step further and whitelist appropriate channels and video categories on YouTube. This means that users can still view relevant content on YouTube, without losing focus and being distracted by irrelevant videos.
Akku also allows you to block personal email and only allow professional email, even if they are accessed by the same email client.
Akku delivers a powerful cloud Single Sign-on (SSO) solution that can be integrated easily with almost any cloud or in-house application, making user provisioning, management, access control, and de-provisioning seamless. Opt for a more productive experience with Akku today. Do reach out to us and let’s get started together.
IAM plays an important role in regulatory compliance. To achieve certifications like ISO and meet standards such as the European General Data Protection Regulation (GDPR), an enterprise needs to ensure strong documentation and process standardization, provided for by a robust IAM program. With live data and analytics from the IAM, you can confirm you are standards-compliant, any time. You don’t need to scramble for documentation at audit time.
The right IAM provides availability of information and automated security measures result in faster processing, compliance with legal regulations, fewer violations, and reduced vulnerability. Here’s what to look for when selecting your IAM solution provider.
Are the access logs being maintained?
Maintaining logs ensures that no one accesses the server without being accounted for. With the right IAM, such as Akku, every entry to the data host server, and every server activity, is accounted for with timestamps.
Akku ensures double security and accountability. If an Akku executive needs server access, your IT admin will receive an OTP for authentication; both need to be logged on simultaneously for access by either. It applies the principles of ‘zero trust’ or ‘least privilege’, wherein all traffic is authenticated, authorized, and continuously validated at all times.
Are you receiving instant alerts?
The GDPR requires that any information that can identify a person be protected – from their personal and contact details to their bank accounts and health records and even their political views. GDPR requires that all data breaches be reported within 72 hours. Your solution provider must enable you to do this. Akku, for instance, sends instant alerts upon encountering any suspicious activity.
Is your solutions provider enforcing password policies?
Passwords are integral to cybersecurity; they are an organization’s first line of defense. However, according to the 10th edition of the Verizon Data Breach Investigations Report, 81% of hacking-related breaches leveraged stolen and/or weak passwords.
That’s why you need documented proof of strong passwords, and enforceable policies in place to make sure the passwords are indeed strong and secure. One solution is when the IAM’s default password policy is itself compliant with industry standards, as is the case with Akku. It can be further customized based on your organization’s compliance needs. If you need more information on this, do get in touch with the executives at Akku.
Are you “forgetting” employees the right way?
To comply with GDPR, you need to respect ex-employees’ “right to be forgotten”. Employee data can be stored only for a specific purpose. For instance, if you use an employee’s information for a seminar in April with their consent, you cannot use it again in December without their explicit consent. Also, there may be contractual or self-employed workers, and data protection regulation requires that you delete their data once they have left the organization. Since IAMs like Akku manage the entire user lifecycle, one-point deprovisioning and deletion of records makes this easy.
What about managing internal communication?
Certain employee training programs and surveys are mandatory for compliance with the various norms and laws. While it isn’t a standard feature in all IAMs, some solutions like Akku offer an internal messaging feature. Using this, videos and other content can be rolled out seamlessly for continuous learning.
Can you check app usage?
Does your IAM solution provider allow you to track all aspects of activity on your server environment? They ought to, as this gives you a better understanding of patterns of usage, actual utilization, and other useful information. Using this data, you can make decisions like whether you need to upgrade the server, increase or decrease the number of app licenses, and so on. Akku is one of the IAMs that provide this facility.
If you are looking at improving audit compliance and making standardization easier, it’s important to roll out an effective Identity and Access Management solution that works for your unique needs. Connect with Akku to learn more.
In any enterprise, it is a given that employees will come and go, and many will switch roles within the organization as well. At the same time, the same is true for the applications that the company uses – new apps will be deployed, old ones will be retired, and changes are constant.
What this means is a continuous churn – in identity management for users, and service providers, by means of the SaaS applications in use. Ensuring data and app security across the organization depends heavily on ensuring secure communication between your identity provider and service providers.
Deploying a robust Single Sign-On (SSO) solution represents the best answer to this challenge. An SSO allows an enterprise to manage the identities of employees in one place, and delegate access and privileges from there.
Most SaaS providers support SSO integration as it is the most efficient route to centralized identity and access management. The SSO authentication method also enables users to securely access multiple apps and websites with a single set of credentials, which reduces issues like password fatigue, which boosts security, lowers IT help desk load, and increases organizational efficiency.
How SSO works
To get your SSO in place, you need to find the right identity provider. The identity provider is essentially a service that securely stores and manages digital identities. An SSO works based on a trust relationship between the app and the identity provider.
Organizations establish a trust relationship between an identity provider and their service providers to allow their employees or users to then connect with the resources they need. Such a trust relationship is established by exchanging digital certificates and metadata. The certificate carries secure tokens which contain identity information like email address and password, to authenticate that the request has come from a trusted source and to verify identity.
Although SSO can work with as many apps as the organization wants, each must be configured with a unique trust relationship.
How the Service Provider-Identity Provider relationship works
Once an identity provider is onboarded, every time a user tries to connect to a service provider, the sign-in request is sent to the central server where the identity provider is hosted. The identity provider validates the credentials and sends back a token. If their identity cannot be verified, the user will be prompted to log into the SSO or verify credentials using other methods like a TOTP. Once the identity provider validates the credentials it sends the user a token.
The token confirming the successful authentication is validated by the service provider against the certificate initially configured and shared between service provider and identity provider, after which the user can access the application.
The identity provider verifies the user credentials and sends back an ‘authentication token’ (almost like a temporary ID card) to the service provider. And, of course, all this happens in a fraction of a second.
Advantages of using SSO
Simplifies credentials management for users and admin
Improves speed of app access
Reduces time spent by IT support on recovering passwords
Offers central control of password complexity and MFA
Simplifies provisioning and de-provisioning
Secures the system as information moves encrypted across the network
Completely seamless/transparent to the user
Easy to add on new service providers
Akku is a powerful identity and access management solution that can enhance data security, efficiency, and productivity across your corporate network through its robust SSO feature. If you would like assistance on ensuring secure access for all your users to your organization’s applications, do get in touch with us.
Single Sign-On (SSO) is a session and user authentication service where one set of credentials – typically a username and password – can be used by an organization’s users to access multiple apps.
SSO delivers tighter control for admins, helping to keep an organization’s data more secure by providing access only to users who really need it. At the same time, it makes operations more secure at the user level too – when users don’t need to remember a large number of credentials, they would be more willing to use stronger passwords.
Besides its inherent security, SSO also simplifies provisioning and de-provisioning, which in effect also increases security by preventing unauthorized access to apps and data.
How secure is your SSO?
Some misconceptions also exist regarding SSO – key among them is that SSO leads to an increased security risk, almost like putting all your eggs in one basket. After all, with one system controlling access across all of an organization’s applications, what if that single system is compromised?
It is therefore important to understand that SSO functions through a system of secure tokens which do not carry any sensitive data, making it a very safe proposition. We’ll explore exactly how this works, and how these tokens ensure security, later in this article.
What are SSO tokens and how do they work?
SSO tokens are tiny sets of digitally signed structured information to ensure mutual trust between parties.
It’s like an exclusive club with select invitees, where guards at the entrance check, approve, and stamp each guest’s hand. Event staff will know the exact shape and color of the stamp used and therefore authenticate the entry. Similarly, in the digital world, the service and identity providers communicate via tokens.
Tokens don’t include sensitive data like user’s password or biometric information, ensuring that any interception or attack on the tokens does not reveal the information. The same token can be used to add on new services to the same SSO platform as well. It facilitates identity verification separately from other cloud services, making SSO possible.
Data Security through SSO
SSO improves enterprise security as it reduces the number of attack surfaces because users only log in once each day and only use one set of credentials.
It also significantly reduces the possibilities of password-related hacks. With SSO, users only need to remember one password for all their applications. So, they are more likely to create complex and hard-to-guess passwords. They are also less likely to reuse passwords or write them down.
Another reason SSO is popular among enterprises is that it allows scaling up. Both access to new apps and addition of new people can be managed without sacrificing security, because identity and access management are already addressed. And rapid provisioning and deprovisioning without needing to worry about human error means more reliable and secure access management.
For added security, SSO can also be paired with Multi-Factor Authentication (MFA), where additional factors of authentication are required beyond just the user’s password, to reconfirm the identity of the user.
Akku incorporates robust and secure token-based SSO functionality, helping to deliver greater security and efficiency. Contact us today for more information.
COVID-19 was a shock to the global economy. The pandemic aside, the enforced and voluntary closure of offices has dramatically changed the way businesses work. Overnight, employees were instructed to work from home, in many cases indefinitely. There are still tens of thousands of organizations around the world who are still unsure of when, if ever, they will resume a traditional office-oriented working environment.
Business Continuity Plan (BCP) challenges for enterprises
Even more than the longevity of office closure however, it was the suddenness with which it hit that was so disruptive. For businesses without a BCP to address such an eventuality, it took many painful weeks or more before they could resume operations.
When remote operations did begin, many businesses – especially in domains involving sensitive data, such as healthcare and BFSI – faced concerns and scrutiny from both their customers and regulatory authorities. With large workforces working from home, data and application security became a genuine worry.
A majority of global enterprises use on-prem Microsoft Active Directory (AD) to manage user identities across their organization. It’s an effective solution as long as all users are working from the same premises. When they are not, however, a cloud-based identity management solution is essential.
As a robust IAM solution, Akku can integrate with your on-premise Active Directory through a secure tunnel – by doing this, all the user credentials and identity stored on your AD can be accessed by your IAM from anywhere. This allows you to continue to use your familiar AD for identity management, while also eliminating the need to take up a complex and expensive migration of your identity management system to the cloud.
Once your IAM enables access to your user identities from your AD from any location, you can then progress to the Access Management functionality of the IAM platform, to grant due access to all necessary assets (files, platforms and applications) to only the specific users who require it.
Security during remote access
A major concern with the work-from-anywhere environment is security. To preserve the sanctity of your assets, you need to control the users accessing them, and ensure secure access for authorized users. Two key ways to achieve this are through device-based restrictions and multi-factor authentication.
By restricting asset access to only registered or company-owned devices, you ensure that the organization’s apps and data are not impacted by any malware or security vulnerabilities that may exist on non-authorized devices. Multi-factor authentication (MFA) reconfirms the identity of the user accessing the company’s digital assets by additional means beyond a password – such as time-based OTPs or push notifications, for instance.
Through implementation of an IAM solution along with increasing the security of your cloud assets, you can also manage highly granular access control. Each individual user can be granted access to only the files, platforms and software that they require, with easy provisioning and deprovisioning to quickly and reliably provide and revoke access.
Real-world benefits during disruptions
Through a straightforward implementation of Akku that integrates with your Active Directory and acts as the identity provider to all of your applications, you are geared up to manage remote working at a moment’s notice.
In a world of increasing uncertainty, this means business continuity, with uninterrupted, secure and efficient operations through any circumstances that may arise.
COVID-19 was a once in a century phenomenon, but large-scale disruptive events are not that uncommon. Allow us to help you create your BCP to address any eventuality by setting up Akku to enable a seamless and secure work-from-anywhere operations. Contact our team of experts to get started.
Many enterprises have built their cybersecurity around their firewalls. But increasingly, the firewall is losing favor in modern enterprises with apps and data on the cloud being accessed from devices and networks anywhere in the world.
The traditional cybersecurity tool is a network security device that monitors traffic to or from the network. It allows or restricts traffic based on a defined set of security rules.
Legacy firewalls: Blurring boundaries
The issue with this is that firewalls do not go far enough in securing your systems. By the nature of their operation, firewalls create boundaries around your network. Today, with enterprises using many interlinked networks, multiple IPs and cloud computing, boundaries are fading. As a result, firewalls are less effective.
Based on a recent study, businesses are increasingly mistrustful of firewalls. Over 60 percent of respondents stated that: (1) their legacy firewalls don’t prevent cyberattacks against critical business and cloud-based applications; (2) their legacy firewalls cannot contain a breach of their organization’s data center perimeter; and (3) their legacy firewalls do not enable enterprise-wide Zero Trust.
As Gartner puts it, Zero Trust is “useful as a shorthand way of describing an approach where implicit trust is removed from all computing infrastructure”.
In addition, legacy firewalls impact organization flexibility and speed to a large extent. It is hard to update security rules on the firewall, and the study found that on average, enterprises take as much as three weeks to update firewall rules to accommodate any update needed. This can have a crushing security impact. They also limit access control, with policies that are often not sufficiently granular.
For all these reasons, legacy firewalls are increasingly falling into disfavor with enterprises of all sizes.
Cloud Access Security Broker (CASB)
A traditional firewall stands between your network and a non-trusted network (for example, the Internet). However, cloud data and apps are hosted on the Internet and as a result, legacy firewalls are not very good at protecting apps and data on the cloud.
Just like a traditional firewall protects the trusted network against attacks, a CASB protects cloud assets (applications, data, platforms and infrastructure) against cyberattack. They act as a foundational cybersecurity tool and resolve many of the issues associated with legacy firewalls.
A cloud-hosted or on-premises software, a CASB acts as an intermediary between users and cloud service providers, and can secure SaaS, PaaS or IaaS environments. It provides visibility into application access, maintains logs of activity, and allows enterprises to modify and create policies that suit cloud infrastructure and assets. A good CASB brings together key elements of privilege access management (PAM), identity and access management (IAM) and identity governance and administration (IGA).
Identity and Access Management solution (IAM)
As many as 90 percent of businesses believe that an IAM is indispensable to their cybersecurity plans. An IAM offers device-level security. This helps plug the gaps left by legacy and CASBs. Through IAMs, enterprises can provide granular access control, with unique rules defined for each user and class of user.
IAM offers comprehensive password management support, in the form of password policy management and single sign-on (SSO) SSO allows users to create and remember just one set of credentials for a whole suite of applications. This reduces risk of password loss and noting the password in unsafe locations. With password policy management, businesses can define rules to create strong, secure passwords that are less prone to cracking.
User-friendly provisioning and deprovisioning makes errors less likely. IT administrators find it easier to remember to revoke access when employees leave the organization when deprovisioning can be done with a single click. This also secures cloud apps against unauthorized access.
In a very real way, identity is the new firewall. When the device is secure against unauthorized logins, business-critical apps and data are as well, whether housed on-premises or on the cloud. Secure identity and access with an IAM you trust – like Akku, the premier IAM. Contact our experts today to discuss how to get started.
Remote working has impacted the world of cybersecurity in multiple ways. Remote workers are often not protected by enterprise-level security and so are more prone to cyberattack. The FBI reported a 300% increase in cybercrimes since the pandemic began, and remote work has increased the average cost of a data breach substantially.
Employees working from home are also distracted –
“47% of remote workers cited distraction as the reason for falling for a cyberattack.”
In other words, if you do not have a plan in place to mitigate these risks, you are setting yourself up for a potentially devastating cybersecurity breach.
One simple way to protect your organization from breaches is to apply a strong password policy at all levels of the organization, and enforce it by implementing a secure password policy management solution (PPM).
Here are some password policy best practices you may find useful.
1. Increase password length and strength
Brute force attacks try all possible combinations of characters to arrive at the password. A 6 string password with only upper or lower case letters can be cracked in 8 seconds. An 18 character password with upper and lower case letters, numbers and symbols can take 1 quintillion years to crack! By adding a special character, combining both upper and lower case letters or adding numbers, encryption can be much more secure.
The full strength of the Advanced Encryption Standard (AES) comes to bear when users create passwords of 32 characters for 128-bit encryption and 64 characters for 256-bit encryption. However, passwords of around 10 characters are strong enough for most applications.
2. Simplify as much as possible
A password made of only numbers has 10 options for each character in the string, one made of numbers and letters has 36 options, and if you include special characters that adds another 32 possible characters for each spot in the string. This makes it more challenging for brute force attacks to be successful. Complexity in terms of the kind of characters that can be used in the password is, therefore, an advantage.
However, do not mandate the usage of these different kinds of characters. This can lead to frustration and reuse of the same password with minor character substitutions (P@ssword or Passw0rd, for example). This is especially the case when the policy also demands frequent changes of password. If the old password is compromised, such minor variations will be relatively easy to guess, too.
To mitigate this risk, don’t mandate the use of special characters and reduce the frequency of mandatory password reset to approximately once a year. A long password using only lowercase letters is more secure than a short one which is a variant of an older password.
3. Do not allow password reuse
Do not allow reuse of earlier passwords during periodic password reset to increase security. Train your staff not to use minor variations of their earlier passwords, and instead look for completely different passwords.
Also train staff on the risks of reusing passwords across home and work accounts. Password reuse results in a huge surge in credential stuffing attacks. If any service is compromised and your password and username are stolen, hackers could use the same credentials to try and hack your other accounts. Each account must therefore use unique credentials to maintain security.
4. Reinforce passwords using multi-factor authentication (MFA)
Multi-factor authentication uses a combination of things you know, such as a password or PIN; things you have, such as a badge or smartphone; and things you are, such as biometric data, to authenticate your right to access a particular system, data or application.
Enabling MFA ensures that even if a password is stolen, the system is not compromised.
5. Use a secure password manager
Many users find it difficult to remember their passwords for multiple online services, and so either use a single password for all, or, worse, save all their passwords to an unreliable password manager.
If you do opt for a password manager, choose one that is highly secure, in order to mitigate the risk involved. Most IAM solutions will include a password manager or, with Single Sign-on, completely do away with the need for multiple passwords. A single secure password is enough to log on to your IAM and access your applications and data.
6. Use an IAM application for Password Policy Management (PPM)
It’s one thing to lay down rules for password policy across the organization. It’s quite another to enforce the policy. An Identity Access Management (IAM) application can help you ensure that all your users consistently comply with a high standard of security while setting their passwords, without the need for a separate password policy enforcement tool.
Administrators can customize and define password policy for all users in the organization. You can also specify upon whom the policy should be enforced, based on the users’ access level. Password policies can of course also be defined as blanket rules.
A common perception is that the risks associated with breached passwords do not apply to your organization as you have secure systems. But your organization’s data security is only as strong as the weakest password of your users. In 2020, 770 million credential stuffing attacks occurred. That means that if your employee’s personal passwords are compromised, and they have reused the same password at work, your data is compromised too. Worse, 17% of all sensitive files are accessible to all employees, and about 60% of companies have over 500 accounts with non-expiring passwords.
Implementing a robust Identity and Access Management (IAM) solution brings you several steps closer to protecting your user credentials and corporate data. Worldwide, cybercrime costs will hit $6 trillion annually this year. Don’t let your organization succumb to a Data breach! With these simple steps, you can stay safe with multiple layers of data protection. Allow our team at Akku to help you secure your systems.