Boosting security in the post-password workplace

The past few years have seen the password undergo a startling transformation, from a key factor in security to an outdated and ineffective liability.

The response from many companies to the growing volume of phishing scams, brute-force attacks and network eavesdroppers has been to increase the mandatory complexity for passwords, doing little to boost security and increasing frustration for users in the process.

The idea of relying on a set of characters – ranging from a six letter word to a larger string of random characters, for more careful users – between criminals and an enterprise’s entire database is looking more and more outdated with each successful data breach, regardless of how complex the password is.

A data breach can have catastrophic consequences for any organisation, and the methods available for hackers to obtain the passwords they need are far from limited. Mass “password dumps” are increasingly becoming a common occurrence, with huge documents containing thousands of usernames and passwords appearing on the open web.

In 2015, a government-commissioned PwC information security survey found that 90 per cent of large enterprises had suffered a breach, costing an average of between £1.46 and £3.14 million. In addition to the financial costs, organisations also risk severe reputational damage should a hacker obtain a password and use it to gain access to private customer data. With the new European General Data Protection Regulation, which will establish steeper fines and even publicly name companies who fail to protect private data, coming into effect next year, ensuring total security is becoming increasingly urgent.

Boosting security

Highly-publicised instances of hackers gaining control of passwords – and private data – have led many organisations to lose faith in the password, some through first-hand experience. In searching for an alternative security solution, there have been few contenders that can offer both security for the company and simplicity for users.

The most likely successor of the password is the Secure Shell (SSH) key. Utilising SSH keys brings several key advantages over conventional password authentication, because they eliminate the need to send a password over the network in order to be authenticated, they also eliminate the chance that a digital eavesdropper can intercept the password while it is in transit. Due to their complexity, SSH keys are exponentially harder to crack through brute force attacks, which continue to grow in popularity as personal computers become more capable, effectively neutralising this threat.

SSH keys also offer a higher level of convenience for users than conventional password authentication, by eliminating the need to memorise a list of complex passwords in order to connect to the necessary servers.

Reducing complexity

Despite the indisputable benefits SSH keys can bring to an organisation, they also carry their own set of unique challenges. Typically, SSH keys are left unmonitored and unmanaged, making organisations vulnerable to cyber-attacks. In the absence of an automated system, getting the list of all the keys in use, finding and restricting access privileges and ensuring periodic rotation can be a herculean task. Therefore, it is crucial for organisations to find a SSH key management solution that can carry the burden.

When searching for the right SSH key management solution, organisations should keep several features and capabilities in mind: the ability to consolidate all discovered SSH keys and store them in a secure, centralised repository for easy access and management; employ standard protocols to create new public and private key pairs and associate public keys with their users; rotate key pairs manually or automatically at periodic intervals through scheduled tasks in order to guarantee security; provide a holistic view of the key to user relationship across the organisation; associate specific resources to users, establish granular access controls, and proactively prevent access violations; audit and track all user activities and generate reports as required and comply with industry regulations such as SOX, FISMA, PCI, and HIPAA.

The password’s faults have been long known in the tech industry, and its fall from grace has been delayed simply because alternatives have fallen short in either security or ease-of-use. With SSH keys, organisations can be guaranteed their private data is well-guarded, with the complexity being handled by an SSH key management solution.

With these innovative tools, organisations can take their workplace – and their valuable data – into the post-password world.

David Howell, EMEA Manager, ManageEngine

Image Credit: Shutterstock/ Ditty_about_summer