The era of password security in the modern enterprise is over. Passwords are dead.
Let’s be honest. Passwords in the enterprise were never really that secure in the first place. But in the absence of anything else, they were long the de facto standard. IT administrators first began by issuing passwords that required a minimum length of characters. This next evolved into requiring letters, numbers and special characters. But these were all variations on the same, largely ineffective and high risk theme.
Many employees, suffering from password fatigue, undermined any perceived increase in security with all-time popular – but extremely insecure – passwords, such as “password” and “123456.” Others still resorted to sticky notes, spreadsheets and emails to track passwords.
The result? Lost passwords, compromised security and major data breaches that continue to dominate today’s headlines. According to the Identity Theft Resource Center (ITRC), there were no fewer than 781 U.S. data breaches in 2015, resulting in millions of stolen usernames and passwords. In fact, ITRC called data breaches “the third certainty of life” after death and taxes.
And data breaches don’t come cheap. The Ponemon Institute’s 2015 Cost of Data Breach Study found the average total cost of a data breach increased 23 percent over the past two years to $3.79 million.
Departing employees also pose additional threats to the enterprise as they may be putting company data at risk whether they know it or not. If they use a device that still gives them company access they open a floodgate of risk—they can easily abuse the data and information made available to them. If access is not immediately revoked across all company applications, what is to stop them from simply logging in from a personal device? Additionally, when employees move laterally or vertically within the organization, they need to forgo access to information associated with their previous role. The hope is that employees are not malicious, but it’s always better to be safe than sorry.
People are using applications on-premise or in the cloud more than ever before. Years ago, employees only used a handful of applications to do their work. Today, with the best of breed applications being brought in by every function in the company, the number of applications has exploded. All of these need to be secure.
Password free world
It goes without saying that enterprises can no longer rely upon passwords as their primary defense against sophisticated cybercriminals who roam the Internet like modern day pirates. Today’s cybercriminals are smart, global, well financed and well organized in teams.
Enterprises not only face security and risk challenges from outside, but also within their extended employee, partner, and contractor ecosystem. Whether they are on-premise, in the cloud, or a hybrid of the two, today’s modern enterprises have moved beyond the password graveyard. They’ve began using Identity and Access Management (IAM) solutions that enable them to securely enable the right people to have fast and frictionless access to the right applications for the right reasons. Many of these solutions provide secure single sign–on (SSO), multi-factor authentication, integration with common directory infrastructures such as Active Directory and LDAP, user provisioning and more.
Solutions such as one-time password (OTP) push to the phone, or Microsoft’s recently developed Authenticator app that leverages Bluetooth technology to unlock the desktop from the phone, can provide a fairly frictionless experience for the end-user as a way to complement a strong SSO solution. Enterprises can leverage these SSO solutions, as well as complementary multi-factor authentication capabilities, to create a secure and auditable log-in process for their users whether they reside within the enterprise or in partner, contractor or channel networks.
When it comes to authentication, cloud apps have different levels of sophistication. On one end of the spectrum you have your simple plain text passwords, on the other end you have fingerprint scanners and facial recognition technology. There’s always a chance for a potential breach, no matter how complex your information security may be. Should security controls be breached, organizations are subject to information disclosure, potentially suffering a serious loss of credibility, which further adds to the total cost of a breach.
In summary, today’s enterprises need to control access, but they need to make it as frictionless as possible for people with the right privilege to use corporate resources and get the most utility out of them – without resorting to passwords – thus contributing to their individual success as well as the enterprise’s.