Identity-Based Security: Best Practices for Protecting Your Users and Customers
Keeping your organization, employees, and customers safe starts with identity-based security practices that are easier to implement than you might realize.
Is Identity-Based Security Hopeless?
We all know it’s important to keep both consumer and business data safe. We’re instructed to uphold certain identity-based security procedures to keep ourselves and others safe. These include creating complex passwords — both for professional and personal accounts — and following certain device login and authentication procedures in the workplace according to our IT, legal, and compliance departments’ policies.
Despite this, 81 percent of breaches use stolen or weak credentials. How can this be when there’s so much emphasis on cybersecurity and the processes around it? It seems that despite companies’ best efforts to keep security measures fresh and employees educated, it’s never enough. The answer isn’t that surprising.
Phishing continues to be a prevalent attack method. In fact, it’s discovered in more than 90% of incidents and breaches. Attacks via web applications are also extremely prevalent, with users’ credentials and personal data used to gain access and wreak havoc. And ransomware — the malware that has brought global companies and even cities and governments to a standstill — is only increasing in use (and is frighteningly easy to acquire).
Is it hopeless? Are we all supposed to just “do our best” until our inevitable turn for a ransomware attack or other security breach comes our way? Not at all. While your organization will never truly be 100% safe from a cybersecurity incident, taking a few proactive steps now can help you stay one step ahead of potential cybercriminals looking to ruin your day.
It All Starts With Effective Administration
Consider how your IT and information security teams currently manage identity-based security within your organization. This includes access levels and other user privileges. Often, companies set up certain administrator permissions and supporting policies only to forget them — leaving their passwords, platforms, and important business and consumer data open to attack because they’re not being monitored or managed as often as they should be.
It’s important to understand that security cannot be left to manage itself. It’s not just a matter of periodically requiring employees to update their passwords, either (more on this shortly). While that should be one tactic in your identity-based security toolkit, there must also be a consistent effort in IT security administration to cyclically change the way security is managed — and by whom.
Administrators, administrator groups, and data storage solutions should be rotated and audited on a frequent basis to prevent any account from having too much access for too long. Along with new policies on password creation and where (and how) passwords are stored, this can help to ensure the access points into your data and network aren’t allowed to remain with a single person or in a single place for an extended period. Leaving them there puts them at risk of being discovered and used to access and potentially harm your network, which is just the starting point for even greater damage potential.
Much of this occurs in Active Directory (AD) — the center of your network and the storehouse for everything from user accounts and passwords to all of your organization’s devices. There are a number of account types that can be set in AD — especially at the administrator level. Ideally, administrators will understand and employ security best practices. However, the reality is that organizations can no longer trust that these important identity-based security practices will be carried out consistently. Thus, it becomes necessary to audit, randomize, and rotate responsibilities — sometimes without administrators knowing it — to protect company data.
Having A Strong Password Is Never Enough
A common perception is that if we update our passwords frequently, we’ll be covered. The issue with this is that 86% of passwords are outright terrible. In numerous breaches, most of the passwords that were in use at the organization (whether by employees or customers) already existed in databases of breached passwords. Examples include passwords that we all know shouldn’t be used but apparently are still in use — 123456789, password1, and qwerty.
While many companies have developed strong password policies and require employees to change them every 90 days or less, this still isn’t enough. Making employees and customers exchange basic passwords for another basic password doesn’t make your network safer. And because so many basic passwords are still in use, it can also mean a greater risk to your network if a decent password is changed to a weaker one.
Microsoft isn’t helping the situation, either. The minimum password character limit is currently 14 characters. This isn’t enough. Passwords need to be longer, and more importantly, they need to be passphrases — not passwords. A passphrase adds numbers, symbols, and even spaces and will be significantly longer than a password. This added complexity and length ensure that logins and other credentials are more difficult to predict or replicate by hackers.
But how can businesses expect employees and customers to remember such long, complex passphrases? A passphrase like jb9h*&T!@#&uah\^FGy}8vb[ouGVG&G)*bh(H*1 is vastly more difficult to remember than the simple, memorable passwords so many people are likely to create. Password vaults are one option, but even the use of these helpful tools doesn’t guarantee security. It’ll be important to include password vault administrator access in the rotation discussed earlier. But don’t stop here. Get more password policy best practices and put them to work at your organization.
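As an added example (not code from the original post), here is a small Python check that applies the points above to a password change: it rejects a new passphrase that is too short, that appears in a constructed sample of a breached-password set, that is only a counter bump of the old one (Summer2023! to Summer2024!), or that scores weaker than the passphrase it replaces. The 20-character minimum, the scoring weights and the sample breached set are assumptions.

```python
import hashlib
import re

# Constructed sample of breached passwords (the post's own examples plus two
# more), stored as SHA-1 hex digests the way breach corpora are usually
# distributed. A real deployment loads a full corpus or queries one.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("123456789", "password1", "qwerty", "Password1!", "Summer2024")
}

MIN_PASSPHRASE_LEN = 20  # assumption: a policy value well above 14


def is_breached(candidate: str) -> bool:
    """True if the candidate's SHA-1 appears in the breached set."""
    return hashlib.sha1(candidate.encode()).hexdigest() in BREACHED_SHA1


def strength_score(s: str) -> int:
    """Length-dominant score; character classes add only a small bonus."""
    classes = sum(
        bool(re.search(p, s)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    return len(s) * 4 + classes * 2


def _base(s: str) -> str:
    # Strip a trailing run of digits/symbols and lower-case: "Summer2024!" -> "summer"
    return re.sub(r"[\d\W_]+$", "", s).lower()


def is_trivial_variant(old: str, new: str) -> bool:
    """True if the new value is the old one with only its trailing counter changed."""
    return _base(old) != "" and _base(old) == _base(new)


def evaluate_change(old, new: str) -> list:
    """Return the reasons the new passphrase is rejected (empty list = accepted)."""
    problems = []
    if len(new) < MIN_PASSPHRASE_LEN:
        problems.append(f"shorter than {MIN_PASSPHRASE_LEN} characters")
    if is_breached(new):
        problems.append("appears in a breached-password corpus")
    if old is not None:
        if is_trivial_variant(old, new):
            problems.append("trivial variant of the previous passphrase")
        if strength_score(new) < strength_score(old):
            problems.append("weaker than the passphrase it replaces")
    return problems
```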
Remember, Multi-Factor Authentication Is Your Ally
It’s frightening how many organizations aren’t using multi-factor authentication (MFA). According to security awareness training firm KnowBe4, only 38% of large companies use MFA. This is a problem. MFA goes beyond the more common two-factor authentication (2FA) that many will be familiar with: it requires factors from multiple independent sources. 2FA, while fast and user-friendly, is still vulnerable to outside threats like SMS interception, in which the text sent to your phone with a login code is redirected or sent to another phone in addition to yours.
MFA offers another layer of identity-based security on top of the recommendations above, ensuring that even at the highest levels and with fully randomized and rotated passwords, there’ll be a final protective measure to prevent cybercriminals from harming your organization and customers.
Our Identity-Based Security Experts Are Here to Help
Inversion6 provides a number of security solutions that range from access control and identity management to deception-based threat detection. Our chief information security officers (CISOs) partner with your organization to advise leadership teams on security strategy and educate employees on best practices for day-to-day operations. A best-in-class security program isn’t impossible to achieve — and it all starts with a conversation with one of our CISOs. Fill out the form below to get in touch with us.