We have met the enemy and it’s us. That’s a feeling many cybersecurity professionals know well. Most security breaches today have far more to do with misappropriated credentials than with hackers who have found a way around an organization’s defenses. It’s not that hackers lack the skills to do so. It’s just a lot easier to accomplish the same goal by stealing credentials using, for example, a phishing attack that tricks unsuspecting users into giving up their passwords.
That issue is front and center this week following the publication of the first ever Magic Quadrant report specifically addressing privileged access management (PAM) software. The report forecasts that by 2021 a total of 40 percent of organizations that use formal change management practices will have embedded and integrated PAM tools within them to reduce the overall risk surface. That’s up from less than 10 percent in 2018. The report also notes that by 2021 over 50 percent of organizations that have adopted DevOps will be employing PAM-based secrets management technologies to better protect applications and the infrastructure they run on.
The report also forecasts that by 2022 more than half of the enterprises using privileged access management (PAM) tools will emphasize just-in-time privileged access over long-term privileged access.
That all represents significant progress over what right now is a sorry state of affairs. But it also suggests that three years or more from now many organizations expect they will still be relying on existing flawed manual processes for managing passwords. As the Gartner report notes, that’s especially problematic given the explosion in the number of cloud services that are now being regularly accessed. The simple truth of the matter is that manual password management processes will not be able to keep pace with all the passwords that must first be remembered by end users and then protected by IT organizations.
The one ray of sunshine is the advances being made in other forms of authentication technology. For example, Delta Air Lines at the Atlanta Hartsfield-Jackson International Airport has begun using face recognition. The software matches a traveler’s face to a copy of the passport on file with the Customs and Border Protection Agency of the U.S. government. Microsoft, meanwhile, earlier this year declared war on passwords. As a first step, Microsoft is adding the Microsoft Authenticator application for mobile devices to an instance of Active Directory (AD) running on the Microsoft Azure cloud. The latest versions of Windows 10 also employ two-factor authentication.
But as significant as those advances are, there will be millions of existing applications that rely on passwords and have been in use for a decade or more. Most organizations are not going to rip and replace the authentication mechanism inside legacy applications that they are also loath to replace, given the time, money and effort that went into deploying them. The Gartner report identifies CyberArk, BeyondTrust, Centrify and CA Technologies, now a unit of Brocade, as the leaders in the PAM field. But there is no shortage of vendors in the category, so IT organizations should check with their peers to see what approach really works best for their specific use case.
In the meantime, cybersecurity professionals need to keep pushing their organizations to adopt zero-trust models of computing, because right now it’s almost impossible to know for certain that anyone accessing IT resources really is who they say they are.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.