FINAL WORD

Corien Vermaak, Cyber Security Specialist, Cisco

It goes without saying that security incidents and data breaches can occur due to inadequate protection of credentials; a lack of scalable and cloud-friendly identity, credential and access management systems and/or access brokers; a failure to use multi-factor authentication; and a failure to use strong passwords. So the above in itself becomes the advice on addressing this evaporation threat.

I would like to focus on the three main areas to resolve the issue at hand, but where does one start? I want to address the process and/or policy portion of the age-old security triad of people, process and technology. I think it is generally accepted that a password should be in excess of eight characters, including both lower and upper-case letters, a numerical value and a special character. In recent years there is a growing trend towards more secure password policies, which require more characters and forbid sequential ones. The password conundrum, however, is that length trumps complexity, and 'passphrase' is becoming a recognised term in the industry.

Most formalised policies also address user behaviour, rotation intervals and the consequences of reckless behaviour with regard to passwords. Another important fact to keep in mind when considering passwords is the responsible use of password vaults, as well as the forward-looking approach of single-use passwords.

is within the customer's (your) control rather than the Cloud Service Provider's. The Verizon Data Breach report of 2017 found that 81% of breaches leverage weak or stolen passwords, so again this issue is not new if we look at the date of that report.

We are, however, still bound by our user base and system limitations, and mandated to keep user frustration to a minimum, meaning there needs to be a balance in place when policing passwords.

The second focus area goes hand in hand with password management: Multi-Factor Authentication (MFA/2FA). Multi-factor authentication has come a long way since it was first introduced; people today can use biometric identification from mobile operating interfaces and generate OTPs in a matter of seconds.

Finally, we look at the principle of logical identity management. This one is probably the most concerning, as most IT departments cannot definitively identify all the employees on their network. For more than 10 years, the industry has agreed that there are certain critical controls that need to lie within IT security. These controls allowed access based on the processes and tools used to track, control, prevent or correct secure access to critical assets (e.g. information, resources and systems). Yet over time these controls are no longer solely in the hands of the IT department, and practices like Shadow IT and BYOD (Bring Your Own Device) have led to an increasing number of data breaches. The only way around it is for most organisations to move towards a zero-trust architecture, where employees have limited or no access to critical systems, applications and information unless they meet the trust requirement.

If an organisation focuses on the three areas mentioned, implements practices that help it understand its risks and adopts remediation plans for those risks, most risks become improbable.
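The password policy discussion above contrasts the classic composition rule (more than eight characters with lower case, upper case, a number and a special character) with the length-first passphrase view. As an added example, not part of the column or Cisco's own tooling, the Python below evaluates a candidate against both rules and reports two strength estimates: a character-level brute-force bound and a word-list estimate. The 16-character passphrase floor and the 7776-word list size are assumptions; the two candidate passwords are constructed samples.

```python
import math
import string

# Policy thresholds (assumed values, chosen to match the column's description).
MIN_COMPLEX_LEN = 9        # "in excess of eight characters"
MIN_PASSPHRASE_LEN = 16    # assumed floor for a length-only passphrase rule
DICEWARE_WORDS = 7776      # size of the standard Diceware word list (assumed)


def meets_complexity_policy(pw: str) -> bool:
    """Classic composition rule: >8 chars, lower, upper, digit, special."""
    return (len(pw) >= MIN_COMPLEX_LEN
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def meets_length_policy(pw: str) -> bool:
    """Length-first rule: a passphrase only has to be long enough."""
    return len(pw) >= MIN_PASSPHRASE_LEN


def brute_force_bits(pw: str) -> float:
    """log2 of the character-level search space, sized by the character
    classes actually present. This is an upper bound: it overstates the
    strength of passphrases built from dictionary words."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(not c.isalnum() for c in pw):
        alphabet += 33   # printable ASCII punctuation plus space
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def dictionary_bits(pw: str, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Strength if the attacker knows pw is whitespace-separated words drawn
    from a list of wordlist_size entries: words * log2(wordlist_size)."""
    words = pw.split()
    return len(words) * math.log2(wordlist_size) if words else 0.0


def assess(pw: str) -> dict:
    """Evaluate one candidate against both policies and both estimates."""
    return {"complexity_policy": meets_complexity_policy(pw),
            "length_policy": meets_length_policy(pw),
            "brute_force_bits": round(brute_force_bits(pw), 1),
            "dictionary_bits": round(dictionary_bits(pw), 1)}


if __name__ == "__main__":
    for candidate in ("Passw0rd!", "correct horse battery staple"):
        print(candidate, assess(candidate))
```

Run against the two constructed samples, the composition-compliant "Passw0rd!" scores about 59 bits, while the four-word passphrase scores about 165 bits at the character level but only about 52 bits if the attacker guesses whole words, which is why a passphrase policy should pair length with a word count, not just a character count.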
76
INTELLIGENTCIO
www.intelligentcio.com