Despite the regular cadence of ransomware attacks on unsuspecting victims, poor password practices are still very much alive. This is of increasing concern, as many ransomware attacks are the result of poor credential and password management practices, as well as a lack of using multi-factor authentication (MFA). Although many SMEs regard MFA as costly and technically challenging, MFA is now table stakes and a key component to achieving zero trust.
While there are easily accessible open-source alternatives to MFA that don’t require any
investment, there are other affordable and practical alternatives that can help SMEs secure
their business operations, Ryan Weeks, CISO at Datto explains.
When are passwords necessary and are there affordable alternatives?
When discussing passwords from an identity and access management perspective, there are
three factors that comprise authentication and identity. The first being ‘something you have’,
the second ‘something you know’, and the third ‘something you are’. Since a password is
something you know, the question for SMEs is “what are the areas where ‘something you
know’ is absolutely necessary in securing your business operations?”
From a user perspective, programmes and systems are more accessible through the use of
passwords. Typically, usernames and passwords are required for most SaaS applications, unless
users have a single sign-on platform like Azure AD or Okta for example. When using single sign-
on platforms, passwordless technology can be used if it’s native to the platform, otherwise it
can be easily integrated into the single identity found in the access management layer.
What’s more secure: passwords or passwordless technology?
Like a password, passwordless technology still has to protect the underlying biometric
information. For example, if a malicious user is able to modify or swap biometric information,
they will be able to change the criteria for the user that is able to authenticate. While
passwordless technology is more complex, a breach is still a possibility that SMEs need to take
into consideration.
To create a more secure operation, the combination of hardware-based MFA and biometrics is
recommended. SMEs need to keep in mind that it’s possible to implement passwordless
security either securely or insecurely – remember it’s just technology. However, by adding
biometrics instead of a password and keeping a user’s multifactor authentication workflow,
SMEs will be in a position to gain access to a world where zero trust security models are a
possibility.
Is zero trust the most secure option?
Zero trust encompasses more than just user authentication, it includes the device, as well as
the user. To illustrate, in today’s world when a machine enters a secure network, it may only
authenticate the user, not the device itself. However, zero trust strives to authenticate both.
This type of authentication is similar to certificate-based authentication using a public key
infrastructure. With zero trust, the idea is that there is a continuous revalidation of trust. What
this means is that implementing passwordless access in a zero trust mode is easier for users and
more secure for the operations since the ‘something you have’ and the ‘something you are’
factors are much more difficult to attack.
When implementing zero trust security measures, SMEs need to remember that passwordless
is not synonymous to zero trust. Users can have zero trust with passwords and MFA tokens, an
SMS one time password, time-based one-time password (TOTP), or a hardware token. The
reality is that passwordless accessibility will reduce friction in a zero trust model since the user
only needs to touch the hardware token, touch a fingerprint scanner, or glance at a camera.
This can be challenging for people whose fingerprints can’t be read or their face can’t be
recognised, as they will encounter access difficulties. When difficulties with passwordless
technology occur, password-based workflows will help them gain access. The most important
point for SMEs to remember is that there needs to be a layer of multiple factors, meaning using
two of ‘something you know’, ‘something you have’, and ‘something you are’.
Building a zero trust security model in the SME environment
While zero trust security models aren’t new, the ongoing and increasing security breaches are
highlighting their significance. It’s important for SMEs to continuously seek to revalidate and re-
trust the operational state of assets and individuals, which means that users shouldn’t have an
asset that is implicitly trusted all the time.
There is a lot for SMEs to consider when building a zero trust security model. Building and
implementing it on their own can be a daunting task; this is why managed service providers are
actively working with SMEs to help them adopt a zero trust security methodology and improve
their operational security.
Ryan Weeks, CISO at Datto