By Rajat Bhargava Posted July 12, 2016
We now live in a world where our most valuable assets are digital.
We also live in a world where there are people out there trying to digitally steal these assets. For example, read about the recent hack of Facebook Chairman and CEO Mark Zuckerberg.
No one seems to be safe, just take a look at this blog post on recent megabreaches thanks to Microsoft Regional Director Troy Hunt. However, there are some steps you can take to make sure you and your company are secure. You can even go as far as Zuckerberg recently has in an attempt to not make another critical error with his security.
How to Avoid Getting Your Credentials Hacked
Credentials hold the keys to your entire world.
You may not have as many assets as Mark Zuckerberg, but to you the assets you possess are priceless – for you and your entire company. All it takes is a single set of credentials to be compromised for your assets and future to be at risk.
Here at JumpCloud, we have actually seen top managers and IT admins scoff at the risk of credentials within their companies being compromised…until it happened to them. This is the exact reason why they came to us, asking what we could do for them in regards to Multi-Factor Authentication, automatic password rotation, and one-way salting and hashing of passwords.
We understand that hindsight is 20/20. However, we are here to let you know that you can prevent a credential compromise from ever happening by just focusing on security now, rather than later. It is a lot easier to cut off the head of the snake first!
Getting to Know Identity Security
Security for an identity management program is a lot like an onion, it is comprised of numerous layers.
At the center is how the credentials are safeguarded when within the identity solution. The following layer focuses on how to shelter the actual system within the network. Finally, the last layer is deciding how to inform end users on how they can protect their individual credentials.
Ultimately, after all these layers are formed and implemented, the final line of defense is a hawk-eyed observation of the entire identity system.
But, let’s not get ahead of ourselves, let’s dive back into each layer of security we introduced above.
We understand it has always been a little difficult to store credentials inside a user directory. Generally, doing so leaves your system a high value target for a hack.
In the past, the central user management system would live on-premises and be secured by a trench of internal systems created by IT. With the emergence of the cloud, the internal defensive perimeter is being broken down so IT admins can’t rely on the trench safeguarding their credentials. Moving forward the main goal is to guarantee that the credentials are stored in the safest possible way.
At the forefront of securing credentials is one-way hashing with a per-password salt. Stored this way, a password is practically impossible to recover from the hash. Where you cannot one-way hash a secret, it should be protected by strong encryption at rest.
Because a one-way hash involves no key, there is also no private key whose compromise you need to worry about.
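To make the "one-way hashing and salting" point concrete, here is an added example (not JumpCloud's own code) that stores passwords with PBKDF2-HMAC-SHA256 and a fresh 16-byte random salt per password, next to the unsalted, single-round pattern it replaces. The iteration count and the record format are assumptions chosen for illustration; only the standard library is used.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (a constructed value for this example;
# tune it to what your hardware tolerates per login).
ITERATIONS = 200_000


def unsalted_sha256(password: str) -> str:
    """The weak pattern: no salt, one fast hash round.
    Two users with the same password get the same digest, so a leaked
    table exposes shared passwords and is cheap to attack with precomputed tables."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Hardened form: returns a self-describing record
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' (format is an assumption)."""
    salt = os.urandom(16)  # fresh random salt per password, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time so timing does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        stored = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: refuse rather than crash
    if algorithm != "pbkdf2_sha256":
        return False  # unknown or downgraded algorithm tag
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Same password, two users: unsalted digests collide, salted records do not.
    print("unsalted equal:", unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))
    r1, r2 = hash_password("hunter2"), hash_password("hunter2")
    print("salted equal:  ", r1 == r2)
    print("verify ok:     ", verify_password("hunter2", r1), verify_password("wrong", r1))
```

The record carries its own salt and work factor, so you can raise `ITERATIONS` later and re-hash each user on their next successful login without a migration.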
No matter what identity management platform you select, whether it‘s internal or SaaS-based, there should always be a strong security presence around the system.
Furthermore, traffic to and from the system should be encrypted in flight with strong mechanisms. If mutual TLS is an option, it is far better than one-sided SSL/TLS, because both ends authenticate each other.
A firewall should block traffic to and from the system on all ports except those your secure tunnel requires. The hardware and software should always be up to date and patched so that known exploits cannot be used against you. In addition, ironic as it is, access to the identity management platform itself must be tightly controlled.
End User Protection
Even if IT has covered all the bases in protecting its systems, mistakes on the user side can still result in a compromise.
The most common mistake we see is a user repeating the same credentials across several applications or sites. Hackers obtain one set of credentials from a single site or app, then try them at other locations until a match is found and further access is gained.
If a minor site or app is compromised people do not think much of the ramifications. However, what they don’t realize is the hackers who have gained the credentials are then selling them on the black market so others can try to use them to sign into critical sites/apps like bank or business accounts.
This is what frightens and frustrates IT organizations, because even after they covered all the bases their systems could still be compromised as a result of a user lapse. As a result of this, there are protective measures specifically created to safeguard systems from a password reuse breach.
Robust identity management systems enforce password rotation, require complex passwords, and lock out users who attempt to log in too many times. Another common mechanism is the password vault, which can be used alongside the core user management system to bolster security.
Beyond this, the most potent mechanism for expanding security is multi-factor authentication (MFA). Requiring both something the user has and something they know makes a compromised credential only half the equation in an attempted breach.
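The two controls from the last two paragraphs, a lockout after repeated failures and a second factor the user has, fit together in one verification step. The block below is an added example, not JumpCloud's code: it implements a time-based one-time password (TOTP, RFC 6238, built on HOTP from RFC 4226) with a one-step drift window, and wraps the check in a per-account failure counter that locks the account. The threshold and lockout duration are constructed policy values.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass

MAX_FAILURES = 5        # failed attempts before lockout (constructed policy value)
LOCKOUT_SECONDS = 900   # how long the account stays locked (constructed)
TOTP_STEP = 30          # RFC 6238 default time step, in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


@dataclass
class AccountState:
    """Per-account lockout bookkeeping; in practice this lives in the directory."""
    failures: int = 0
    locked_until: int = 0   # Unix time until which logins are refused


def verify_second_factor(state: AccountState, secret: bytes, code: str,
                         now: int, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side (clock drift).
    Every miss counts toward lockout; a locked account is refused even with a valid code."""
    if now < state.locked_until:
        return False
    if code.isdigit() and len(code) == 6:
        counter = now // TOTP_STEP
        for drift in range(-window, window + 1):
            expected = hotp(secret, counter + drift)
            if hmac.compare_digest(expected, code):
                state.failures = 0
                return True
    state.failures += 1
    if state.failures >= MAX_FAILURES:
        state.locked_until = now + LOCKOUT_SECONDS
        state.failures = 0
    return False


if __name__ == "__main__":
    # RFC 6238 test secret; a real deployment stores a random per-user secret.
    secret = b"12345678901234567890"
    now = int(time.time())
    state = AccountState()
    print("code now:", totp(secret, now))
    print("accepted:", verify_second_factor(state, secret, totp(secret, now), now))
```

The drift window is deliberately small: each extra step widens the set of codes an attacker could guess. The lockout applies to the whole account, so a stolen password alone cannot be turned into unlimited guesses at the second factor.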
Overall, end users do not mean any harm, but they can still be one of the biggest security threats to your organization.
After the three layers of security we mentioned above are implemented, your work is not over. In a sense, the quest to secure your identity management platform is never complete.
The final step is a crucial one: continuously monitor your systems and applications.
In doing so you always know who is logging in, when, and from where. When a deviation from that pattern is noticed, you are a step ahead and can stop a problem before it starts.
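Here is an added example (not JumpCloud's code) of what "who, when, and from where" monitoring looks like in practice. It builds a per-user baseline of source networks and login hours from a week of constructed login log lines, then runs new lines against it and raises an alert for a login from a network the user has never used, a login outside their usual hours, a burst of failed attempts, and a success that follows such a burst. The log format is an assumption made for the example.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed log line format (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

# Constructed baseline: a normal week of logins.
BASELINE_LOG = """
2016-07-04T09:02:11Z user=alice src=203.0.113.10 result=success
2016-07-05T08:47:30Z user=alice src=203.0.113.12 result=success
2016-07-06T13:15:05Z user=alice src=203.0.113.10 result=success
2016-07-04T10:20:00Z user=bob src=198.51.100.8 result=success
2016-07-05T15:05:42Z user=bob src=198.51.100.9 result=success
"""

# Constructed new activity to be checked against the baseline.
NEW_LOG = """
2016-07-12T10:01:09Z user=alice src=203.0.113.11 result=success
2016-07-12T03:12:44Z user=alice src=192.0.2.77 result=success
2016-07-12T14:30:01Z user=bob src=198.51.100.8 result=failure
2016-07-12T14:30:20Z user=bob src=198.51.100.8 result=failure
2016-07-12T14:30:41Z user=bob src=198.51.100.8 result=failure
2016-07-12T14:31:05Z user=bob src=198.51.100.8 result=success
"""


@dataclass
class Event:
    ts: datetime
    user: str
    network: str   # source collapsed to its /24 so a DHCP change is not a "new network"
    result: str


def parse(lines):
    """Parse log lines; unparseable lines are skipped so one bad line cannot stop the monitor."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        events.append(Event(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            user=m["user"],
            network=str(ipaddress.ip_network(m["src"] + "/24", strict=False)),
            result=m["result"],
        ))
    return events


def build_baseline(events):
    """Per user: the networks they log in from and the span of hours they log in at."""
    networks, hours = defaultdict(set), defaultdict(list)
    for e in events:
        if e.result == "success":
            networks[e.user].add(e.network)
            hours[e.user].append(e.ts.hour)
    return {u: {"networks": networks[u], "hours": (min(hours[u]), max(hours[u]))}
            for u in networks}


def detect(baseline, events, fail_threshold=3, fail_window=timedelta(minutes=5)):
    """Return (timestamp, user, reason) alerts for deviations from the baseline."""
    alerts = []
    recent_failures = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        window = [t for t in recent_failures[e.user] if e.ts - t <= fail_window]
        if e.result == "failure":
            window.append(e.ts)
            recent_failures[e.user] = window
            if len(window) >= fail_threshold:
                alerts.append((e.ts.isoformat(), e.user, "failure burst"))
            continue
        recent_failures[e.user] = window
        if len(window) >= fail_threshold:
            alerts.append((e.ts.isoformat(), e.user, "success after failure burst"))
        profile = baseline.get(e.user)
        if profile is None:
            alerts.append((e.ts.isoformat(), e.user, "no baseline for user"))
            continue
        if e.network not in profile["networks"]:
            alerts.append((e.ts.isoformat(), e.user, "login from new network " + e.network))
        lo, hi = profile["hours"]
        if not lo <= e.ts.hour <= hi:
            alerts.append((e.ts.isoformat(), e.user, "login outside usual hours"))
    return alerts


def run_demo():
    baseline = build_baseline(parse(BASELINE_LOG.splitlines()))
    return detect(baseline, parse(NEW_LOG.splitlines()))


if __name__ == "__main__":
    for alert in run_demo():
        print(*alert)
```

The baseline is rebuilt from successes only, so an attacker's failed attempts never teach the monitor a new "normal"; the thresholds and the /24 grouping are starting points to tune against your own login volume.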
You may be thinking about how time consuming this sounds, but you can rest assured, because part of our mission here at JumpCloud is to help automate admin monitoring. With hackers growing smarter every single day, a constant strong monitoring program is crucial, even when all of the above layers are in play. Think of it as the icing on the cake.
The Key to Better Securing User Credentials Is Right in Your Hands
There is nothing more important to the modern business than the security of your individual identities and of your identity management platform as a whole. Only the right users should have access to your vital assets. This matters not solely for compliance reasons, important as those are in their own right: if the right credentials are compromised, the result can be cataclysmic for any organization.
The tall task of protecting the identity management platform has been handed off to the IT department. Our hope is that the four keys above will be helpful for you in comprehending how that is possible. Of course, if you have questions you can pay a visit to our Knowledge Base or contact us directly right here.
Many of the measures we discussed above are made easier thanks to JumpCloud’s own Directory-as-a-ServiceⓇ. Our fully-featured, cloud-based directory can automate password rotation, set stringent password requirements, enable MFA, and store credentials securely with one-way hashing and salting. We are eager to help you bolster your identity management security and we are free to try for your first ten users.
Learn more about Directory-as-a-Service here.