Intelligent CIO APAC Issue 07 | Page 34

EDITOR’S QUESTION
THOMAS FIKENTSCHER, REGIONAL DIRECTOR ANZ, AT CYBERARK
My short answer is ‘it will help, but it’s certainly not a panacea’. My longer answer is somewhat more nuanced.
We believe the real benefit of a passwordless future will be to provide a better user experience and in turn organizations will be more inclined to reinforce cybersecurity protocols.
Working backwards, we all know that although business users are told to use strong, complex and individual passwords, many reuse existing passwords or create weak and easy to remember passwords – all of which are a gift for cybercriminals. Multi-factor authentication was introduced to overcome these limitations, asking users for both a password and a code from an app on their phone or some form of biometric authentication like a thumbprint.
The problem with this approach is some organizations worry that the additional steps can impact productivity, particularly for developers and cloud architects who rely on speed and agility. But these same developers and architects are often the most privileged users within an organization and therefore the most attractive shortcut for attackers.
In this respect, passwordless solutions which grant access according to permission or something that can’t be obtained by anyone other than the correct user (such as biometric identification) can encourage stronger cybersecurity practices as they don’t get in the way of agility. It also reduces the risk of passwords being stolen via sophisticated cyberattacks involving credential harvesting, which commonly start with phishing attacks or using a weak or re-used password. After all, if a user is never exposed to the password in the first place, passwords can’t be stolen. Despite this, passwordless solutions aren’t a panacea for several reasons.
First up, when it comes to securing access to extremely sensitive assets (like access to the root account of a newly provisioned machine or a service account running mission critical services) stronger security controls than ordinary passwordless tools provide are needed.
Access to tier 0 and tier 1 systems, which contain the most critical assets in an organization (for example, a tier 0 would be a core banking system of a major bank and a tier 1 an asset like a core database which supports a Tier 0 system) should be protected with a comprehensive Privileged Access Management (PAM) solution. These solutions can vault and isolate credentials so users never know them – making them passwordless – but also provide additional layers of security like session monitoring, recordings and analytics-based threat detection.
Secondly, the world of cybersecurity is a constantly evolving and transforming space. While we may be moving to a world where passwords are no longer the weakest link, the reality is that as one issue is addressed, another might take its place. In a passwordless world, organizations then must consider how they manage the security of biometric data in a way that is privacy compliant. This then has its own complexities and challenges.
Any true passwordless solution has to rely on strong cryptographic standards such as certificates and combine user identities with contextual information such as device fingerprints and security posture. A topic for another day perhaps.
34 INTELLIGENTCIO APAC www.intelligentcio.com