Intelligent CIO North America Issue 5 - Page 33


There are two things we can do to secure our

corporate assets ; get rid of users or eliminate passwords . I say that tongue and cheek , but there ’ s truth to half of that statement .
Ok . We obviously need users but employees are on the front lines in a cyberwar over corporate and consumer data , battling myriad cyberattacks . Most data breaches are caused by credential theft . That ’ s why , our most important endpoints are users . They are the most likely to unknowingly give away the ‘ kingdom keys ’.
I ’ m not being flippant about passwords . I ’ d like to see them gone . The best way to eliminate nefarious activity from stolen passwords is to eliminate them . To secure employees , systems , applications , corporate secrets and consumer data , we must rein in repetitive and weak passwords that expose organizations to attacks .
Time to shift away from passwords
A password replacement must be pervasive
Our smartphones are almost another appendage . They ’ re with us constantly and are ubiquitous in our personal lives and business . While there are many methods and strategies for avoiding stolen and misused passwords , there is one that scales and permeates our personal and business activities . We can harden endpoints , like smartphones , tablets , smart speakers and laptops , with standards-based public key cryptography .
How it works
Secure key-enabled user devices remove the need for passwords , eliminate user registration and login friction , and globally scale . To initiate the process , users authenticate with the website using their device ’ s private key , which responds to the website ’ s security challenge .
Everyone recognizes password weaknesses . We ’ re frustrated with having to create and remember them , and where we stored them . So , we repeatedly use the same weak passwords , that are easily memorized . We know this creates a security risk but do it anyway .
Security teams are overwhelmed managing , storing and protecting credentials . They may not have the budget or resources for the most up-to-date systems . They might lack the processes and policies to consistently update software , and don ’ t have the domain expertise to keep up with the latest technologies to protect their business . They know hackers can acquire user credentials and move laterally across their network to access anything they want . They ’ re also challenged to keep up with evergrowing privacy regulations .
The private key can be used only after the security code has been unlocked by the user , by swiping a finger , entering a PIN etc . The device creates a new public / private key pair , unique to the online service , and the user ’ s account . The public key is sent to the online service and associated with the user ’ s account . The private key and local authentication information never leaves the device . Passwords require human interaction which is a formula for disaster . We must automate and secure the authentication process . This means removing people from the equation . While there are many approaches to eliminating the password conundrum , standards-based public key cryptography provides strong authentication that scales and can be deployed on devices we use to register and login to online applications and services .
www . intelligentcio . com INTELLIGENTCIO NORTH AMERICA 33