Intelligent CISO Issue 35 | Page 29

While we may be moving to a world where passwords are no longer the weakest link, the reality is that as one issue is addressed, another might take its place.

Editor's question

My short answer is ‘it will help, but it’s certainly not a panacea’. My longer answer is somewhat more nuanced.

We believe the real benefit of a passwordless future will be to provide a better user experience, and in turn organisations will be more inclined to reinforce cybersecurity protocols.
Working backwards, we all know that although business users are told to use strong, complex and individual passwords, many reuse existing passwords or create weak and easy-to-remember ones, all of which are a gift for cybercriminals. Multi-Factor Authentication (MFA) was introduced to overcome these limitations, asking users for both a password and a second factor such as a code from an app on their phone or some form of biometric authentication like a thumbprint.
The problem with this approach is that some organisations worry the additional steps can impact productivity, particularly for developers and cloud architects who rely on speed and agility. But these same developers and architects are often the most privileged users within an organisation, and therefore the most attractive shortcut for attackers.
In this respect, passwordless solutions, which grant access according to permission or to something that can’t be obtained by anyone other than the correct user (such as biometric identification), can encourage stronger cybersecurity practices because they don’t get in the way of agility. Going passwordless also reduces the risk of passwords being stolen through credential-harvesting attacks, which commonly start with phishing or with a weak or reused password. After all, if a user is never exposed to a password in the first place, there is no password to steal (the session tokens issued after authentication still need protecting, but that is a different problem).
Despite this, passwordless solutions aren’t a panacea, for several reasons.
First up, when it comes to securing access to extremely sensitive assets (like the root account of a newly provisioned machine, or a service account running mission-critical services), stronger security controls than ordinary passwordless tools are needed.
Access to tier 0 and tier 1 systems, which contain the most critical assets in an organisation (for example, a tier 0 system would be the core banking system of a major bank, and a tier 1 system an asset like a core database which supports a tier 0 system), should be protected with a comprehensive Privileged Access Management (PAM) solution. These solutions vault and isolate credentials so users never know them, making access passwordless from the user’s point of view, but they also provide additional layers of security like session monitoring, session recording and analytics-based threat detection.
Secondly, the world of cybersecurity is a constantly evolving and transforming space. While we may be moving to a world where passwords are no longer the weakest link, the reality is that as one issue is addressed, another might take its place. In a passwordless world, organisations must then consider how they manage the security of biometric data in a way that is privacy compliant. This has its own complexities and challenges: unlike a password, a leaked biometric cannot be reset, so where templates are stored and where matching happens matters a great deal.
Any true passwordless solution has to rely on strong cryptographic standards such as certificates (public-key credentials that prove possession of a private key rather than knowledge of a shared secret), and combine user identities with contextual information such as device fingerprints and security posture. A topic for another day perhaps.

THOMAS FIKENTSCHER, REGIONAL DIRECTOR ANZ, AT CYBERARK
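As an added illustration of the cryptographic core that the closing paragraph points at (this is example code written for this page, not code from CyberArk or the author), the Go program below models a passwordless credential as an origin-bound public-key challenge-response, in the spirit of FIDO2/WebAuthn but deliberately simplified. The relying-party origin `https://bank.example`, the user `alice`, the phishing origin `https://bank-example.login.test` and every type and function name are assumptions made for the example. It demonstrates the three properties the article relies on: the server stores nothing a thief can reuse (only a public key), an assertion signed on a phishing page is rejected because the signature covers the origin the browser actually reported, and a captured assertion cannot be replayed because each challenge is consumed on first use.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Authenticator is the user's device: the private key is generated here and never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

// Assertion is the device's reply; the signature covers the origin the browser reported.
type Assertion struct {
	Origin    string
	Challenge []byte
	Signature []byte
}

// RelyingParty is the server: it holds public keys and one-time challenges, no secrets.
type RelyingParty struct {
	origin     string
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin, map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

// signedMessage is the layout both sides sign: "<origin>\x00<challenge>" (origins never contain NUL).
func signedMessage(origin string, challenge []byte) []byte {
	return append(append([]byte(origin), 0), challenge...)
}

// Register runs on the device; only the public half of the key pair is sent to the server.
func Register(rp *RelyingParty, user string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pubKeys[user] = pub
	return &Authenticator{priv: priv}, nil
}

// Challenge issues a fresh random nonce that is valid for exactly one assertion.
func (rp *RelyingParty) Challenge(user string) []byte {
	ch := make([]byte, 32)
	rand.Read(ch) // crypto/rand.Read is documented never to fail on supported platforms
	rp.challenges[user] = ch
	return ch
}

// Sign runs on the device; requestOrigin is the origin the browser actually loaded, which a phishing page cannot choose.
func (a *Authenticator) Sign(requestOrigin string, challenge []byte) Assertion {
	return Assertion{requestOrigin, challenge, ed25519.Sign(a.priv, signedMessage(requestOrigin, challenge))}
}

// Verify runs on the server; the challenge is consumed first so that even a valid assertion cannot be replayed.
func (rp *RelyingParty) Verify(user string, as Assertion) error {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	want, ok := rp.challenges[user]
	if !ok {
		return errors.New("no outstanding challenge (replay?)")
	}
	delete(rp.challenges, user)
	if as.Origin != rp.origin {
		return fmt.Errorf("origin mismatch: assertion was made for %q", as.Origin)
	}
	if !bytes.Equal(as.Challenge, want) {
		return errors.New("challenge mismatch")
	}
	if !ed25519.Verify(pub, signedMessage(as.Origin, as.Challenge), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// Scenarios runs a legitimate login, a phishing relay and a replay against a constructed
// relying party; a nil result means the server accepted the assertion.
func Scenarios() (legit, phished, replayed error) {
	rp := NewRelyingParty("https://bank.example")
	dev, err := Register(rp, "alice")
	if err != nil {
		return err, err, err
	}
	good := dev.Sign("https://bank.example", rp.Challenge("alice"))
	legit = rp.Verify("alice", good)
	// Phishing: the attacker relays the genuine challenge, but the browser reports the attacker's origin.
	phished = rp.Verify("alice", dev.Sign("https://bank-example.login.test", rp.Challenge("alice")))
	replayed = rp.Verify("alice", good) // replay of the earlier, perfectly valid assertion
	return
}

func main() { fmt.Println(Scenarios()) }
```

Running it prints a nil error for the legitimate login and an error for each of the other two attempts. What the model leaves out is exactly the contextual layer the paragraph mentions (device posture, attestation of the authenticator) and the operational question of how a user who loses the device is recovered without reintroducing a phishable fallback; that is where the remaining risk moves.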