The increasing number of brute-force attacks, phishing scams and network eavesdroppers has been a cause for alarm for businesses, though many have shown an underwhelming response, such as raising the minimum complexity of passwords, which frustrates users more than it protects them.
Regardless of how complicated passwords are required to be, the entire concept of trusting a string of characters to keep cyber-criminals away from a company's entire database is looking more old-fashioned with every data breach.
Indeed, businesses are putting a huge amount of trust in the simple password, and a single data breach can be a disaster for any company. The risk grows as attackers devise new ways to obtain administrative passwords. Password dumps, files containing extensive lists of usernames and passwords harvested from earlier breaches, are a common item on dark web markets and increasingly appear on the open web for anyone to download, where they feed credential-stuffing attacks against every site on which the same password was reused.
A government-commissioned PwC information security survey conducted last year revealed that 90 percent of large enterprises had been the victim of a data breach, costing them an average of £1.46 million to £3.14 million. The cost of a data breach goes beyond a company's financials, often resulting in irreparable reputational damage as well, if a hacker uses an administrative password to nab the private data of customers.
This reputational damage will only increase as the European Union prepares for the new European General Data Protection Regulation to come into effect next year. In addition to increasing the fines associated with companies failing to protect their customers' private data, the new regulation also threatens to publicly name companies should they suffer a data breach. This regulation is putting digital security even closer to where it should be: at the top of every large company's priorities.
The secure solution
High-profile accounts of cyber-criminals obtaining passwords, and with them private data, have eroded many companies' trust in passwords. The main challenge in finding an alternative has been to balance security for the company and its customers against ease of use. Few solutions have achieved that balance.
The main candidate to take the password's place is the Secure Shell (SSH) key pair. It has several advantages over a password. Authentication works by having the client sign a challenge bound to the current session with a private key that never leaves the client's machine, so no reusable secret crosses the network for an eavesdropper or a spoofed server to capture and replay. Brute-force guessing, popular with attackers because consumer hardware keeps getting faster, is impractical against a key: an Ed25519 or 3072-bit RSA key has vastly more entropy than any password a person could memorise. Two caveats apply. The benefit is only realised when password authentication is actually switched off on the server (PasswordAuthentication no in sshd_config), otherwise the weaker path stays open beside the stronger one; and the private key should be stored encrypted with a passphrase, since an unencrypted key file on a laptop is just a password that is easier to copy.
Users can also expect a more convenient experience: one key pair, loaded once per session into an SSH agent, replaces a separately memorised password for each server they connect to in their daily work.
Making security simple
As with any technology, SSH keys bring their own challenges. They are often left unmanaged and unmonitored: a key has no built-in expiry, and a public key copied into an authorized_keys file stays valid until someone removes it, so former employees, decommissioned build servers and forgotten service accounts can retain access indefinitely. Without automation, building a list of all the SSH keys in use, defining and restricting the access attached to each one, and periodically rotating keys is a daunting task. Companies therefore need an SSH key management system to take on these tasks.
A proper SSH key management solution should: discover every SSH key in use and consolidate them in a secure, centralised repository; generate new key pairs with standard tooling and record which user or service each public key belongs to; rotate key pairs manually or on a schedule, so that a leaked key stays usable for only a bounded time; give a holistic view of the key-to-user relationship across the organisation; map specific resources to users, enforce granular access controls (for example source-address and forced-command restrictions on each key) and proactively prevent access violations; and audit and track all user activity, generating the reports required by regulations such as SOX, FISMA, PCI DSS and HIPAA.
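As an added, stand-alone illustration of the discovery and access-restriction tasks above (example code written for this page, not ManageEngine's or any product's output), the following Python script inventories an OpenSSH authorized_keys file: it parses each entry, computes the SHA256 fingerprint that ssh-keygen -lf prints, reads the RSA modulus size, and flags entries that lack a from= or command=/restrict option, use ssh-dss or short RSA, or carry the same key as an earlier line. The sample file embedded at the bottom consists of constructed byte strings in valid wire encoding, not real key pairs, and the 2048-bit RSA threshold is this example's own choice.

```python
"""Inventory an OpenSSH authorized_keys file and flag keys that need attention.
Added example, not vendor code. Sample keys below are constructed, not real."""
import base64
import hashlib
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")


@dataclass
class KeyEntry:
    line_no: int
    options: Dict[str, Union[str, bool]]
    key_type: str
    fingerprint: str            # "SHA256:..." as printed by ssh-keygen -lf
    comment: str
    bits: Optional[int]         # RSA modulus size; None for other key types
    findings: List[str] = field(default_factory=list)


def _split_options(line: str):
    """Return (options, rest); options end at the first whitespace outside
    double quotes, because command="..." may itself contain spaces."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def _parse_options(opts: str) -> Dict[str, Union[str, bool]]:
    """Comma-separated options; a quoted value may contain commas and '='."""
    out: Dict[str, Union[str, bool]] = {}
    part, in_quote = "", False
    for ch in opts + ",":              # trailing comma flushes the last part
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            if part:
                name, _, val = part.partition("=")
                out[name.strip().lower()] = val.strip('"') if val else True
            part = ""
        else:
            part += ch
    return out


def _read_string(blob: bytes, off: int):
    """Read one SSH wire 'string' (uint32 length prefix) at offset off."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("truncated blob")
    return blob[off + 4:off + 4 + n], off + 4 + n


def parse_entry(line_no: int, raw: str) -> Optional[KeyEntry]:
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    opts_str, rest = _split_options(line)
    options = _parse_options(opts_str)
    fields = rest.split(None, 2)
    comment = fields[2] if len(fields) == 3 else ""
    try:
        key_type, b64 = fields[0], fields[1]
        blob = base64.b64decode(b64, validate=True)
        blob_type, off = _read_string(blob, 0)
        if blob_type.decode() != key_type:
            raise ValueError("blob type does not match declared type")
        bits = None
        if key_type == "ssh-rsa":            # blob = type, mpint e, mpint n
            _e, off = _read_string(blob, off)
            n, _ = _read_string(blob, off)
            bits = int.from_bytes(n, "big").bit_length()
    except Exception as exc:
        return KeyEntry(line_no, options, fields[0] if fields else "?", "",
                        comment, None, [f"unparsable entry ({exc})"])
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return KeyEntry(line_no, options, key_type, fp, comment, bits)


def audit(text: str) -> List[KeyEntry]:
    """Parse every entry and attach findings; a repeated key is reported
    against the first line that carried it."""
    entries, seen = [], {}
    for line_no, raw in enumerate(text.splitlines(), 1):
        e = parse_entry(line_no, raw)
        if e is None:
            continue
        entries.append(e)
        if not e.fingerprint:
            continue
        if e.key_type == "ssh-dss":
            e.findings.append("ssh-dss: disabled by default since OpenSSH 7.0; replace")
        if e.key_type == "ssh-rsa" and e.bits is not None and e.bits < 2048:
            e.findings.append(f"ssh-rsa {e.bits}-bit: below 2048-bit minimum; rotate")
        if "from" not in e.options:
            e.findings.append("no from= restriction: usable from any source address")
        if "command" not in e.options and "restrict" not in e.options:
            e.findings.append("no command= or restrict: grants an interactive shell")
        if e.fingerprint in seen:
            e.findings.append(f"same key as line {seen[e.fingerprint]}: one private key shared")
        else:
            seen[e.fingerprint] = line_no
    return entries


def _key(key_type: str, *fields: bytes) -> str:
    """Build a 'type base64' public key string from raw wire fields (constructed)."""
    blob = b"".join(struct.pack(">I", len(f)) + f for f in (key_type.encode(), *fields))
    return key_type + " " + base64.b64encode(blob).decode()


# Constructed key material: valid encoding, not real keys.
ED25519 = _key("ssh-ed25519", b"\x01" * 32)
RSA_1024 = _key("ssh-rsa", b"\x01\x00\x01", b"\x00" + ((1 << 1023) | 1).to_bytes(128, "big"))
RSA_3072 = _key("ssh-rsa", b"\x01\x00\x01", b"\x00" + ((1 << 3071) | 1).to_bytes(384, "big"))
DSS = _key("ssh-dss", *([b"\x01" * 20] * 4))

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys file",
    'from="10.0.0.0/8",command="/usr/local/bin/backup --run",no-pty,no-port-forwarding '
    + ED25519 + " backup@bastion",
    RSA_1024 + " legacy-deploy@ci",
    DSS + " old-admin",
    'restrict,from="192.0.2.10" ' + RSA_3072 + " ops@jump",
    ED25519 + " alice@laptop",
])

if __name__ == "__main__":
    for e in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {e.line_no}: {e.key_type} {e.fingerprint} {e.comment}")
        for f in e.findings:
            print("    -", f)
```

Run against a real file with `audit(open("/home/user/.ssh/authorized_keys").read())`; the fingerprints match `ssh-keygen -lf` so hits can be cross-referenced with a central key inventory, and entries with no findings are the ones already carrying source and command restrictions.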
Those in the know within the world of technology have long been aware of the password's many flaws, though the lack of an alternative that is both secure and simple has kept it in use. SSH keys are the solution many companies have been searching for, offering a stronger barrier between cyber-criminals and private data, with proper SSH key management keeping the result simple for the user. With these tools, companies can move their workplace, and their data, into a safer place: the post-password world.
Contributed by David Howell, European director, ManageEngine