Light Dark
December 27, 2017 By Neil Warburton 3 min read
Identity & Access
Data Protection
Incident Response

There have been countless cyberbreaches over the past few years in which personal data, such as user IDs and passwords, have been compromised. These range from attacks against government agencies, such as two recent incidents affecting the national identity systems in Spain and Estonia, to corporate breaches exposing data belonging to millions of customers.

In the aftermath of many of these incidents, affected organizations have been forced to prompt their customers to change their passwords. Many experts and major industry players have even called for organizations to cease using password protection altogether.

However, cybercriminals are after more than just passwords. As the aforementioned attacks against the Spanish and Estonian ID systems demonstrated, all types of credentials are vulnerable to compromise. It’s crucial for security professionals to establish a break-glass emergency plan for protecting user credentials in the event of a data breach.

Responding to a Breach of User Credentials

What should you do in the event of a data breach that exposes user credentials? The appropriate response will depend on the scope. If one user account is compromised, the security team can simply suspend it and ask the user to reset his or her password. In more extreme cases, security professionals can delete the compromised account and create a new one for the user.

If the scope is larger — say, 1 million users — the response can be more challenging. While the response to a breach affecting the entire user population is often straightforward (e.g., a sweeping password reset across the enterprise), an incident affecting just a portion of a large user base requires security professionals to distinguish those credentials from unaffected ones and revoke access to only compromised accounts. This is often impossible, requiring security teams to inconvenience the entire user base.

Intermingling accounts can also cause problems for security professionals in the aftermath of a data breach. If both customer and employee accounts are housed in the same directory, for example, an attack targeting customer accounts would require the security team to reset employee accounts as well, hindering productivity.

Overlapping normal employee accounts with administrator accounts can lead to even bigger complications. The best practice is to separate administrator accounts from others, creating an identity firewall, so to speak, and ensuring that a data breach would be contained to one set of credentials or the other.

Protecting User Credentials Through Segmentation

Identity and access management (IAM) and privileged identity management (PIM) solutions enable security professionals to configure separate directories and tenants to provide this necessary segregation. It is tempting to try to build a unified directory with all users and attributes managed in a single place. This target architecture will initially reduce costs associated with infrastructure and administration efforts, but it becomes unresponsive to change over time and tightly couples many systems together.

A more loosely coupled architecture can segment identities and their management into physically separate systems, or multiple tenants within a single system. These systems permit change, allow delegation and place management responsibility closer to the applications and systems they are running.

As an added benefit, security teams can meet some compliance mandates for data protection that prohibit cross-border movement of user data by putting the identity management in country while still allowing common functions, such as email and intranet access, to be managed at the organization level.

Cloud Considerations

Another important consideration is how to regain access to cloud-based assets in the event of a breach. Cloud systems have no physical consoles or components to secure, presenting a whole new set of challenges when it comes to protecting user credentials. This creates new opportunities for ransomware operators: Since the data is already encrypted, fraudsters only need to gain access to the administration portal and change the master credentials.

Two-factor authentication can help make these systems more secure. Other methods, such as certificate- and key-based access, may introduce new risks. If you somehow lose access to your keys, for example, you will be locked out of the system. Your security mechanisms should account for users introducing a single point of failure into the authentication process.

Establishing a Break-Glass Backup Plan

To prevent these issues from impeding data breach investigation and response efforts, security leaders should establish break-glass processes that enable them to access the systems storing user credentials so they can quickly start the process of resetting IDs and passwords when attackers strike. In today’s highly volatile threat landscape, additional layers of protection go a long way toward securing employee, customer and administrator credentials, and minimizing the consequences of a data breach.

Download the Ponemon Institute 2017 Cost of Data Breach Global Study

 |  |  |  |  | 
Neil Warburton
Security Architect, IBM

More from Identity & Access
October 23, 2023

Taking the complexity out of identity solutions for hybrid environments

4 min read - For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories. As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left…

September 13, 2023

“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

4 min read - Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past…

August 1, 2023

Artificial intelligence threats in identity management

4 min read - The 2023 Identity Security Threat Landscape Report from CyberArk identified some valuable insights. 2,300 security professionals surveyed responded with some sobering figures: 68% are concerned about insider threats from employee layoffs and churn 99% expect some type of identity compromise driven by financial cutbacks, geopolitical factors, cloud applications and hybrid work environments 74% are concerned about confidential data loss through employees, ex-employees and third-party vendors. Additionally, many feel digital identity proliferation is on the rise and the attack surface is…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature