The identity crisis: Password managers and your business


Steve Cassidy

3 Apr, 2018

It used to be the case that when someone said they were having an «identity crisis», they would go on to tell you about their imaginary friend. However, this is 2018 and issues of identity are all over the news – and of the utmost importance to businesses.

If you’re the go-to person for an organisation of any size or scale, you’ll know that problems with passwords have gone from a quiet, almost academic bit of admin to a headline-grabbing, company-destroying risk. So every business should be asking: what are the potential hazards, and what can we do to protect ourselves?

The ID problem

Nobody can get away from the need for passwords these days. They used to be the preserve of the office network, but now you can’t even avoid them if you’re unemployed: benefit systems want you to log in and prove who you are to access your personalised view, save your data and so on. And as online security has become a growing burden, not just at work but in our personal lives, it’s been no surprise to see password managers gaining popularity all over the app and web service marketplace.

Great, problem solved – no? Well, that was the theory. But cynics such as myself weren’t at all surprised when it emerged that these services had security vulnerabilities of their own. In the summer of 2017 we saw a spate of accusations that one web password manager or another had been hacked or cracked.

Regardless of whether your precious identity data had actually been compromised or not, this was a painful wake-up call for customers. Many had entrusted their passwords to such systems believing this would allow them to stop worrying about security scares; now they found themselves forced to think about questions such as what happens when your password manager gets taken offline and you don’t have paper copies of all the passwords you’ve loaded into it.

And what if you get caught without a Plan B on the day when a hacker (or disgruntled staff member) changes all those passwords and locks you out of your own system?

Five years ago, one aspect of this discussion would have been what makes a good or a bad password. Today, that’s rather a moot point. First, due to the fact that folklore is the dominant source of advice on the topic for most people, your typical CIO – or, as it often is, an overstretched support junior – has to cope with all the possible levels of password quality across their whole organisation.

Secondly, it’s a fact of life that most companies are no longer in a position to fully dictate their own password policies, thanks to an increasing reliance on external service providers. Your company procedures may state that all passwords must be deposited in escrow, written in blood on vellum, or changed every leap year: the reality comes down to the cloud operator’s policy.

Security in the cloud

Ah yes, the cloud – the single greatest confounding factor when it comes to password security. At the start of this decade, it was still possible to talk about «single sign-on» and mean nothing more than granting access to the LAN plus Active Directory resources, and perhaps a few HTTP services.

Meanwhile, in 2018, we have to deal with much bigger challenges of scope. Your access security systems have to work inside the company office; in employees’ homes; with the third-party services that your business signs up to; with your smartphone apps, on at least two platforms; with physical tokens for building access; on networks where you are a passing guest; in IPv6 environments… well, that’s enough semicolons for now. You get the picture.

Needless to say, where there’s a technical challenge this confusing, there’s a proliferation of outsourced «solutions» that can help you get on. However, these are almost entirely aimed at larger businesses, where a dedicated individual is available to negotiate between what the business wants to do with identities – the usual staff join/move/leave lifecycle – and the demands made by regulations or relationships with third parties.

And even then, recent trends in larger business IT make things very complicated. Remember, both identity solutions and line-of-business services tend to live in the cloud, and a lot of their appeal to customers is down to their ability to interoperate with other services by way of inter-supplier APIs.

So if, for example, you’re logged into Salesforce and hit a button to switch to another app, it’s not your PC that forwards your credentials to the next host: Salesforce initiates a direct conversation, server to server. We’re very much living in the age of the business-to-business API economy – and good luck managing that.

Then there’s software-defined networking (SDN) – an idea that can deliver a great security boost for your network. SDN takes advantage of the fact that there’s enough computing power floating around now for even a humble network switch to actively isolate, monitor and manage the network traffic generated and received by each individual PC.

This is seriously useful when it comes to infection control: after all, in most company networks, PCs have next to no need to talk directly to each other – only viruses do that. SDN ensures that PCs only talk to the appropriate servers and routers, using rules that relate to the individual, rather than to the floor or department their computer happens to be in.

The thing about SDN is that it requires users to authenticate before they can have any sort of access to the network. No biggie, you might think – users these days have been schooled by Wi-Fi to expect a login prompt. However, if your identity broker is in the cloud, you need a way for users to access that before logging into the SDN-secured network.

From an architectural perspective, the answer is simple: just have a default access policy that lists the identity servers as always available, without credentials. But that’s not quite the same as saying that every cloud- based identity broker recognises the problem. Many businesses undertake big reorganisations in order to escape the «Microsoft Trap» of server-centric networking, only to fall into a maze of incompatible authenticators, each of which is sufficiently new to consider a three-year product lifecycle in this field as perfectly normal.

All of which brings me to another issue: portability.

Moving your users around from service to service

If you’re thinking of engaging a cloud-based password-management service, this is a key question: how easy is it for the administrator to do drastic things with the database of users and passwords? Is it possible to upload bulk lists of users (say, on the day your company takes over another one) and indeed, download and examine such lists, looking for issues such as duplicate passwords?

These aren’t unreasonable things for an IT department to want to do. Yet, online password managers, anxious about the potential for abuse, tend to rule it out completely. This is an unfortunate side effect of the influence of consumer security policies – everyone gets treated as a separate individual with no security crossovers.

But, if you think about it, that’s the diametric opposite of what most companies actually want. Your firm’s user database is built on groups and policies, not on hundreds of unique individuals.

There is another way. It might sound unfashionable in 2018, but what people are crying out for, in a forest of password-as-service cloud apps, is a return to the glory days of Active Directory. The simplest answer to bridging the divide between cloud identity and LAN identity is to focus on the lowest common denominator, namely an old-school Windows Domain environment. Don’t rely on the cloud for everything: use it to grant access to a Windows server, which can take on the traditional role of local service manager and gateway.

It’s an approach with numerous benefits. For a start, nobody in the old-school LAN world is going to hold your company user list to ransom, or make changes to pricing once you’re on board, or restrict your choices of IoT deployment to a limited roster of approved partner manufacturers. Indeed, the idea helps justify the high price of Windows Server licences – they’re steep if you just want file and print services, but if you look at the complexity and cost of managing passwords and user identities, it starts to make a lot of sense.

Crystal balls

Passwords have their benefits, but (as my colleague Davey Winder has frequently noted) a physical token can be a powerful alternative or supplement to a conventional password. Indeed, it remains a great puzzle that business hasn’t really embraced the idea. You can find products that use USB or Bluetooth to provide preset usernames and passwords, but these tend to exist only in specialised niches.

Notably, in the consumer sector, the idea of using a physical key has been superseded by two-factor authentication (2FA), where a login attempt generates a second single-use password that’s sent to the customer’s registered mobile number. This too has its strengths, but there’s an assumption of continuous internet access – or, in some cases SMS service – that isn’t always realistic. It’s fine if you’re sitting at your desk trying to log into your email, but less so if you’re standing in a snowy car park late at night, trying to get into the office because you’ve been called out to deal with a network outage.

In fact, if you’re going to rely on any sort of single sign-on system, there’s an almost inevitable requirement for defence in depth – that is, you need the same identity data to be accessible in several different ways, so it can remain available under most plausible scenarios. Again, this is certainly not a new insight when it comes to system design, but it’s one the always-connected generation finds easy to forget.

This doesn’t have to mean investing in layer upon layer of redundant infrastructure. What it might mean, however, is a «fog computing» approach – a model where cloud-based services connect directly to the perimeter of your home network and devices. In this case, you want systems that are reachable from that snowy car park, able to remember the last state of the security database – and just smart enough to let you in.

Image: Shutterstock