Why Credential Management Is Key to Your Cybersecurity Strategy
As modern organizations and their workforces continue to grow, the job of ensuring that countless identities have the right levels of access to enterprise resources is one that appears daunting. Yet, it has been proven to be critically important by recent cybersecurity attacks involving vulnerable user access. A prominent example is the SolarWinds Orion platform update that was subject to a highly sophisticated attack compromising sensitive customer data. Despite a lot of controversy and questioning into the attack, the specific ways in which malicious code was inserted into the system are still somewhat unclear. Among research, it was found that hackers created new accounts with elevated privileges to access data, a compromise that is involved in around 80 percent of hacks. Shockingly, internal accounts were reportedly found on the dark web for sale. Here, the importance of complete visibility of user identification and credentials based on a Zero Trust architecture is highlighted.
The same risk of user access arises from how a past SolarWinds intern was blamed for a weak update server password - Solarwinds123 - being publicly accessible on their GitHub for more than a year. This begs the question; if the intern implemented this password, or even if they did not, why did they have this level of access to crucial systems and why was the password so weak? Using secure credentials is a key element of any organization's security strategy, but what about the suitable perimeters that can be accessed by these credentials?
End-to-End Credential Solutions Answer the Call
Security errors such as weak passwords and system access oversights illustrate the importance of managing the complete credential lifecycle with a secure, end-to-end solution. When valuable IT resources are accessed by such credentials, it is essential that they are efficiently managed from start to finish – covering the creation, management and revocation.
This is key to mitigating IT supply chain risks by reducing threats to integrity and organizational confidentiality through a Zero Trust culture and configured suitable access – for both on-site and remote users.
A credential management solution gives organizations the power to efficiently manage both hardware and software based credentials that access digital and physical resources. After all, even if credentials are strong, attackers may discover a way to jeopardize the system that initializes such credentials and thus give them to the wrong people. This results in an organization’s whole security system being side-stepped.
Identity Establishment and Credential Creation
The life of a credential starts with establishing the identity of the individual that will be receiving it and securing the root of trust. Credential lifecycle management solutions can adapt to an organization’s individual security and compliance needs, allowing admins to configure and customize their solution to only utilize the steps they need. Organizations in highly secure industries with stringent user enrollment workflows may start the process with someone having to verify the user’s need for access through software such as WorkforceID™ Credential Manager before issuing any credentials. This added security helps organizations to achieve complete control over who is gaining access and who supports the need for their access.
When it comes to enrollment, it is important to verify the identity of the individual receiving the credential through passport or ID capture. Alternatively, the user's fingerprint can be enrolled to create an even more seamless identity establishment process. If necessary, an organization may configure their process to require users to complete additional training or vetting through external background checks. Once the user has been verified, the credential can be issued for physical or IT access.
While facilitating all possible security steps is key to protecting an organization with very sensitive IT enterprise resources, it is not necessary for every organization. Still, credential management solutions like WorkforceID support organizations in implementing authentication that meets best practice standards such as NIST SP-863 (which are tailored to risk level). No matter the size of an organization, it is still fundamentally important to confirm and identify an individual who is receiving a credential.
Though secure issuance of a credential is fundamental, security best practices don’t stop there. Ensuring that a credential is being used securely throughout its life, including any changes or adjustments that occur, is critical. Issued credentials are used for strong authentication to enterprise IT resources as well as allowing users to digitally sign, encrypt and decrypt sensitive materials using their credential. A solution such as WorkforceID Digital Credential Manager enables the issuance and management of credentials that provide these services.
Credentials, and the resources they secure access to, will face changes and adjustments throughout their lifecycle. From devices or passwords being lost or stolen, to an employee needing updated access or simply leaving the organization, credential changes can bring about security vulnerabilities. Therefore, efficient credential management of these changes is essential, and should cover every stage of the lifecycle from resetting and revocation, to replacement and access updates.
Credential management solutions can further streamline the revocation process through integration with a corporate directory, reducing admin load and securing IT systems from unauthorized or expired users. Tight credential security must be implemented until the very end of the life cycle and executed with efficient deactivation. After all, you would not let an ex-employee keep a key to your office, so why would you leave your digital assets open to that same risk?
The Ideal Management Solution
Managing the credentialling process can be done both on premise or in the cloud and simplifies the issuance and management of authenticators and digital certificates. Solutions like WorkforceID Digital Credential Manager and WorkforceID Credential Manager can enforce policy-based management of access rights and changing needs, all whilst ensuring compliance and boosting security. Without a complete solution, devices or credentials are essentially provided with free access – a cybersecurity nightmare.
Creating, managing and revoking these credentials at a large scale is a challenge for any organization. HID’s solutions offer security, efficiency and scalability – all from a single source. We offer a comprehensive selection of management solutions to securely issue and manage user credentials. Explore them here.
Yves Massard is responsible for the product marketing effort in HID Global’s Identity and Access Management (IAM) government business. While at HID, Yves assisted in creating the US DoD Common Access Card, ActivID™ CMS—the market-leading PIV credential management system—and ActivClient™, market-leading middleware. Yves received a Masters Degree in Computer Science from the Institut National des Sciences Appliquées de Rennes and an MBA from Saint Mary’s College, California.