6 Password Policy Management Best Practices for a more secure IT environment

Remote working has impacted the world of cybersecurity in multiple ways. Remote workers are often not protected by enterprise-level security and so are more prone to cyberattack. The FBI reported a 300% increase in cybercrimes since the pandemic began, and remote work has increased the average cost of a data breach substantially. 

Employees working from home are also distracted – 

“47% of remote workers cited distraction as the reason for falling for a cyberattack.”

In other words, if you do not have a plan in place to mitigate these risks, you are setting yourself up for a potentially devastating cybersecurity breach.

One simple way to protect your organization from breaches is to apply a strong password policy at all levels of the organization, and enforce it by implementing a secure password policy management (PPM) solution.

Here are some password policy best practices you may find useful.

1. Increase password length and strength

Brute force attacks try all possible combinations of characters to arrive at the password. A 6-character password with only upper or lower case letters can be cracked in 8 seconds. An 18-character password with upper and lower case letters, numbers and symbols can take 1 quintillion years to crack! By adding a special character, combining both upper and lower case letters or adding numbers, a password can be made much more secure.

Image credit: ghacks.net

The full strength of the Advanced Encryption Standard (AES) comes to bear when users create passwords of 32 characters for 128-bit encryption and 64 characters for 256-bit encryption. However, passwords of around 10 characters are strong enough for most applications.

2. Simplify as much as possible

A password made of only numbers has 10 options for each character in the string, one made of numbers and letters has 36 options, and if you include special characters that adds another 32 possible characters for each spot in the string. This makes it more challenging for brute force attacks to be successful. Complexity in terms of the kind of characters that can be used in the password is, therefore, an advantage.

However, do not mandate the usage of these different kinds of characters. This can lead to frustration and reuse of the same password with minor character substitutions (P@ssword or Passw0rd, for example). This is especially the case when the policy also demands frequent changes of password. If the old password is compromised, such minor variations will be relatively easy to guess, too.

To mitigate this risk, don’t mandate the use of special characters and reduce the frequency of mandatory password reset to approximately once a year. A long password using only lowercase letters is more secure than a short one which is a variant of an older password.

3. Do not allow password reuse

Do not allow reuse of earlier passwords during periodic password reset to increase security. Train your staff not to use minor variations of their earlier passwords, and instead look for completely different passwords.

Also train staff on the risks of reusing passwords across home and work accounts. Password reuse results in a huge surge in credential stuffing attacks. If any service is compromised and your password and username are stolen, hackers could use the same credentials to try and hack your other accounts. Each account must therefore use unique credentials to maintain security.
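
The points made in sections 2 and 3, as an added example (not code from this article or from Akku): the sketch estimates the brute-force search space from length and character classes, and rejects a new password that is only a minor variation of the current one. The substitution table, the 0.8 similarity threshold and the function names are assumptions made for this example; the 10-character minimum follows the figure given in section 1.

```python
import math
import string
from difflib import SequenceMatcher

# Constructed substitution table for this example (not exhaustive).
LEET = str.maketrans("@4$5013!7", "aassoleit")
# 26 lowercase + 26 uppercase + 10 digits + 32 symbols, as counted in section 2.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def keyspace_bits(password):
    """Brute-force search space in bits: length * log2(alphabet size).

    This is an upper bound; it ignores dictionary words and known patterns.
    """
    alphabet = sum(len(cls) for cls in CLASSES
                   if any(ch in cls for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def normalize(password):
    """Undo common 'minor variation' tricks: suffixes, case, leetspeak."""
    core = password.rstrip(string.digits + string.punctuation) or password
    return core.lower().translate(LEET)


def policy_violations(new, current, min_length=10, max_similarity=0.8):
    """Return the reasons a new password is rejected (empty list = accepted).

    `current` is the password the user typed to authorise the change
    (an assumption of this example), so no plaintext history is stored.
    """
    reasons = []
    if len(new) < min_length:
        reasons.append("too short")
    ratio = SequenceMatcher(None, normalize(new), normalize(current)).ratio()
    if ratio >= max_similarity:
        reasons.append("variant of current password")
    return reasons


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ("P@ssw0rd", "correcthorsebatterystaple"):
        print(pw, round(keyspace_bits(pw), 1), policy_violations(pw, "P@ssword"))
```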

4. Reinforce passwords using multi-factor authentication (MFA)

Multi-factor authentication uses a combination of things you know, such as a password or PIN; things you have, such as a badge or smartphone; and things you are, such as biometric data, to authenticate your right to access a particular system, data or application.

Enabling MFA ensures that even if a password is stolen, the system is not compromised.

5. Use a secure password manager

Many users find it difficult to remember their passwords for multiple online services, and so either use a single password for all, or, worse, save all their passwords to an unreliable password manager. 

If you do opt for a password manager, choose one that is highly secure, in order to mitigate the risk involved. Most IAM solutions will include a password manager or, with Single Sign-on, completely do away with the need for multiple passwords. A single secure password is enough to log on to your IAM and access your applications and data.

6. Use an IAM application for Password Policy Management (PPM)

It’s one thing to lay down rules for password policy across the organization. It’s quite another to enforce the policy. An Identity Access Management (IAM) application can help you ensure that all your users consistently comply with a high standard of security while setting their passwords, without the need for a separate password policy enforcement tool.

Administrators can customize and define password policy for all users in the organization. You can also specify upon whom the policy should be enforced, based on the users’ access level. Password policies can of course also be defined as blanket rules.

A common perception is that the risks associated with breached passwords do not apply to your organization as you have secure systems. But your organization’s data security is only as strong as the weakest password of your users. In 2020, 770 million credential stuffing attacks occurred. That means that if your employees’ personal passwords are compromised, and they have reused the same password at work, your data is compromised too. Worse, 17% of all sensitive files are accessible to all employees, and about 60% of companies have over 500 accounts with non-expiring passwords.

Implementing a robust Identity and Access Management (IAM) solution brings you several steps closer to protecting your user credentials and corporate data. Worldwide, cybercrime costs will hit $6 trillion annually this year. Don’t let your organization succumb to a data breach! With these simple steps, you can stay safe with multiple layers of data protection. Allow our team at Akku to help you secure your systems.

IAM as the Solution to Healthcare Sector Challenges

Healthcare organizations are unique in the volume and sensitivity of information that they hold. Reports say that healthcare is among the 5 most cyber-attacked industries over the past 5 years. 

The 2020 Breach Barometer published by Protenus reports that in 2019, more than 41 million patient records were breached, and around 40% of the respondents surveyed in Europe and the U.S. were concerned hackers would breach their digital data.

The importance of bolstering cloud security in such an environment is therefore vital, and deploying an Identity and Access Management (IAM) system can play an important role in this process.

Here is a look at some of the key challenges facing the healthcare sector, and how an IAM could help to overcome them.

# Challenge 1: Enabling easy but secure access

Very often, breaches of patient data occur due to a lack of caution on the part of patients themselves, with the use of easily compromised passwords. This applies equally to healthcare providers too, with the need to access multiple applications, and therefore, the need to memorize multiple passwords.

The IAM Solution: 

Enforcing a strong password policy can help ensure that patients and providers alike set strong passwords that are more difficult to breach. Additionally, by enabling multi-factor authentication (MFA), an additional layer of security is added above the password. And to make things easier for providers, bringing all applications onto a single platform to provide them with a single point of access means that just one set of credentials is all that they need to remember.

# Challenge 2: Compliance with regulations

Healthcare is a highly monitored industry and there are certain established regulations to follow. For instance, in the USA you have the Health Insurance Portability and Accountability Act (HIPAA), as well as newer industry-specific regulations like Electronic Prescribing for Controlled Substances (EPCS), for which compliance is non-negotiable.

These newer regulations call for adherence to certain prescribed standards of data security along with detailed audit capabilities.

The IAM Solution:

With an appropriate IAM solution, compliance requirements can be largely met through strong data encryption, implementing standards-compliant password policies across users, providing only the minimum necessary access to users, and comprehensive logging of every user action across applications and data points.

# Challenge 3: Driving digital transformation

COVID-19 has accelerated the speed of digital transformation, with the healthcare sector right at the center of the revolution. Telemedicine, Patient Access Management, and a host of other new requirements, each need control over a number of identities and access entitlements. 

The healthcare industry is under growing pressure to adapt to changing business models and technology innovation, as there is an ever-increasing need to protect access to sensitive data.

The IAM Solution:

With features like single sign-on, IAM offers an integrated approach to patient care, enforcing security and compliance capabilities to increase efficiency. In order to support the new digital-first world of healthcare, therefore, IAM has become a necessity rather than an add-on.

Clearly, IAM is the need of the hour in the healthcare industry. And Akku, the powerful and flexible enterprise cloud control solution created by CloudNow, helps to facilitate identity and access management across your healthcare enterprise’s cloud environment. Talk to us today to discuss how Akku may be able to help with your compliance requirements.

Can IAM Improve User Experience and Efficiency on the Cloud?

When an enterprise migrates to the cloud, it essentially opens the doors to a range of new possibilities for its business to flourish. When cloud capabilities are utilized to their full potential, several aspects of management are largely simplified, various processes integrated, and employees empowered to focus on their core roles.

However, many of these benefits to efficiency and convenience are often rendered ineffective by the roadblocks that tight security systems bring into the mix. That is why it is important to take into account the impact of your user, data and application security set up on user experience across your environment.


Access Management Across Different Devices and Browsers

In today’s technology ecosystem, a strong foundation for authorization plays an important role in the overall data security of a company. Controlling each user’s access to data, and monitoring this across devices and browsers is essential to your enterprise’s security. 

Implementing a strong device policy is an integral aspect of data security

With a strong device policy in place, it is possible to exercise highly granular control over which of the company’s applications, information, and data your employees can access, through the company’s devices as well as through their personal devices.

Exploring the Difference Between Identity Management and Access Management

Only a small percentage of people across industries understand the difference between Identity Management and Access Management. The two concepts are certainly related and intricately interwoven, but they are still distinct in meaning and function. 

Managing Identity and Access in the Workplace

Identity and access management, sometimes simply known as identity management, refers to the IT function of maintaining security through the management of digital identities. In a workplace, this includes provisioning employees with accounts to all applications and platforms they will be using for their official tasks, assigning them with the right kind of permissions to each of these applications/platforms, and making sure that the right people have the right access to the right resources and data.

Why an IAM solution is a Crucial Investment for Financial Services Organizations

Today, migrating to the cloud is a crucial stage in a financial enterprise’s growth and development. It is, quite simply, the most efficient way of running operations. With this in mind, financial services organizations are investing significant resources in cloud-based technologies, including infrastructure, platform, and software as a service.

Can an IAM solution prevent Credential Phishing?

The most common misconception regarding credential phishing is that it is people-driven and not organization-driven. Therefore, organizations tend to underestimate the impact it can have on them if even one of their employees is a victim of credential phishing. We suggest reviewing your entire security strategy to ensure that you are protected against phishing. 

Here is everything you need to know about credential phishing attacks.


Enforce Device-based Restrictions with Akku

One of the biggest benefits of cloud computing is the level of accessibility it enables – from anywhere, and at any time. However, it is important to set up certain restrictions in order to protect your sensitive applications and privileged user accounts from being compromised.

One such important security measure involves setting up a device policy within your organization.

Myths about Multi-factor Authentication

When large organizations like LinkedIn, Twitter and Facebook report password hacks, it throws some light on how vulnerable current systems are, as well as the need for multi-factor authentication. However, multi-factor authentication is shrouded in myths that may prevent organizations from adopting it. 

Here, we have addressed a few of the most common myths surrounding multi-factor authentication.