Cloud, mobility and porous perimeters
A number of trends impact all IT organizations:
- Cloud: Applications and infrastructure are generally migrating from on-premises to the cloud, where third parties deploy and manage critical systems and where applications are increasingly exposed to the public Internet.
- Mobility: Users increasingly demand access to critical systems from off-site -- they work from home, visit customers and require access from personal devices, such as smartphones.
- Disappearing perimeter: Traditional approaches to network security have depended on a (hopefully) strong barrier between the untrusted public Internet and the secure private network. This perimeter, built using firewalls, is increasingly porous, with connections established both inbound and outbound.
These trends all impact security:
- Applications exposed to a public URL can be attacked by anyone in the world.
- Users may connect from insecure or compromised devices or networks.
- The security of corporate infrastructure cannot be based solely on perimeter defenses, as these are porous and disappearing.
Why are passwords alone not enough?
Passwords are the oldest, lowest-cost and best-understood mechanism for authenticating users. Unfortunately, they are vulnerable to multiple types of attack:
- If users pick trivial passwords, then attackers can guess them.
- Where users write down or share their passwords, there is no assurance that a user who types a correct password value is the same user whose account is being used.
- Endpoint devices are vulnerable to OS-level exploits, via phishing or zero-day attacks. An exploited OS may be instrumented with a keylogger, which will expose any password the user types.
- Hardware devices, such as keyboards, are vulnerable to hardware hacks (e.g., man-in-the-middle USB connectors) or RF-monitoring attacks, which also capture keystrokes, including typed passwords.
- Users can be fooled into signing into fake websites, which capture their credentials.
- Help desks can be fooled by attackers into resetting legitimate users' passwords.
Despite all this, passwords are likely to remain the most common form of authentication for years to come. The solution is therefore not to eliminate passwords, which is unlikely to happen, but to augment them with another, secondary credential.
The consensus in the IT security community is that stronger security can only be achieved through supplementing passwords with a second credential, which should not be vulnerable to these types of attack.