Passwords: Necessary, but Insufficient for Network Security

The First Form of Security

In the beginning – or at least near the beginning – there was the password. This rudimentary method of security pre-dated computers by at least two millennia, and was commonly utilized by militaries like the Roman Legion to maintain secure access to bases, resources and other high-ranking officers across a wide swath of newly conquered territory.  

As we fast forward to the 20th Century and the advent of the computer, passwords became the primary method of personal identification and access to systems, applications, networks…you name it. As computers became increasingly integrated into the daily lives of people both at work and at home, passwords became even more prevalent and served as the de facto method of security. 

Password Management Today

Today, much to our chagrin, we all juggle passwords across our laptops, tablets and phones in work and personal lives. Remembering the multitude of passwords needed to access different areas of our digital existence has become an onerous, often screen-punching task. It has also become a task rife with security vulnerabilities – particularly at the corporate level. Everyone is now required to remember so many passwords that they resort to insecure practices like writing them down, using easy-to-guess passwords, or using the same password over and over again. 

Most security experts see passwords as one of the weakest links in the security system, but many of the procedures that IT teams undertake with the intent of improving security – like requiring frequent password changes – makes the problem worse. If a hacker guesses a password or gains access to a password from one breach, they can try it again across other applications. Such tactics became household names in IT. For example, inputting a bunch of common passwords is known as “password spraying,” and reusing previously breached passwords is known as “credential stuffing.” 

Password-focused attacks are extremely common. For instance, in the well-publicized campaign of attacks on SolarWinds and many other vendors in 2019, the US  Cybersecurity and Infrastructure Security Agency (CISA) noted that “incident response investigations have identified that initial access in some cases was obtained by password guessing, password spraying…” 

The Move to Single Sign-On (SSO)

As corporate employees found themselves needing to log into more and more different devices, applications and network types, IT teams began leveraging SSO technology to help simplify the process and eliminate the need for people to remember every single password use. At its core, SSO intended to allow employees to have one password that provided them access to all necessary corporate resources.   

For several few years, while most applications still resided inside of a local IT datacenter, many organizations turned to tools like Microsoft’s Active Directory (AD) to manage user identity and access policies. The rise of AD adoption pushed other application vendors to support AD, further supplanting SSO as the then go-to method for password management and access security. 

Then along came Software as a Service (SaaS), and the game changed. SaaS apps went from novel to common incredibly quickly thanks to the simplicity, efficiency and cost effectiveness they promised. As cloud services like Amazon Web Services (AWS) and Microsoft Azure made it easier to build SaaS apps, these tools went from common to ubiquitous. Today, most companies have so many SaaS applications in use that their IT teams need to subscribe to other SaaS apps to help them discover and manage their active SaaS app portfolio.  

Every one of these new SaaS apps now in use utilized passwords. While early on some of these apps supported MS AD or its successor, Microsoft Azure AD (Azure AD), most did not at first. A such, it quickly became clear that successfully rolling out SSO universally was a daunting undertaking for most mid-sized businesses with complex IT environments and limited internal IT resources. After all, a company-wide password manager doesn’t eliminate the proliferation of passwords, and compromised SaaS apps can serve as gateways into the larger corporate network. 

The Rise of Multi-Factor Authentication (MFA)

The explosion of passwords and password-based attacks has created a market for password management software. There are a plethora of vendors who deal solely with simple passwords (e.g., LastPass, Keeper Security, Dashlane), SSO (e.g., Okta, SailPoint, One Identity), or the third and most recent phase in the evolution of the password: MFA (e.g., Cisco Duo).   

Out of SSO emerged MFA, which compliments and strengthens password management and network security efforts by introducing another means of identity verification on top of a person’s username and password. Most MFA vendors today provide mobile-based authentication, which can include methods such as push-based, QR code-based, and one-time password authentication (event-based or time-based), as well as SMS-based verification.  

MFA, like SSO, has its own shortcomings. Mobile-based authentication is particularly vulnerable as mobile devices can be cloned, and apps often run simultaneously across several mobile devices. Advanced hackers can, in theory, intercept an MFA code sent via SMS or email. While this added layer of security raises the necessary skill level to execute a successful attack against a company’s network, critical vulnerabilities still exist. 

The Gold Standard: Network Access Control (NAC)

With enterprise SaaS adoption and corporate networking eco-systems expanding and becoming more complex, MFA alone simply isn’t equipped to provide the secure access and authentication functionality needed to maintain an effective network security posture or to pass a network security audit. 

As we enter a period of unprecedented device proliferation, network expansion, and increased threat sophistication, NAC has emerged as the gold standard for establishing secure access and authentication to corporate networks, applications and other internal resources. NAC, for lack of a better word, has raised the bar and left hackers with their work cut out for them.  

NAC systems evaluate whether a user and their device should be allowed onto a network, based on a series of security checks, MFA included. NAC combines MFA with other unique data points, such as the location of the device or the MAC address of the device to either grant or block their access to the network. Once connected, a NAC goes a step further by continuously measuring the security posture of each device, taking steps to either quarantine or boot the device off the network should it surpass the organization’s desired risk threshold. Additionally, a NAC can control which segment of the network a device can access, further limiting any impact of an intrusion.  

As such, a NAC is a strong addition to tighter password management and MFA because its security controls are complimentary rather than overlapping. NACs were once thought to be powerful, yet complex and hard to manage. With the advent of cloud-native NAC such as Portnox CLEAR NAC-as-a-Service, however, companies can access that power without the hassle of on-site network access control hardware.

The Future of Password Management

While there are efforts to eliminate the need for passwords altogether, most business software will continue to require a username and password to gain access. Therefore, businesses must do more to secure their environments in the face of so many passwords.  

No combination of security controls can guarantee protection, but if an organization operates with a limited IT budget and staff, a combination of password management, MFA, and cloud-native NAC will substantially reduce its risk of cyberattacks.