Your cell phone is more secure than 70% of enterprise architectures
In enterprises and government organizations across the world, cybersecurity teams need to bolster their defenses. According to the 2021 Data Breach Report from the Identity Theft Resource Center, organizations reported more data breaches in 2021 (1,862) than ever before. Combined with the growing audacity of ransomware attacks and the threat of attacks from state-sponsored organizations, corporations and governments have good reason to be concerned about the safety of their infrastructure and sensitive assets.
Ironically, many enterprise security leaders already hold the solution to their problems in the palm of their hands. Popular smartphones like Apple’s iPhone 13 or Google’s Pixel 6 use biometric attributes like facial recognition or fingerprint scanning to confirm the user’s identity. These consumer devices — widely adopted in every corner of the globe — point toward the future of enterprise cybersecurity. Teleport’s 2021 State of Infrastructure Access Report found that 70% of enterprises still use passwords to grant access to their infrastructure — the most common security method deployed by those surveyed. If biometric tools like Apple’s Face ID can be compared to a key that can only be used by its owner, password-based access is akin to leaving the key under the doormat and then forgetting about it until you come home to find your TV has been stolen.
The Problem With Passwords
On a fundamental level, password-based architectures require each user to keep a secret. Every user is issued (or chooses) a set of credentials and the security of the system depends on each user’s diligence in maintaining good behavior with those credentials. If they share their password with someone else, store their password in a vulnerable place like an unencrypted Notes app, or even just choose a common password that can be easily guessed, they have effectively provided bad actors with an opening to access the system and then pivot to more valuable areas. What we now know about human behavior is that it’s unrealistic to expect every person using a system to maintain good password hygiene. Passwords and other forms of secrets do not scale. As organizations grow, the probability of a human making a mistake inevitably increases to unacceptable levels. A recent report compiled by email security firm Tessian and Stanford University professor Jeff Hancock found that “43% of people have made mistakes at work that compromised cybersecurity.” If you’re in an office right now, take a look around: nearly half of the people in the room will likely make the type of simple mistake that could lead to a dangerous breach.
Again, the irony here is that all of those coworkers who could leave your systems vulnerable probably have a stronger cybersecurity solution in their pocket or lying on their desk. We have the solution for secure infrastructure access, so why aren’t we using it?
A Better Definition of Identity
To bring enterprise cybersecurity in line with the state of the art in consumer devices, we need to reconsider the way we define “identity” in access management. While previous generations may have considered credentials or aliases to be a form of identity, the reality is that these were simply secrets. “EvKontsevoy1” or [email protected] are not my identity. Instead, my true identity consists of the physical attributes that make me who I am — my fingerprints, my eyeballs, my facial structure — and that cannot be lost or stolen.
In an enterprise environment, secure identity and access management must follow these three steps:
● First, the organization must abandon secrets and instead use biometric traits to establish each user’s identity. When access is secured using two physical factors, like a fingerprint scan and facial recognition, it becomes nearly impossible for a user’s identity to be lost, stolen or even shared.
● Second, the organization must issue an identity to the various machines and applications that can access their infrastructure. What good is it to have a secure identity for a human user if their laptop or phone can simply access the network without having to prove its identity? Modern devices are built with a Trusted Platform Module (TPM), a chip that conforms to international cybersecurity standards and can secure hardware with cryptographic keys. By connecting each device’s identity to its individual TPM, an organization can validate whether or not that device should be able to access its infrastructure.
● Finally, each human identity must be tied to the identity of their device or devices. Each time a user wants to access part of the enterprise’s architecture, they will be forced to validate their own identity as well as the identity of their device, creating a combined access protocol that is almost impossible to hack or steal.
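The three steps above describe a verification flow: the service must see proof of the user's identity and proof of the device's identity on every access, and the two must be enrolled together. The following Go program is an added illustration of that flow, not code from Teleport or from this article. It simulates the hardware pieces: the user's key stands in for a credential that an authenticator releases only after a biometric check (assumed to be passkey-style), and the device key stands in for a key generated inside the TPM and never exported. Both are ordinary ECDSA keys here so the program runs without hardware. The user ID "ev" and device ID "laptop-01" are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Enrollment is what the server stores per user after onboarding: only
// public keys, no shared secret. UserPub models a key released by the
// user's authenticator after a biometric check (assumption: passkey-style);
// DevicePub models a TPM-resident key (simulated with an ordinary key).
type Enrollment struct {
	UserID    string
	DeviceID  string
	UserPub   *ecdsa.PublicKey
	DevicePub *ecdsa.PublicKey
}

// Server issues one-time challenges and checks both signatures on them.
type Server struct {
	users      map[string]Enrollment
	challenges map[string]bool // outstanding challenge nonces, consumed on use
}

func NewServer() *Server {
	return &Server{users: map[string]Enrollment{}, challenges: map[string]bool{}}
}

func (s *Server) Enroll(e Enrollment) { s.users[e.UserID] = e }

// Challenge returns a fresh random nonce that may be answered exactly once.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[string(c)] = true
	return c, nil
}

// AccessRequest carries the user's and the device's signatures over the
// same challenge, so access requires both identities at the same moment.
type AccessRequest struct {
	UserID, DeviceID   string
	Challenge          []byte
	UserSig, DeviceSig []byte
}

// Authorize applies the three checks: live challenge, user bound to device,
// and a valid signature from each of the two enrolled keys.
func (s *Server) Authorize(r AccessRequest) error {
	if !s.challenges[string(r.Challenge)] {
		return errors.New("unknown or already used challenge")
	}
	delete(s.challenges, string(r.Challenge)) // a captured request cannot be replayed
	e, ok := s.users[r.UserID]
	if !ok {
		return errors.New("unknown user")
	}
	if e.DeviceID != r.DeviceID {
		return errors.New("device is not bound to this user")
	}
	digest := sha256.Sum256(r.Challenge)
	if !ecdsa.VerifyASN1(e.UserPub, digest[:], r.UserSig) {
		return errors.New("user identity check failed")
	}
	if !ecdsa.VerifyASN1(e.DevicePub, digest[:], r.DeviceSig) {
		return errors.New("device identity check failed")
	}
	return nil
}

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func sign(k *ecdsa.PrivateKey, challenge []byte) []byte {
	digest := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, k, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// RunScenarios enrolls one user bound to one laptop and reports whether
// (1) the legitimate user+device pair is admitted, (2) the same user's key
// presented from unenrolled hardware is refused, and (3) a replayed
// request is refused. User and device IDs are constructed sample values.
func RunScenarios() (legitOK, otherDeviceRejected, replayRejected bool) {
	userKey, laptopKey, otherKey := genKey(), genKey(), genKey()
	s := NewServer()
	s.Enroll(Enrollment{UserID: "ev", DeviceID: "laptop-01",
		UserPub: &userKey.PublicKey, DevicePub: &laptopKey.PublicKey})

	c, _ := s.Challenge()
	req := AccessRequest{UserID: "ev", DeviceID: "laptop-01", Challenge: c,
		UserSig: sign(userKey, c), DeviceSig: sign(laptopKey, c)}
	legitOK = s.Authorize(req) == nil
	replayRejected = s.Authorize(req) != nil // same signed request a second time

	c2, _ := s.Challenge()
	bad := AccessRequest{UserID: "ev", DeviceID: "laptop-01", Challenge: c2,
		UserSig: sign(userKey, c2), DeviceSig: sign(otherKey, c2)} // wrong hardware
	otherDeviceRejected = s.Authorize(bad) != nil
	return
}

func main() {
	fmt.Println(RunScenarios()) // prints: true true true
}
```

The point of the third scenario is the binding from the article's final step: holding the user's credential alone is not enough, because the claimed device cannot produce a signature from the enrolled TPM key. In a real deployment the device signature would come from the TPM itself and the user signature from a platform authenticator, but the server-side logic stays the same: no stored secret to leak, and both proofs checked on every request.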
This three-step process finally realizes the promise of zero-trust architectures. Users must constantly prove their identity in order to access sensitive systems or information, and that identity is defined using inalienable physical attributes. In our new world of distributed workforces and cloud computing, we must recognize the need for a real zero-trust solution. Establishing one biometric identity for every human, machine and application creates an airtight, scalable solution for the future of work and computing.
Our systems today are less secure than a cell phone — but that doesn’t have to be the case.