Some security service providers have already recognized this trend, such as Bechtle. Sören Wielewicki, head of the Privileged Access Management (PAM) competence center at the Bechtle IT system house in Weimar, has very clear ideas: “Our customers should move away from traditional password management.” In his opinion, the password alone is not secure. The system house therefore increasingly rotates its customers’ passwords after each access.
Bechtle uses various PAM (Privileged Access Management) systems for this. They ensure that users who have logged on to the company’s network with their Windows passwords (stored in Active Directory) can access the various applications with automatically rotating passwords. “Login to the respective target system is performed in the background of the PAM solution – users never see a password,” emphasizes Wielewicki. This is exactly where the advantage of a PAM system lies: “It rotates the passwords in a targeted way and audits the secure use of the actual account behind them,” the Bechtle manager continues.
The IT service provider CT Cloud Design, which specializes in cloud security, continues to rely on “classic” password management solutions – currently these are the open source software “Passbolt” and the MFA (multi-factor authentication) solution “AuthPoint Total Identity Security” from WatchGuard.
Christian Priske, Head of General Presales at MCL Group, places particular emphasis on compliance with security guidelines: “Customers for whom the attributes of security and trust are only partially compatible like to rely on open source tools like Keepass.” In his opinion, one should always be aware of where passwords are stored – locally, on the server or in the cloud – how these passwords are protected against loss and how often they need to be renewed. “Services can sometimes fail or be unavailable,” warns the MCL manager.
Jan Eike Carstens, CEO at CT Cloud Design, thinks the same way: “Passwords are one of the most sensitive things that need to be protected. That’s why our customers set very high security requirements when it comes to storing passwords.” And that’s why Carstens ensures that customers’ systems are always brought up to the latest security standards in good time and offers software updates as a managed service.
The already mentioned multi-factor authentication is well accepted by all customers these days; many users are already familiar with this procedure from their private lives (e-commerce, online banking, PayPal and so on). Bechtle AG uses various passwordless user identification methods such as facial recognition, fingerprint or FIDO authentication (Fast IDentity Online) for its customers.
In addition, the system house also controls access to sensitive systems of its customers very precisely, so that privileged rights are only granted to system administrators after consultation with the supervisor. “By changing a password on the PAM platform – after every administrative activity – the life cycle of the password is significantly shortened,” Wielewicki describes the procedure. In addition, access can even be recorded. According to the Bechtle manager, the password can be considered secure under these conditions. “Recorded passwords can also be examined for irregularities and these can be reported to management if necessary.”
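The lifecycle Wielewicki describes in the two passages above (the vault logs in on the user’s behalf, the user never sees the password, the credential is rotated after every administrative activity, and every step is recorded for audit) can be modelled in a few dozen lines. The following is an added illustration, not Bechtle’s code or any PAM product’s API; the vault, target system, account and user names are hypothetical, and the “target system” is a stand-in that only stores a salted PBKDF2 hash, as a real host would.

```python
"""Model of a PAM check-out / rotate-on-check-in cycle (added example, hypothetical names)."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field
from typing import Optional

SYMBOLS = "!#$%&*+-=?@^_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length: int = 32) -> str:
    """Draw a password from the OS CSPRNG, retrying until every character class is present."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


@dataclass
class TargetSystem:
    """Stand-in for a managed host: it keeps only a salted PBKDF2 hash of the account password."""
    name: str
    _salt: bytes = field(default_factory=lambda: secrets.token_bytes(16), repr=False)
    _digest: bytes = field(default=b"", repr=False)

    def set_password(self, password: str) -> None:
        self._digest = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        return hmac.compare_digest(candidate, self._digest)


class PamVault:
    """Brokers privileged sessions; the secret stays vault-side and is rotated on check-in."""

    def __init__(self) -> None:
        self._secrets = {}    # (host, account) -> current password, known only to the vault
        self._sessions = {}   # session handle -> (target, account, user)
        self.audit = []       # append-only event list an auditor can review

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"event": event, **fields})

    def onboard(self, target: TargetSystem, account: str) -> None:
        """Take over an account: set a fresh random password that only the vault knows."""
        pw = generate_password()
        target.set_password(pw)
        self._secrets[(target.name, account)] = pw
        self._log("onboard", host=target.name, account=account)

    def open_session(self, user: str, target: TargetSystem, account: str,
                     approved_by: Optional[str]) -> str:
        """Log in to the target on the user's behalf; hand back a session handle, never the password."""
        if not approved_by:  # privileged rights only after consultation with a supervisor
            self._log("denied", host=target.name, account=account, user=user)
            raise PermissionError("privileged access requires supervisor approval")
        pw = self._secrets[(target.name, account)]
        if not target.login(pw):
            raise RuntimeError("vault and target are out of sync; re-onboard the account")
        sid = secrets.token_hex(8)
        self._sessions[sid] = (target, account, user)
        self._log("session_open", session=sid, host=target.name, account=account,
                  user=user, approved_by=approved_by)
        return sid

    def close_session(self, sid: str) -> None:
        """End the session and immediately rotate the credential that was just used."""
        target, account, user = self._sessions.pop(sid)
        new_pw = generate_password()
        target.set_password(new_pw)
        self._secrets[(target.name, account)] = new_pw
        self._log("session_close", session=sid, host=target.name, account=account, user=user)
        self._log("rotate", host=target.name, account=account)


def run_demo() -> dict:
    """Walk one admin session through the vault and report what an auditor would check."""
    vault = PamVault()
    db = TargetSystem("db01")                 # hypothetical managed host
    vault.onboard(db, "root")
    denied = False
    try:
        vault.open_session("alice", db, "root", approved_by=None)
    except PermissionError:
        denied = True
    sid = vault.open_session("alice", db, "root", approved_by="bob")
    used_pw = vault._secrets[("db01", "root")]  # peeked for the demo only; the user never gets this
    vault.close_session(sid)
    return {
        "unapproved_denied": denied,
        "handle_is_not_password": sid != used_pw,
        "old_password_still_valid": db.login(used_pw),  # False: rotated on check-in
        "new_password_valid": db.login(vault._secrets[("db01", "root")]),
        "events": [e["event"] for e in vault.audit],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point the model makes concrete is the one in the text: after check-in the password an administrator’s session actually used is worthless, because the host already holds a new one, and the audit list records who approved the access, who used it and when it was rotated.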
However, multi-factor authentication does not seem to have caught on everywhere, as Jan Eike Carstens notes: “Not all manufacturers still support standardized login procedures such as SAML or Radius authentication for secure multi-factor login to systems.” In customer projects, the head of CT Cloud Design has often experienced problems when implementing single sign-on, especially when solutions from several different security providers meet in the same environment. Here, Carstens would like a wider selection of authentication systems.
At this point, Christian Priske pleads for the mobile phone as an authentication device: “Users are familiar with fingerprint sensors, PIN entries and face recognition systems from their smartphones.” A combination of identifying the user on the mobile phone with a secure static password would, according to MCL, make it very difficult for potential attackers to gain unauthorized access to the company’s network.
And this is where the managed service provider can also score: “With our locking systems, including camera technology, we can not only biometrically secure password-free access to the office workplace, but also access to the campus and data center,” argues Priske.
However, the MCL manager does not consider it realistic to do without passwords at all. In this connection, he is primarily concerned with the non-personal “superuser” accounts, which are not normally needed. However, if you wish to maintain access to your systems in the event of termination, illness, or even death of the system administrator, you should know the “superuser” password. In this case, Priske recommends keeping this special password in a physically safe place, e.g. a safe – written down the old-fashioned way on a piece of paper. The procedure is familiar from your own mobile phone: anyone who has entered the PIN code (Personal Identification Number) for activating the SIM card incorrectly three times in a row must then unlock it again with the “super PIN”, the PUK, i.e. the personal unlock key.
But how easy or how hard is it to get customers excited about passwordless, or at least low password, IT security systems? For Bechtle manager Wielewicki, the first contact is always important: “Because it is important for us to find the right solution together with our customers, our cooperation always starts with a standardized questionnaire and a workshop based on it.”
Based on the requirements and possible application scenarios specified therein, Bechtle proposes the two solutions that best suit the customer’s needs and then creates a proof of concept to demonstrate the basic feasibility of the project. “In this way, we can convince our customers to move away from traditional password management,” continues Wielewicki.
The Bechtle manager recommends above all such privileged access control solutions for operators of critical infrastructures, i.e. energy and water suppliers, logistics companies, hospitals and all customers aiming for certification according to ISO 27001: “We often find that customers, above all, are very open to this topic after a cyber incident.” If the customer is then ready to invest in PAM systems, Bechtle defines a roadmap together with them. The system house always starts with the most sensitive systems at the customer, after which the expansion takes place step by step. In principle, Wielewicki sees privileged access management solutions as a sensible investment for all customer segments and industries – of course only from a certain minimum number of critical IT systems.
Christian Priske argues similarly. The presales manager at MCL has also experienced that companies often only address the IT security issue after a “successful” cyber attack. But there are also interested parties who seek an IT security service provider due to certification requirements or before taking out cyber insurance. “Due to a lack of time and resources, the customer’s own IT departments cannot carry out these tasks,” says Priske. In his opinion, it helps to have a partner with experience in implementing such measures.
In addition, the MCL manager considers it essential that the security solution offered to the customer must be easy to use, otherwise it will not be accepted. However, Priske also insists that customers must be “forced” to use certain tools to truly comply with security guidelines once they are defined. Customers were often won over by practical examples of how easily passwords can be “stolen” and misused, and how far-reaching the damage can then be. “We can simulate such attacks on customers, which often impresses them greatly,” reports the MCL salesperson. After all, such simulations in the customer environment often provide the best sales arguments.
For Jan Eike Carstens from CT Cloud Design, the need to invest in password management systems is obvious: “No one can remember the many passwords anymore.” And since complex passwords must be used according to specifications, there is no way around a management tool for those passwords. “Otherwise, these passwords would be lying around in plain text somewhere, and that would increase the security risk to the customer tremendously,” continues CT Cloud Design’s CEO.