RSA Blog
Jun 17, 2024
Five Ways to Safeguard Against Hackers and Threats
If we’ve learned anything over the past several years, it’s that traditional authentication methods requiring the storage of vulnerable secrets, the “crown jewels,” don’t work. Taking aim against hackers and emerging threats like AI is a game of chess, and until we start developing new strategies to win, we’ll continue to be on the receiving end of a forced checkmate. In the past year, the breaches against MGM, AT&T, and UnitedHealthcare resulted in the total loss of user identities for millions of people, not to mention the PR nightmare they created for these unsuspecting brands.
Rather than rehash the past, this article will look ahead at how to move forward from here. Taking the upper hand requires persistence, agility, and fresh thinking. We’ll explore several options for maintaining a strong front line while balancing what is both practical to implement and feasible given the reality of limited resources.
1. Build from the Base: With fixed budgets and the realities of leadership pressure, whatever identity investments get made today must provide immediate Return on Investment (ROI) and stand the test of time. Preventing future breaches requires rethinking how the collective “we” (users and security teams) currently store and secure authentication keys. Identity technology is difficult to change. For example, Active Directory and Kerberos aren’t going away and are likely to persist into the foreseeable future, so IT leaders must build from here.
2. Agile Foundation: When threats change, mitigations will change, but they shouldn’t require a complete rebuild of the foundation. The foundation of any security technology should be cryptographic key management, and the foundation of any identity technology should focus on authentication and account recovery. These credentials are simultaneously the most powerful and the ones that require maximal availability.
3. MFA, Too Much of a Good Thing?: With the availability of adaptive Multi-Factor Authentication (MFA), there is a natural reaction to increase the frequency of checkpoints in response to hackers. However, reactionary impulses to insert friction or additional MFA are often little more than prophylactic, resulting in increased friction, poor UX, and little to no improvement in security or phishing resistance. Such efforts typically lead to continuous-authentication initiatives being sunset 12-18 months later. Until the industry coalesces around best practices, these investments are unlikely to stand the test of time. In the meantime, instead of discussions around “continuous authentication,” the notion of “continuous authorization” is gaining speed. This involves the practical implementation of adaptive authentication, continuous risk assessment, and advancements in machine learning.
4. A “Word” about Passwordless: As an industry, we find the promise of passwordless authentication compelling, but far too often it is vastly overstated. If passwordless approaches are being considered, we need to perform a thorough review to ensure they are not merely reinventions of the existing wheel. Can they authenticate users on demand for every application, on any device, without storing secrets or private keys anywhere? Do they leverage scientific breakthroughs in adjacent fields like cryptography? When the stakes are as high as they are today, solving fundamental key management problems, like authentication and account recovery, is critical and must ensure identity portability across devices.
5. Small Digital Footprints: Before implementing new technologies, remember that any product (identity, security, or otherwise) should be evaluated in part on how much debt it produces. Because identity touches every part of a business, not just IT, this debt compounds rapidly if left unchecked, and it compounds even in the best of circumstances. Examples include the creation and storage of powerful cryptographic credentials, the creation and storage of vast quantities of PII and credentials, and the ongoing maintenance of high-friction account recovery flows. Products that use outdated or inflexible authentication methods, and those that do not integrate with modern standards, also contribute to “identity debt,” a term coined by MIT-trained cryptographer Dr. Charles Herder.
Savvy CIOs and CISOs evaluating systematic risk know that future sustainability against hackers and emerging threats requires shifting to newer models and fresh thinking. One of the most widely reported weakest links in security is trusting the safety of the crown jewels to a single provider to manage and store. This model depends on keeping keys and keychains safe, and that is just too great a burden, even for the most experienced tech giants. Now is the time for security leaders to assess newer, durable, high-yield options for reducing risk, decreasing cost, and improving user experience.
Dr. Tina Srivastava, co-founder of Badge, is a featured RSA expert.