How to Overcome the Challenges of Implementing Multifactor Authentication


A recent CTE Research survey confirmed what is already widely known: weak passwords continue to be a serious problem that most organizations haven’t done enough to address. The survey found that about four out of five data breaches involve weak or stolen passwords. Nearly half (47 percent) of survey respondents believe their company’s employees use simple or weak passwords, while 31 percent believe employees reuse business passwords for personal applications.

When stolen credentials provide access to privileged accounts, the damage can be devastating. Hackers specifically target privileged accounts so they can move through networks undetected and access sensitive data and applications.

Because of the weaknesses of the conventional username-password method of authentication and the severe consequences of breaches involving privileged accounts, security experts recommend multi-factor authentication (MFA) to reduce risk. In fact, many industry regulations require MFA for remote administrator access.

MFA requires two forms of authentication from two categories before a user can log into a network or complete a transaction. Typically, MFA involves a combination of something the user knows (such as a password), something the user has (such as an ID card, an OTP fob or a certificate) and something the user is (such as a fingerprint or other biometrics). Even if hackers steal privileged account credentials, they still won’t be able to access the second factor.

Of course, adding MFA to privileged accounts can be challenging. You’re likely to hear complaints from users, even if MFA adds only a few seconds to the authentication process. If you have multiple users accessing a shared account such as a domain admin-level account, incorporating MFA can be cumbersome. Also, costs can run high when adding MFA to multiple devices and both on-premises and cloud environments, many of which don’t lend themselves to MFA. Similarly, MFA has to be integrated with existing security tools that might have compatibility issues.

A centralized solution like the CyberArk privileged account management system can help you overcome the complexity of adding MFA while minimizing the impact on the user experience. The first step is to place MFA in front of existing security solutions to strengthen the weakest security links.

Keep in mind that MFA is relatively simple to implement for individual users, because each account has its own token. However, one admin account could be used by multiple admins. When enforcing MFA on shared accounts, look for ways to trace access and activity back to the individual user. CyberArk’s Privileged Session Manager, coupled with MFA, allows you to add MFA to a shared account without losing track of exactly who is doing what.

MFA should also be extended to legacy systems, each of which has a privileged account that can be managed through CyberArk. When you put MFA on the front end, all disparate systems will use MFA, regardless of the MFA solution. Access to disparate systems should still go through the isolation framework as required by regulations. During this process, the user authenticates to CyberArk with MFA.

For Privileged Session Manager, this could happen from the browser or the user’s native tools. Privileged Session Manager becomes the jump server into an environment that’s isolated for compliance purposes. CyberArk will then handle session routing, connect users, and provide a full audit trail.

Clango’s team of CyberArk-certified engineers and security experts can help you integrate CyberArk with your existing tools and incorporate MFA to boost security and satisfy compliance requirements. Let us show you how to combine CyberArk with MFA to minimize the risk of data breaches involving stolen privileged account credentials.


For more information about CyberArk, please send us an email at (
