May 15, 2019
Zero Trust

Passwords are Just One Piece of the Cybersecurity Puzzle

Corey Williams Vice President, Marketing

To achieve Zero Trust security, “never trust, always verify” must extend beyond users to their devices as well. In a previous post, I described the importance of the first step in Zero Trust: verifying every user who logs in.

Once you have verified that people are who they say they are, you must also consider the device from which they connect. Is it a known device that’s associated with the user? And then, more importantly, is it in a good security posture?

To ensure real safety, every device must be validated before granting access. To do that, we must first assess how users gain access through their devices today.

“What’s The Password?”

Today, nearly everyone locks their devices with some kind of password. That’s unequivocally a great thing, but it’s still important to keep in mind two universal truths about passwords: 1) they’re not all created equal, and 2) they’re just one piece of the cybersecurity puzzle.

In looking at the first, there’s tons of evidence supporting the idea that passwords are only as good as the user. I’ve said this before many times, but 81% of breaches involve weak and stolen passwords. So how does that happen?

A recent study found that millions of people are using easy-to-guess passwords on sensitive accounts. From popular sports teams to musicians, and classics like “123456” and “qwerty” and the all-time great “password”, users do a terrible job of choosing secure passwords.

Now, this doesn’t paint the full picture, and it’s not entirely their fault. When you add the context that the average business user today manages upwards of 200 passwords, it’s not so hard to believe there might be some cut corners somewhere.

So, if not all passwords are created equal, then what are the other pieces of the cybersecurity puzzle needed to keep users safe?

Beyond Passwords

The first step to more secure access is ensuring that users are logging into their device with more than simply a password. Devices also need some kind of adaptive multi-factor authentication (MFA) to go along with that password.

An additional layer of security can be applied when these MFA-supported passwords are coupled with some level of device and app management to confirm the right policies and lock them in place. It’s even possible for Next-Gen Access technology to score the “riskiness” of that device under certain conditions — such as where it’s used, what browser it has, etc. — to make a safe (and more informed) access decision.

It’s the combination of these things that allows us to know that the device is associated with an end-user and that it’s in a trustworthy state. However, we’re not done there. For all of the pieces of a Zero Trust model to come together, we must intelligently limit users’ access. Our next blog will tackle how to make sure users only have access to what they need.

Corey Williams


Corey Williams is the Vice President of Marketing & Strategy and lead evangelist for Idaptive, leading all marketing functions, as well as market development and strategy. Corey served as the Senior Director of Products and Marketing for more than a decade at Centrify where he was the visionary behind, and the first product manager of, the set of products that were ultimately spun out of Centrify to become Idaptive, including leading SaaS services for Single Sign-on (SSO), Adaptive Multi-factor Authentication (MFA), endpoint and mobile context, and User Behavior and Risk Analytics (UBA).

 While at Centrify, Corey defined and brought to market seven net-new product offerings directly contributing to the growth of the existing customer base from less than 400 customers to over 5000 customers. He also led efforts with major industry analysts that directly resulted in Centrify being named as a leader in all of the major analyst reports including the Gartner Magic Quadrant and Critical Capabilities reports for Access Management, Worldwide; Forrester IDaaS Wave; KuppingerCole Cloud MFA Leadership Compass; and Network World Clear Choice Winner for Single Sign-on Solutions.

Corey is a frequent speaker and commentator on IT Security and IT Management. He has authored several publications, including “Zero Trust Security for Dummies”, a leading guide for enterprise managers.

Prior to Centrify, Corey led products and marketing for SpikeSource (acquired by Black Duck Software), Syndera (acquired by Tibco), and Journee Software (acquired by Initiate Systems). Earlier in his career, he managed pre- and post-sales consulting for Active Software (acquired by webMethods). 

Corey holds degrees in Mathematics (BS) and Computer Science (BS) from New Mexico State University, as well as an MS in Engineering and an MBA from San Jose State University. 

CHAMELEON-LIKE SUPERPOWER

If Corey could have any chameleon-like superpower, it would be the chameleon's tongue, which is ridiculously fast. Some of the world's smallest chameleons have the world's fastest tongues. In automotive terms, the tongue could go from 0 to 60 miles per hour in a hundredth of a second! “I would be able to complete webinars in 4.5 seconds instead of 45 minutes!”