Practical Password Protection (PPP)

One ever-increasing threat your business faces in the cloud and remote-work climate is data loss and exfiltration. Breaches, and the attackers behind them, keep multiplying, leading to data loss and ransom attacks that expose costly and embarrassing regulatory violations. It’s the world we live in. All you have to do is check today’s news, perhaps even in your own industry.

In the age of Personal Protective Equipment (PPE) and Paycheck Protection Programs (PPP), I want to invent another “protective” acronym: Practical Password Protection (PPP). Yes, I want to suggest there are some practical things your organization can and should be employing to keep surprises out of next week’s headlines.

Well known in the Security and Risk Management domain, and simply a matter of good cyber hygiene, is the use of at least two of the following three authentication types.

Type 1 – Something you know

Type 2 – Something you have

Type 3 – Something you are

Let me give you some simple examples. Something you know is your password. Keep it as strong and random as possible: something only you know, not something broadcast over social channels like your birthdate or phone number, which are readily available to any opportunist hacker. Also, don’t tempt every skilled passerby at the office to impersonate you after snapping a photo of the sticky-note password you left brightly visible on your monitor. Now, if someone happens to break through that first authentication layer, that’s where the next two layers of defense enter the scene. Something you have is your cell phone, access badge, or FIDO2 USB key. Something you are is your face, thumbprint, or another biometric such as a retina scan.

Let’s face it, most small businesses don’t need retina scans, nor do they need three factors of authentication. Two is plenty to prevent the “impossible logins” where you’ve signed in from Phoenix and then two hours later from China, right? The idea is that while your data is accessible over the internet and in the cloud, it should only be accessible by authorized users from expected places, not by someone outside your organization in another time zone while your entire team is sleeping.
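As an added illustration of the “impossible login” check described above (this is example code written for this article, not part of the original post or of any vendor product), the script below takes a constructed list of sign-in events, works out the great-circle distance between each user’s consecutive logins, and flags any pair whose implied travel speed exceeds a plausible airliner speed. The sign-in records, coordinates and the 1000 km/h threshold are all assumptions made for the example.

```python
import math
from datetime import datetime

# Constructed sample sign-in events (not real logs): user, UTC timestamp, latitude, longitude, city.
SIGN_INS = [
    ("alice", "2024-03-04T09:00:00", 33.45, -112.07, "Phoenix"),
    ("alice", "2024-03-04T11:00:00", 39.90, 116.40, "Beijing"),
    ("bob",   "2024-03-04T08:30:00", 33.45, -112.07, "Phoenix"),
    ("bob",   "2024-03-04T17:45:00", 34.05, -118.24, "Los Angeles"),
]

# Assumed threshold: roughly airliner speed. Faster than this is "impossible travel".
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    d_phi = math.radians(lat2 - lat1)
    d_lambda = math.radians(lon2 - lon1)
    a = math.sin(d_phi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(d_lambda / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one (user, from_city, to_city, implied_kmh) alert per consecutive
    pair of sign-ins by the same user that would require travelling faster than max_kmh."""
    by_user = {}
    for user, ts, lat, lon, city in events:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), lat, lon, city))

    alerts = []
    for user, evs in by_user.items():
        evs.sort()  # order each user's sign-ins chronologically
        for (t1, la1, lo1, c1), (t2, la2, lo2, c2) in zip(evs, evs[1:]):
            distance = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            # Two sign-ins at the same instant from different places: treat as infinite speed.
            speed = float("inf") if hours == 0 else distance / hours
            if speed > max_kmh:
                alerts.append((user, c1, c2, round(speed)))
    return alerts


if __name__ == "__main__":
    for user, src, dst, kmh in impossible_travel(SIGN_INS):
        print(f"ALERT {user}: {src} -> {dst} implies about {kmh} km/h")
```

In a real tenant this is the kind of rule a conditional-access or sign-in risk policy evaluates for you; the value of the second factor is that a stolen password alone does not get past it.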

You may have heard some other acronyms that should be a normal part of your life by now, whether or not you can recite them: Two-Factor Authentication (2FA), Multi-Factor Authentication (MFA) and One-Time Password (OTP). These all build on authentication type 2, backing up your password with something that only you have in your pocket.

Back to facial recognition. Don’t think it’s “tinfoil hat” stuff: many entities employ it to simplify hardened security measures in high-stakes, regulatory-compliance environments, and in other cases simply to streamline the authentication process altogether.

How about removing passwords altogether?

You may want to remove passwords altogether and sign in with just your face. In a Microsoft stack, for instance, you can have your data in Office 365, devices kept compliant through Intune, on-premises data synchronized using Azure AD Connect, and conditional access rules hardened in Azure, allowing your Surface or compatible Windows Hello device to log you in with “passwordless authentication” simply by using your face. How cool is that?

Single Sign-On (SSO) and password tools such as Azure Active Directory and LastPass can also help federate access to all your portals with one simple login. And you thought all this authentication stuff was going to make your life harder? It’s actually quite exciting how security and convenience are converging in the cloud.

Reach out to Cloudience to find out how you can simplify access and employ the best password protection for your growing business.