17 Apr 2019
Password Management and GDPR Compliance
The General Data Protection Regulation (GDPR) represents the biggest shakeup in European data protection legislation in three decades for any organization processing personal data.
Whilst the legislation is timely, the ever-increasing threat of data breaches means that the consequences and cost to companies of getting this wrong are severe.
A much overlooked weak link is the password reset process. Passwords are the most common means of establishing a user’s credentials in order to access corporate data. They are a low-cost, easy-to-deploy method of authentication compared to many alternatives.
IDC points out that the weak link in any process will always be the one exploited. With respect to controlling identities and access, the weak link is the password.
Passwords have many critics, and the weaknesses of passwords are well documented.
Passwords continue to be a primary vector for compromised credentials. The most recent Data Breach Incident Report (DBIR) by Verizon states that 63% of confirmed data breaches involved weak, default, or stolen passwords.
The Service Desk Institute reports that a third of support organizations expect password-related issues to take up more than 25% of their calls. 41% do not even use a password reset tool, and 35% of those have no defined password authentication process at all.
In fact, most of the breaches associated with passwords are a consequence not of any inherent weakness in passwords themselves, but of poor password management.
Password reset is a primary culprit here. The IDC technology spotlight identifies two broad categories of concern.
The first is related to process. In essence, the basics of password resets are straightforward:
Have a process for password resets, and document it.
Follow the process.
Document the fact that you follow the process.
But what process?
The password reset process is almost totally ignored by standard process definitions for IT service management and information security.
The trouble with the ‘trivial’ password reset process is that it is not trivial at all: there are dozens of ways to implement password reset badly.
If the lack of a standard process is the first broad issue, the second, according to IDC, is that you need to be able to prove absolutely that no unauthorized person could know a user’s password.
Most users today call the service desk for assistance in resetting, changing or unlocking their passwords. Gartner call this process the facilitated password reset process (FPR).
Many password reset approaches involve a second person, typically a helpdesk staffer. The involvement of this second person introduces an important vulnerability: privileged user credential abuse. What stops such a person from exposing a user’s password to an unauthorized person (accidentally or otherwise)?
If a privileged user exposes the password to an unauthorized person the ability to compromise that account — untraceably — is unlimited. It also makes proving compliance under GDPR impossible.
The accepted alternative
The accepted alternative, according to IDC, is to use a self-service facility. Self-service password reset offers relief from a manual reset process that consumes scarce and expensive resources, namely people performing a repetitive and menial task.
Service desks and security operations are under pressure to deliver better efficiency and effectiveness, and automation is a primary driver in both of these technology segments.
In addition, users like the idea of self-service. It can be tedious to navigate to a helpdesk by telephone or email. It is rarely a real-time or enlivening experience. Users generally feel frustrated or embarrassed at their loss of access.
Self-service password reset ensures that this ‘second person’ can never expose the user’s password, even though they facilitate the reset. This is done by preventing service desk staff from directly accessing the password function (Active Directory or another native password directory). In reviewing the Fastpass self-service solution, IDC pointed out that the Fastpass Compliance Manager has access to the directory and mediates between the service desk staff and the directory.
The authentication process
Rather than the service desk staff providing a new password, an authentication process is performed with the user. This results in a PIN being issued. The PIN can be transferred directly to the user, or it can be forwarded to a secondary administrator as an extra authentication step (depending on the company’s security process) before being transmitted to the user.
Once the user has the PIN they are instructed to enroll (or re-enroll) in the self-service function, where they use the PIN to reset their own password.
Thus it redirects assisted users back to the self-service process, reinforcing its usage. This in turn discourages users from repeatedly calling the service desk, creating a virtuous circle of self-service password resets.
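To make the mediated flow above concrete, here is an added Python model of it; this is illustrative code written for this article, not Fastpass’s or IDC’s, and the class names, the ten-minute PIN lifetime and the eight-digit PIN format are assumptions. The service desk can only trigger a one-time PIN after verifying the caller; the directory handle lives in the mediator alone, so no helpdesk path can read or set a password, and every step is written to an audit trail.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 600  # assumed policy for this example: a reset PIN lives for ten minutes


class Directory:
    """Stand-in for Active Directory (or another password directory): stores salted hashes only."""
    def __init__(self):
        self.users = {}

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))


class ComplianceManager:
    """Hypothetical mediator: the only component holding the directory handle.
    Service desk staff can call issue_pin(); they have no way to read or set a password."""
    def __init__(self, directory, clock=time.time):
        self._dir = directory
        self._clock = clock
        self._pending = {}  # user -> (sha256(PIN), issue time); the PIN itself is never stored
        self.audit = []     # (actor, subject, event) tuples: the evidence trail compliance relies on

    def issue_pin(self, operator, user, identity_verified):
        """Service desk step: after authenticating the caller, issue a one-time PIN, never a password."""
        if not identity_verified:
            self.audit.append((operator, user, "pin_denied"))
            raise PermissionError("caller identity not verified")
        pin = f"{secrets.randbelow(10**8):08d}"  # eight-digit PIN format is an assumption
        self._pending[user] = (hashlib.sha256(pin.encode()).digest(), self._clock())
        self.audit.append((operator, user, "pin_issued"))
        return pin

    def redeem_pin(self, user, pin, new_password):
        """Self-service step: the user alone exchanges the PIN for a new password."""
        rec = self._pending.pop(user, None)  # consumed on the first attempt, right or wrong
        fresh = rec is not None and self._clock() - rec[1] <= PIN_TTL_SECONDS
        if not fresh or not hmac.compare_digest(rec[0], hashlib.sha256(pin.encode()).digest()):
            self.audit.append((user, user, "pin_rejected"))
            return False
        self._dir.set_password(user, new_password)  # only the mediator ever touches the directory
        self.audit.append((user, user, "password_reset"))
        return True
```

Because the PIN is consumed on its first use, a wrong guess invalidates it and the user must be re-authenticated by the desk, which keeps online guessing out of the flow.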
What is the cost?
However, even though self-service and assisted-service password resets aid compliance with GDPR, there remains a perception that such solutions are expensive, as well as complex to implement and manage. This is particularly the case in heterogeneous environments where a plethora of systems and architectures prevail. Challenging this view can be difficult, particularly where suspicion of ROI-based arguments is common.
IDC believes that a pure ROI justification misses the point because it only considers cost. In fact, GDPR requires firms to consider not only cost but also the risk associated with the processing of personal data. The context in which a company operates and the state of the art in security technology (see Article 32) make it much harder to argue against self-service reset approaches. From a risk perspective, the state of the art in password reset is clearly self-service.