Tuesday, April 26, 2016

#empoexpiire Lack of automated rotation is identified by @cloudsa as a problem...but automated rotation is not the solution


The Cloud Security Alliance recently published a report (downloadable from here) that talked about security breaches.

In February of 2016, the Cloud Security Alliance released “The Treacherous Twelve: Cloud Computing Top Threats in 2016” which revealed the top concerns expressed by IT security professionals in cloud computing. Data Breaches, Account Hijacking, and Malicious Insiders all rated as top threats. The enabling of these attacks can occur because of a lack of scalable identity access management systems, failure to use multifactor authentication, insufficient password use, and a lack of ongoing automated rotation of cryptographic keys, passwords, and certificates. As a result, these deficiencies can enable unauthorized access to data and potentially catastrophic damage to organizations and end users. It was not surprising to find that Insufficient Identity, Credential, and Access Management was listed as the top vulnerability in the report.

Cloud Security Alliance “IDENTITY SOLUTIONS: Security Beyond the Perimeter”

For professional reasons - my employer provides both biometric and cloud-hosted solutions - I am interested in tons of things in this report, but for this blog post I want to focus on the statement about "a lack of ongoing automated rotation of cryptographic keys, passwords, and certificates."

My question:

So what?

As has been previously noted in other posts with this hashtag, there is really only one "automated rotation" that is required in IT security: rotate the keys/passwords/certificates in when the person requires access, and rotate the keys/passwords/certificates out when the person no longer requires access.

Years ago, a guy named Lamar worked at one of my employers. Lamar was a tall, imposing man. Among his other duties at the time, one of his jobs was to stand outside of the office/cubicle of a person who had just been terminated from the company as said person was packing up his/her things.

If I were to convert Lamar's name into an acronym for termination procedures, the "R" in LAMAR would stand for Revoke. As the person is packing up to leave the facility - or perhaps as the person is getting the bad news in a human resources office - your IT professional should be revoking the person's passwords and shutting off the person's company phone. Meanwhile someone should be taking the person's company phone, along with keys, computers, and the like.

Guess what? If all of these access privileges are revoked upon the termination of the employee - or upon the termination of an employee's need to have a certain level of access - then there is no NEED for an automated rotation policy. Which means that people won't have to deal with the hassles of such a rotation policy, and won't have to write passwords down every 90 or 60 or 30 days. Remember my prior post in which I quoted Lorrie Cranor (Chief Technologist of the U.S. Federal Trade Commission)?

There is also evidence from interview and survey studies...to suggest that users who know they will have to change their password do not choose strong passwords to begin with and are more likely to write their passwords down. In a study I worked on with colleagues and students at Carnegie Mellon University...we found that CMU students, faculty and staff who reported annoyance with the CMU password policy ended up choosing weaker passwords than those who did not report annoyance.

And remember the story from Alan Henry that I shared in this post:

I knew one person who put post-it notes [with her passwords] on the bottom of their chair—she was livid when she arrived one morning to find a colleague had borrowed her chair for an impromptu meeting in her office next door.

So if you get rid of auto-rotation, everyone will be more secure.
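The "rotate in when access is required, rotate out when it is not" procedure described above, as an added example that is not part of the original post: a reconciliation of a constructed HR roster against a credential inventory that produces the revocation list on termination or role change, with a calendar-based 90-day age check alongside for contrast. The Person and Credential fields, the roles and the sample data are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
TODAY = date(2016, 4, 26)  # constructed reference date for the sample data below
@dataclass(frozen=True)
class Person:
    user: str
    role: str
    terminated_on: Optional[date] = None  # None while the person still needs access

@dataclass(frozen=True)
class Credential:
    cred_id: str
    owner: str            # roster user who holds it
    needed_by: frozenset  # roles that legitimately require this credential
    last_set: date        # when it was last issued or rotated

def credentials_to_revoke(roster, credentials, today=TODAY):
    """Event-driven 'rotate out': revoke when the owner is terminated, unknown, or in a role without need."""
    people = {p.user: p for p in roster}
    revoke = []
    for c in credentials:
        p = people.get(c.owner)
        if p is None:
            revoke.append((c.cred_id, "no owner on roster"))
        elif p.terminated_on is not None and p.terminated_on <= today:
            revoke.append((c.cred_id, f"owner terminated {p.terminated_on}"))
        elif p.role not in c.needed_by:
            revoke.append((c.cred_id, f"role {p.role} no longer requires it"))
    return revoke
def due_for_rotation(credentials, max_age_days=90, today=TODAY):
    """Calendar-driven rotation, for contrast: flags by age only and is blind to who holds the credential."""
    cutoff = today - timedelta(days=max_age_days)
    return [c.cred_id for c in credentials if c.last_set <= cutoff]
# Constructed roster and credential inventory (not real data).
ROSTER = [
    Person("alice", "engineer"),
    Person("bob", "support", terminated_on=date(2016, 4, 25)),  # walked out yesterday
    Person("carol", "finance"),  # moved from engineering to finance
]
CREDENTIALS = [
    Credential("pw-alice", "alice", frozenset({"engineer", "support"}), date(2016, 1, 4)),
    Credential("key-bob", "bob", frozenset({"support"}), date(2016, 4, 1)),
    Credential("phone-bob", "bob", frozenset({"support", "engineer", "finance"}), date(2016, 4, 1)),
    Credential("cert-carol", "carol", frozenset({"engineer"}), date(2016, 3, 1)),
    Credential("key-dave", "dave", frozenset({"engineer"}), date(2015, 6, 1)),  # owner not on roster
]

if __name__ == "__main__":
    print(credentials_to_revoke(ROSTER, CREDENTIALS), due_for_rotation(CREDENTIALS))
```

Run on the constructed data, the event-driven pass revokes both of bob's credentials the day after he leaves, carol's engineering certificate after her move, and the orphaned key, while the 90-day rule churns alice's perfectly good password and leaves bob's fresh credentials untouched.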