There have been countless cyberbreaches over the past few years in which personal data, such as user IDs and passwords, have been compromised. These range from attacks against government agencies, such as two recent incidents affecting the national identity systems in Spain and Estonia, to corporate breaches exposing data belonging to millions of customers.

In the aftermath of many of these incidents, affected organizations have been forced to prompt their customers to change their passwords. Many experts and major industry players have even called for organizations to cease using password protection altogether.

However, cybercriminals are after more than just passwords. As the aforementioned attacks against the Spanish and Estonian ID systems demonstrated, all types of credentials are vulnerable to compromise. It’s crucial for security professionals to establish a break-glass emergency plan for protecting user credentials in the event of a data breach.

Responding to a Breach of User Credentials

What should you do in the event of a data breach that exposes user credentials? The appropriate response will depend on the scope. If one user account is compromised, the security team can simply suspend it and ask the user to reset his or her password. In more extreme cases, security professionals can delete the compromised account and create a new one for the user.

If the scope is larger — say, 1 million users — the response can be more challenging. While the response to a breach affecting the entire user population is often straightforward (e.g., a sweeping password reset across the enterprise), an incident affecting just a portion of a large user base requires security professionals to distinguish those credentials from unaffected ones and revoke access to only compromised accounts. This is often impossible, requiring security teams to inconvenience the entire user base.

Intermingling accounts can also cause problems for security professionals in the aftermath of a data breach. If both customer and employee accounts are housed in the same directory, for example, an attack targeting customer accounts would require the security team to reset employee accounts as well, hindering productivity.

Overlapping normal employee accounts with administrator accounts can lead to even bigger complications. The best practice is to separate administrator accounts from others, creating an identity firewall, so to speak, and ensuring that a data breach would be contained to one set of credentials or the other.

Protecting User Credentials Through Segmentation

Identity and access management (IAM) and privileged identity management (PIM) solutions enable security professionals to configure separate directories and tenants to provide this necessary segregation. It is tempting to try to build a unified directory with all users and attributes managed in a single place. This target architecture will initially reduce costs associated with infrastructure and administration efforts, but it becomes unresponsive to change over time and tightly couples many systems together.

A more loosely coupled architecture can segment identities and their management into physically separate systems, or multiple tenants within a single system. These systems permit change, allow delegation and place management responsibility closer to the applications and systems they are running.

As an added benefit, security teams can meet some compliance mandates for data protection that prohibit cross-border movement of user data by putting the identity management in country while still allowing common functions, such as email and intranet access, to be managed at the organization level.

Cloud Considerations

Another important consideration is how to regain access to cloud-based assets in the event of a breach. Cloud systems have no physical consoles or components to secure, presenting a whole new set of challenges when it comes to protecting user credentials. This creates new opportunities for ransomware operators: Since the data is already encrypted, fraudsters only need to gain access to the administration portal and change the master credentials.

Two-factor authentication can help make these systems more secure. Other methods, such as certificate- and key-based access, may introduce new risks. If you somehow lose access to your keys, for example, you will be locked out of the system. Your security mechanisms should account for users introducing a single point of failure into the authentication process.

Establishing a Break-Glass Backup Plan

To prevent these issues from impeding data breach investigation and response efforts, security leaders should establish break-glass processes that enable them to access the systems storing user credentials so they can quickly start the process of resetting IDs and passwords when attackers strike. In today’s highly volatile threat landscape, additional layers of protection go a long way toward securing employee, customer and administrator credentials, and minimizing the consequences of a data breach.

Download the Ponemon Institute 2017 Cost of Data Breach Global Study

More from Identity & Access

Another category? Why we need ITDR

5 min read - Technologists are understandably suffering from category fatigue. This fatigue can be more pronounced within security than in any other sub-sector of IT. Do the use cases and risks of today warrant identity threat detection and response (ITDR)? To address this question, we work backwards from the vulnerabilities, threats, misconfigurations and attacks that IDTR specializes in providing visibility into. As identity threat detection and response (ITDR) technology evolves, one of the most common queries we get is: “Why do we need…

Access control is going mobile — Is this the way forward?

2 min read - Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.“These shifts suggest that threat actors have revalued credentials as a reliable and preferred…

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today