In Case of Emergency, Break Glass: Protecting User Credentials in the Event of a Data Breach

There have been countless cyberbreaches over the past few years in which personal data, such as user IDs and passwords, have been compromised. These range from attacks against government agencies, such as two recent incidents affecting the national identity systems in Spain and Estonia, to corporate breaches exposing data belonging to millions of customers.

In the aftermath of many of these incidents, affected organizations have been forced to prompt their customers to change their passwords. Many experts and major industry players have even called for organizations to cease using password protection altogether.

However, cybercriminals are after more than just passwords. As the aforementioned attacks against the Spanish and Estonian ID systems demonstrated, all types of credentials are vulnerable to compromise. It’s crucial for security professionals to establish a break-glass emergency plan for protecting user credentials in the event of a data breach.

Responding to a Breach of User Credentials

What should you do in the event of a data breach that exposes user credentials? The appropriate response will depend on the scope. If one user account is compromised, the security team can simply suspend it and ask the user to reset his or her password. In more extreme cases, security professionals can delete the compromised account and create a new one for the user.

If the scope is larger — say, 1 million users — the response can be more challenging. While the response to a breach affecting the entire user population is often straightforward (e.g., a sweeping password reset across the enterprise), an incident affecting just a portion of a large user base requires security professionals to distinguish those credentials from unaffected ones and revoke access to only compromised accounts. This is often impossible, requiring security teams to inconvenience the entire user base.

Intermingling accounts can also cause problems for security professionals in the aftermath of a data breach. If both customer and employee accounts are housed in the same directory, for example, an attack targeting customer accounts would require the security team to reset employee accounts as well, hindering productivity.

Overlapping normal employee accounts with administrator accounts can lead to even bigger complications. The best practice is to separate administrator accounts from others, creating an identity firewall, so to speak, and ensuring that a data breach would be contained to one set of credentials or the other.

Protecting User Credentials Through Segmentation

Identity and access management (IAM) and privileged identity management (PIM) solutions enable security professionals to configure separate directories and tenants to provide this necessary segregation. It is tempting to try to build a unified directory with all users and attributes managed in a single place. This target architecture will initially reduce costs associated with infrastructure and administration efforts, but it becomes unresponsive to change over time and tightly couples many systems together.

A more loosely coupled architecture can segment identities and their management into physically separate systems, or multiple tenants within a single system. These systems permit change, allow delegation and place management responsibility closer to the applications and systems they are running.

As an added benefit, security teams can meet some compliance mandates for data protection that prohibit cross-border movement of user data by putting the identity management in country while still allowing common functions, such as email and intranet access, to be managed at the organization level.

Cloud Considerations

Another important consideration is how to regain access to cloud-based assets in the event of a breach. Cloud systems have no physical consoles or components to secure, presenting a whole new set of challenges when it comes to protecting user credentials. This creates new opportunities for ransomware operators: Since the data is already encrypted, fraudsters only need to gain access to the administration portal and change the master credentials.

Two-factor authentication can help make these systems more secure. Other methods, such as certificate- and key-based access, may introduce new risks. If you somehow lose access to your keys, for example, you will be locked out of the system. Your security mechanisms should account for users introducing a single point of failure into the authentication process.

Establishing a Break-Glass Backup Plan

To prevent these issues from impeding data breach investigation and response efforts, security leaders should establish break-glass processes that enable them to access the systems storing user credentials so they can quickly start the process of resetting IDs and passwords when attackers strike. In today’s highly volatile threat landscape, additional layers of protection go a long way toward securing employee, customer and administrator credentials, and minimizing the consequences of a data breach.

Download the Ponemon Institute 2017 Cost of Data Breach Global Study

Neil Warburton

Security Architect, IBM

Neil Warburton is an IBM Security Architect within the IBM Security division. He has over 15 years experience in...