There have been countless cyber breaches over the past few years in which personal data, such as user IDs and passwords, have been compromised. These range from attacks against government agencies, such as two recent incidents affecting the national identity systems in Spain and Estonia, to corporate breaches exposing data belonging to millions of customers.

In the aftermath of many of these incidents, affected organizations have been forced to prompt their customers to change their passwords. Many experts and major industry players have even called for organizations to cease using password protection altogether.

However, cybercriminals are after more than just passwords. As the aforementioned attacks against the Spanish and Estonian ID systems demonstrated, all types of credentials are vulnerable to compromise. It’s crucial for security professionals to establish a break-glass emergency plan for protecting user credentials in the event of a data breach.

Responding to a Breach of User Credentials

What should you do in the event of a data breach that exposes user credentials? The appropriate response will depend on the scope. If one user account is compromised, the security team can simply suspend it and ask the user to reset his or her password. In more extreme cases, security professionals can delete the compromised account and create a new one for the user.

If the scope is larger — say, 1 million users — the response can be more challenging. While the response to a breach affecting the entire user population is often straightforward (e.g., a sweeping password reset across the enterprise), an incident affecting just a portion of a large user base requires security professionals to distinguish the compromised credentials from unaffected ones and revoke access to only those accounts. This is often impossible, which forces security teams to inconvenience the entire user base.

Intermingling accounts can also cause problems for security professionals in the aftermath of a data breach. If both customer and employee accounts are housed in the same directory, for example, an attack targeting customer accounts would require the security team to reset employee accounts as well, hindering productivity.

Overlapping normal employee accounts with administrator accounts can lead to even bigger complications. The best practice is to separate administrator accounts from others, creating an identity firewall, so to speak, and ensuring that a data breach would be contained to one set of credentials or the other.
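As an added illustration of the scoping and containment points above (this is example code written for this page, not part of the original article or any vendor product), the following Python models a directory split into customer, employee and admin tenants and decides which credentials a response team must reset. The account ids, tenant names and the in-memory store are all constructed placeholders standing in for a real IAM directory.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Account:
    account_id: str
    tenant: str  # "customer", "employee" or "admin": separate directories/tenants


# Constructed sample directory with the three populations kept apart.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("cust-1001", "customer"),
    Account("cust-1002", "customer"),
    Account("cust-1003", "customer"),
    Account("emp-2001", "employee"),
    Account("emp-2002", "employee"),
    Account("adm-3001", "admin"),
]


def plan_forced_resets(accounts: Iterable[Account], breached_tenant: str,
                       exposed_ids: Optional[Iterable[str]] = None) -> List[str]:
    """Return the account ids whose credentials must be reset or revoked.

    breached_tenant: the directory or tenant the attacker reached.
    exposed_ids: ids known to be compromised, or None when the incident
                 cannot be scoped (then the whole tenant is reset).
    Accounts in other tenants are never included: that containment is what
    the "identity firewall" between directories buys the response team.
    """
    in_tenant = [a for a in accounts if a.tenant == breached_tenant]
    if exposed_ids is None:
        return sorted(a.account_id for a in in_tenant)
    exposed = set(exposed_ids)
    return sorted(a.account_id for a in in_tenant if a.account_id in exposed)


def unified_directory_resets(accounts: Iterable[Account],
                             exposed_ids: Optional[Iterable[str]] = None) -> List[str]:
    """Same decision for one unified directory with no tenant boundary.

    When exposure cannot be scoped, every account, customer, employee and
    administrator alike, has to be reset, which is the intermingling cost
    described above.
    """
    accounts = list(accounts)
    if exposed_ids is None:
        return sorted(a.account_id for a in accounts)
    exposed = set(exposed_ids)
    return sorted(a.account_id for a in accounts if a.account_id in exposed)
```

Note that an employee id appearing in the exposed list for a customer-tenant breach is ignored by `plan_forced_resets`, because that tenant boundary is exactly what keeps the employee population out of the incident.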

Protecting User Credentials Through Segmentation

Identity and access management (IAM) and privileged identity management (PIM) solutions enable security professionals to configure separate directories and tenants to provide this necessary segregation. It is tempting to try to build a unified directory with all users and attributes managed in a single place. This target architecture will initially reduce costs associated with infrastructure and administration efforts, but it becomes unresponsive to change over time and tightly couples many systems together.

A more loosely coupled architecture can segment identities and their management into physically separate systems, or into multiple tenants within a single system. These systems accommodate change, allow delegation and place management responsibility closer to the applications and systems they serve.

As an added benefit, security teams can meet some compliance mandates for data protection that prohibit cross-border movement of user data by keeping identity management in-country while still allowing common functions, such as email and intranet access, to be managed at the organization level.

Cloud Considerations

Another important consideration is how to regain access to cloud-based assets in the event of a breach. Cloud systems have no physical consoles or components to secure, presenting a whole new set of challenges when it comes to protecting user credentials. This creates new opportunities for ransomware operators: Because the data is already encrypted, fraudsters only need to gain access to the administration portal and change the master credentials to lock the organization out.

Two-factor authentication can help make these systems more secure. Other methods, such as certificate- and key-based access, may introduce new risks. If you somehow lose access to your keys, for example, you will be locked out of the system. Your security mechanisms should account for users introducing a single point of failure into the authentication process.

Establishing a Break-Glass Backup Plan

To prevent these issues from impeding data breach investigation and response efforts, security leaders should establish break-glass processes that enable them to access the systems storing user credentials so they can quickly start the process of resetting IDs and passwords when attackers strike. In today’s highly volatile threat landscape, additional layers of protection go a long way toward securing employee, customer and administrator credentials, and minimizing the consequences of a data breach.
