There have been countless cyberbreaches over the past few years in which personal data, such as user IDs and passwords, have been compromised. These range from attacks against government agencies, such as two recent incidents affecting the national identity systems in Spain and Estonia, to corporate breaches exposing data belonging to millions of customers.

In the aftermath of many of these incidents, affected organizations have been forced to prompt their customers to change their passwords. Many experts and major industry players have even called for organizations to cease using password protection altogether.

However, cybercriminals are after more than just passwords. As the aforementioned attacks against the Spanish and Estonian ID systems demonstrated, all types of credentials are vulnerable to compromise. It’s crucial for security professionals to establish a break-glass emergency plan for protecting user credentials in the event of a data breach.

Responding to a Breach of User Credentials

What should you do in the event of a data breach that exposes user credentials? The appropriate response will depend on the scope. If one user account is compromised, the security team can simply suspend it and ask the user to reset his or her password. In more extreme cases, security professionals can delete the compromised account and create a new one for the user.

If the scope is larger — say, 1 million users — the response can be more challenging. While the response to a breach affecting the entire user population is often straightforward (e.g., a sweeping password reset across the enterprise), an incident affecting just a portion of a large user base requires security professionals to distinguish those credentials from unaffected ones and revoke access to only compromised accounts. This is often impossible, requiring security teams to inconvenience the entire user base.

Intermingling accounts can also cause problems for security professionals in the aftermath of a data breach. If both customer and employee accounts are housed in the same directory, for example, an attack targeting customer accounts would require the security team to reset employee accounts as well, hindering productivity.

Overlapping normal employee accounts with administrator accounts can lead to even bigger complications. The best practice is to separate administrator accounts from others, creating an identity firewall, so to speak, and ensuring that a data breach would be contained to one set of credentials or the other.

Protecting User Credentials Through Segmentation

Identity and access management (IAM) and privileged identity management (PIM) solutions enable security professionals to configure separate directories and tenants to provide this necessary segregation. It is tempting to try to build a unified directory with all users and attributes managed in a single place. This target architecture will initially reduce costs associated with infrastructure and administration efforts, but it becomes unresponsive to change over time and tightly couples many systems together.

A more loosely coupled architecture can segment identities and their management into physically separate systems, or multiple tenants within a single system. These systems permit change, allow delegation and place management responsibility closer to the applications and systems they are running.

As an added benefit, security teams can meet some compliance mandates for data protection that prohibit cross-border movement of user data by putting the identity management in country while still allowing common functions, such as email and intranet access, to be managed at the organization level.

Cloud Considerations

Another important consideration is how to regain access to cloud-based assets in the event of a breach. Cloud systems have no physical consoles or components to secure, presenting a whole new set of challenges when it comes to protecting user credentials. This creates new opportunities for ransomware operators: Since the data is already encrypted, fraudsters only need to gain access to the administration portal and change the master credentials.

Two-factor authentication can help make these systems more secure. Other methods, such as certificate- and key-based access, may introduce new risks. If you somehow lose access to your keys, for example, you will be locked out of the system. Your security mechanisms should account for users introducing a single point of failure into the authentication process.

Establishing a Break-Glass Backup Plan

To prevent these issues from impeding data breach investigation and response efforts, security leaders should establish break-glass processes that enable them to access the systems storing user credentials so they can quickly start the process of resetting IDs and passwords when attackers strike. In today’s highly volatile threat landscape, additional layers of protection go a long way toward securing employee, customer and administrator credentials, and minimizing the consequences of a data breach.

Download the Ponemon Institute 2017 Cost of Data Breach Global Study

More from Identity & Access

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today