Raj Bhargava (CEO of JumpCloud) and I got into a discussion at dinner the other night about the major security hacks this past year including Sony, eBay, Target, and The Home Depot. Raj spent over a decade in the security software business and it was fascinating to realize that a common thread on virtually all of these major compromises was hacked credentials.
I felt this pain personally yesterday. A bunch of random charges to Match.com, FTD.com, and a few other sites showed up on Amy’s Amex card. We couldn’t figure out where it got stolen from, but clearly it was from another online site somewhere since it’s a card she uses for a lot of online purchases, so I cancelled it. Due to Amex’s endless security process, it took almost 30 minutes to cancel the card, get a new one, and add someone else to the account so I wouldn’t have to go through the nonsense the next time.
In my conversation with Raj, we moved from basic credential security to the notion that the number of sites we access is exploding. Think about how many different logins you have to deal with each day. I’m pretty organized about how I do it and it’s still totally fucked.
Every major new service is managed separately. Accounts to AWS or Google Compute Engine or Office 365 are managed separately. GitHub is managed separately. Google Apps are managed separately. Every SaaS app is managed separately. All your iOS logins are yet another thing to deal with. The only things that aren’t managed separately are individual devices – as long as you have an IT department to manage them. Oh wait, are they managing your Mac? How about your iPhone and other BYOD devices? Logins and passwords everywhere.
Raj’s assertion to me at our dinner was that there are too many different places, and too many scenarios, where something can be compromised. For instance, some companies use password managers and some don’t. Some companies that take password management to an individual level – where a single employee manages her own passwords – end up with many login / password combinations which are used over and over again. Or worse, the login / password list ends up in an unencrypted file on someone’s device (ahem, Sony).
If you are nodding, you are being realistic. If you aren’t nodding, do a reality check to see if you are in denial about your own behavior or your organization’s behavior. Think about how new services enter your organization. A developer, IT admin, marketing person, executive, or salesperson just signs up for a new online service to try. When doing so, which credentials do they use? If it is connecting to your company’s environment, it’s likely they are using your organization’s email address and the very same password they already use internally. That’s a recipe for getting hacked: one breach of that third-party service hands the attacker a working internal login.
So, Raj and I started discussing solutions. Some of it may just be unsolvable as human nature may not let us completely protect users online. But it seems like there are areas where we can make some immediate headway.
- Secure directory services (the approach JumpCloud is taking)
- Multi-factor authentication has become all the rage (I use it)
- Different strong passwords for each service, possibly via a password manager like LastPass (which is what I use)
What other approaches exist that would scale up from small (10 person orgs) to large (100,000 person orgs) and provide the same level of identity and credential security?