Back in high school, we all had lockers. To secure them, many of us trusted simple combination padlocks. While easily snipped with a pair of bolt cutters, this form of protection was enough to keep nosy classmates out of our stuff.
The problem, however, is that today’s companies are using the equivalent of simple padlocks to secure data worth millions.
Let me explain. If you have read my previous blogs, you know that the main problem with today’s security strategies lies in the reliance on static credentials. Passwords, access cards, fingerprint scanners, and other biometric methods measure authentication on “what you know” and not “who you are.”
True authentication should be based on USER identification, not “ability to access.” Most authentication methods are easily thwarted with copied credentials. If I know your password, the system will give me the same access as you. In other words, the system doesn’t care WHO you are, just that you had the right key to access it.
In the past, the security industry addressed these weaknesses with more complex credential rules and shorter password lifecycles. But users pushed back, claiming that the decrease in convenience was too much to bear. Corporate IT managers capitulated out of sheer exasperation at the tidal waves of user complaints.
Password rules were made lax. Password expiration dates were extended or even removed altogether, just to calm angry users. These same users were allowed to keep their easily guessed passwords for years, or keep a black book of passwords in their desk, all to assuage the “pain” of inconvenience.
However, server security was compromised in the process. Today’s hackers know some very important facts:
- Complex passwords are hard to remember, so users tend to err on ease of memory rather than the inherent security of complexity.
- If allowed, most users will use the same password to access multiple, disparate accounts.
- Most users have no problem giving those same passwords over the phone to someone they feel they can trust with the information.
- If a company forces password changes often, their users will compensate by documenting those passwords somewhere easily accessible.
- Companies continue to grant server access to computers outside of their control (users’ home PCs) where security and software installation policies are often ignored.
Once again, today’s security is based on the centuries-old methodology of “keys.” A password is simply a key. Anyone with it can access everything the owner can. Whether that key is a password, or a complex fingerprint scan, that data is easily copied and used by ANYONE.
Until companies realize that convenience must take a backseat to security, this problem will continue.
Luckily, forward-thinking organizations are starting to turn to cognitive identification to solve this dilemma. With minimal impact to convenience, this system eradicates the static credential security flaws.
To learn more about the cognitive solution offered by NimbusID, watch this video! Your data is worth more than high school textbooks. Secure it with something stronger than a three-dollar combination padlock.