Thomas Pedersen, CTO and co-founder of OneLogin, explores the differences between corporate and consumer identities, how businesses can protect employee identity and access management, and, ultimately, how businesses can use identity standards to remove the weak links in corporate identity and adopt a security-first mentality.
Weak passwords have plagued businesses and their security perimeters for generations. People tend to choose passwords that are easy for them to remember without considering how a weak password exposes their data. The same habit carries into corporate environments, where employees reuse personal passwords for work accounts. A password that leaks from a personal account can then be tried against the employee's corporate login, so it becomes far easier for criminals to move from an individual's personal information to company data.
The reality is that most organisations fail to enforce even basic password requirements, leaving the business at significant risk of a data breach. According to OneLogin's research, only 31% of UK organisations require employees to rotate their passwords monthly, 52% request rotation only once every three months, and 14% rotate passwords only every six to twelve months. (Scheduled rotation itself is no longer recommended by NIST SP 800-63B, which favours screening passwords against breach lists and changing them on evidence of compromise; the underlying finding stands, though: most organisations have no enforced password policy of any kind.)
The good news is that enterprise identity has two major advantages over consumer identity. The first is that an enterprise owns and manages all of its employees' corporate identities, from the day an employee joins the organisation to the day they leave.
When someone starts a new position, they are issued an email address and password that tie them to the organisation they have joined. This is in effect an employee corporate ID, granting access to the relevant parts of the corporate network and applications. The day they leave, that account is suspended, and with it their access to the network and applications. That lifecycle only works in practice if the account is the single gate to every application: any application with its own local password outlives the suspension.
The second advantage enterprise identities have over consumer identities is that the enterprise space has identity standards that let a large ecosystem of vendors interoperate, chief among them Security Assertion Markup Language (SAML). The standard is supported by thousands of enterprise applications and removes the need for application-specific user passwords. For example, once an organisation enables SAML for a cloud application such as Salesforce and enforces it, users can no longer sign in to Salesforce with a Salesforce password.
When an employee tries to sign in to the organisation's Salesforce account, Salesforce instead redirects the browser to the organisation's identity provider, which authenticates the user and then signs them in to Salesforce using the SAML protocol.
The result is a safer and more seamless environment for employees, with no application passwords to rotate or reuse. Employees and the enterprise can rely on the SAML exchange to authenticate users effectively, provided the identity provider itself is strongly protected, since it is now the single point of authentication for every connected application.
Without getting too technical, SAML eliminates application passwords by replacing them with a digital signature from the organisation's identity provider. The identity provider holds a private signing key; the matching public key, packaged as an X.509 certificate, is handed to each application when the SAML connection is configured (usually via the provider's metadata). When the identity provider signs a user in to, say, Salesforce, it generates a so-called SAML assertion: a digitally signed XML document that states, among other things, who the user is.
Salesforce uses that certificate to verify the signature and, only then, extracts the user's identity from the assertion. Note that the certificate belongs to the identity provider, not to the user: there is one signing key for the whole organisation, and no per-user secret ever reaches the application. To use ourselves as an example, all the important cloud apps we use at OneLogin support SAML, on both web and mobile, which means employees don't have to remember any app-specific passwords. All they need to remember is their OneLogin password, which is protected by multi-factor authentication.
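The exchange described in the preceding paragraphs, reduced to code as an added example; this is not OneLogin's or Salesforce's code. The identity provider `https://idp.example.com`, the application `https://sp.example.com`, the user `alice@example.com` and the pared-down assertion are all constructed for the example. One simplification is marked in the code: real SAML embeds an XML-DSig signature inside the assertion over its canonicalised form, whereas this example signs the serialised assertion bytes with a detached RSA signature. The trust model is the one the article describes: a single private key at the identity provider signs every user's assertion, and the application verifies with the provider's public key (in practice the certificate from its metadata) before it believes anything the XML says.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"fmt"
	"time"
)

// Pared-down SAML 2.0 assertion, constructed for this example. Real ones also carry
// SubjectConfirmation (InResponseTo, Recipient), AuthnStatement, attributes and XML-DSig.
type Conditions struct {
	NotBefore    string `xml:"NotBefore,attr"`
	NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
	Audience     string `xml:"AudienceRestriction>Audience"`
}

type Assertion struct {
	XMLName    xml.Name   `xml:"Assertion"`
	ID         string     `xml:"ID,attr"`
	Issuer     string     `xml:"Issuer"`
	NameID     string     `xml:"Subject>NameID"`
	Conditions Conditions `xml:"Conditions"`
}

// SignedAssertion is what travels through the browser to the SP. Simplification: real
// SAML embeds an XML-DSig over the canonicalised assertion; here the signature is detached.
type SignedAssertion struct {
	XML, Signature []byte
}

// IdP holds the single private key that signs every user's assertion; the
// matching public key (an X.509 certificate in IdP metadata) goes to each SP.
type IdP struct {
	EntityID string
	Key      *rsa.PrivateKey
	seq      int
}

func NewIdP(entityID string) (*IdP, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	return &IdP{EntityID: entityID, Key: key}, err
}

// Issue runs after the IdP has authenticated the user (password plus MFA, not shown). It
// asserts "nameID is signed in" for one audience and a short window; no user secret is involved.
func (idp *IdP) Issue(nameID, audience string, now time.Time) (SignedAssertion, error) {
	idp.seq++
	a := Assertion{ID: fmt.Sprintf("_%d", idp.seq), Issuer: idp.EntityID, NameID: nameID,
		Conditions: Conditions{
			NotBefore:    now.Add(-time.Minute).UTC().Format(time.RFC3339),
			NotOnOrAfter: now.Add(5 * time.Minute).UTC().Format(time.RFC3339),
			Audience:     audience,
		}}
	body, err := xml.Marshal(a)
	if err != nil {
		return SignedAssertion{}, err
	}
	sum := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, idp.Key, crypto.SHA256, sum[:])
	return SignedAssertion{XML: body, Signature: sig}, err
}

// SP is the application (Salesforce in the article). It stores the IdP's entity
// ID and public key from metadata exchanged out of band, never a user password.
type SP struct {
	EntityID, IdPEntityID string
	IdPKey                *rsa.PublicKey
}

// Verify runs the SP-side checks: signature first (nothing in the XML is
// trusted until it is authenticated), then issuer, audience and validity window.
func (sp *SP) Verify(sa SignedAssertion, now time.Time) (string, error) {
	sum := sha256.Sum256(sa.XML)
	if err := rsa.VerifyPKCS1v15(sp.IdPKey, crypto.SHA256, sum[:], sa.Signature); err != nil {
		return "", fmt.Errorf("signature does not verify against the IdP key")
	}
	var a Assertion
	if err := xml.Unmarshal(sa.XML, &a); err != nil {
		return "", err
	}
	if a.Issuer != sp.IdPEntityID {
		return "", fmt.Errorf("unexpected issuer %q", a.Issuer)
	}
	if a.Conditions.Audience != sp.EntityID {
		return "", fmt.Errorf("assertion is for %q, not this SP", a.Conditions.Audience)
	}
	nb, err1 := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	noa, err2 := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err1 != nil || err2 != nil || now.Before(nb) || !now.Before(noa) {
		return "", fmt.Errorf("assertion outside its validity window")
	}
	return a.NameID, nil
}
```

Wiring it up means creating an `IdP`, copying `&idp.Key.PublicKey` and `idp.EntityID` into an `SP` (the out-of-band metadata exchange), calling `Issue` for a user and handing the result to `Verify`. A tampered assertion, one issued for another audience, one past its `NotOnOrAfter`, or one signed by a different key with the same entity ID are all rejected before the user is signed in. A production SP library adds checks this example omits: the assertion ID and `InResponseTo` against the outstanding request (replay protection), `Recipient` and `Destination` against the SP's own URL, and proper XML-DSig validation that verifies the signature over exactly the element it references rather than over any signed element found in the document.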
It is no secret that everyone hates passwords. Password breaches reliably make the headlines because credentials sit at the heart of internet security. In fact, it was reported in the media that Facebook had stored millions of user passwords in plain text, without any encryption.
The harsh reality is that many organisations fail to keep up with changing security practice, putting their customers' data and privacy at risk every time security is allowed to fall through the cracks.
Essentially, if a user sets a weak password on a corporate network, they are not just putting themselves at risk; they are jeopardising the whole network.
Of course, it is fair to say that we still have a long way to go before passwords disappear altogether, and it is unlikely to happen any time soon. Passwords remain a fixture of the technology industry, and paired with newer controls such as multi-factor authentication they can still be made reasonably secure and reliable.
In summary, the harsh truth is that consumers will be dealing with passwords for a long time. Enterprises, however, do have the option of eliminating most of their employees' passwords, thanks to the SAML standard and easy-to-deploy Identity-as-a-Service solutions such as OneLogin. What remains is the single identity-provider password, which should be protected with multi-factor authentication.