Embrace the new NIST Digital Identity Guidelines to better manage access management risks. By doing so your organization can manage costs and enhance digital and physical security. The secret lies in three basic principles.
The Cost of Security
Access management is a classic problem of compliance and security versus costs of operations. When users can’t access systems, the costs to your organization are clear. 24/7 human-staffed call centers are a dauntingly expensive solution to this problem in large organizations and, while the automation of password resets can be cheaper, such functionality brings its own set of risks.
Costs and compliance are on a direct collision course here. Dramatically decreasing the number of resets would seem to be critical, while the compliance requirements discussed below force policies that actually make resets more likely. Against this backdrop the new NIST digital identity guidelines show security managers a way forward: focus on usability and stronger authenticators rather than arbitrary rules to enhance security and avoid a steep operational price tag.
The Old Way
Forgetting passwords and passcodes seems like an inevitable part of life. Not only do we have to keep several different passwords in our heads, but those passwords are increasingly alien in composition, so unfamiliar that for most of us memory refuses to cooperate in placing the @'s, the !'s and the random digits in the right spots when we try to enter the string. These odd combinations of numbers and special characters make passwords very unlike the natural language people are used to memorizing at length. No surprise, then, that password resets can dominate call center budgets: estimates run as high as 30% of calls being for password resets or other access management issues. On top of forgotten passwords, compliance rules often require frequent, arbitrary resets. Furthermore, rules that require odd amalgams of numbers and letters lead many "compliant" workers to write passwords down on sticky notes in offices that are not always secure, adding another risk to be managed.
Much of the current state of affairs is due to previous NIST standards and the best practices built on them. However, when we look closely at the old standards we find that the original "research" underpinning the earlier NIST guidelines didn't use real password data. Against this backdrop, the new guidance from NIST suggests not only that some of the above rules are unnecessary, but that adhering to the previous guidance may not actually improve the security of networks and systems, because of the large number of resets it causes and the practice of passwords being written down.
Evolving NIST Standards
The new NIST guidelines are, first and foremost, based on real password and breach data, rather than on the synthetic test data created for evaluating brute-force attacks that informed the original standards. This approach also yields important insights about the psychology of users and would-be bad actors, and applies them to the new rules. The truth is that despite strict controls many users skate as close to the compliance requirements as possible, reusing similar passwords and predictable sequences of numbers and other characters. Bad actors know this and will first try already compromised passwords and variations on them, often with success. This is why the new guidance asks verifiers to compare a candidate password against a list of commonly used and previously compromised values rather than against a composition rule.
Given that human behaviors are not likely to change, a central component of the new NIST guidelines is that usability, not random strings of characters, is your best friend when it comes to crafting access management rules. We especially like the usability considerations (section 10.2), which suggest allowing at least 64 characters, accepting spaces and all printable characters, and doing away with a mandatory mix of character types. Further, by marrying long passcode requirements with the idea of "passphrases", organizations can increase the strength of passwords and reduce both the reliance on "sticky-note reminders" and the volume of password resets. How?
Passphrases ask users to think of a string of actual words (including spaces) that is meaningful to them and easy to remember but hard for someone else to guess. For instance, an inside joke from your childhood written as a sentence may be hard to crack with current brute-force methods. Better yet, a silly phrase you never say out loud can be easy to recall and difficult for anyone else to guess. Encouraging users to use passphrases typically results in better memorization and in longer passwords that are tougher to crack.
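To make the rules above concrete, here is an added example (not code from the original post) of a verifier that applies the memorized-secret rules from NIST SP 800-63B section 5.1.1.2: a minimum of 8 characters, at least 64 permitted, no composition rules, spaces and non-ASCII accepted, and a check against a list of commonly used or compromised values plus context-specific words. The blocklist is a small constructed sample standing in for a real breach corpus, and `legacy_policy_accepts` is a hypothetical stand-in for the "old way" so the two can be contrasted. Stored secrets are salted and hashed with PBKDF2, the kind of approved key-derivation function the guideline calls for.

```python
"""Memorized-secret checks modelled on NIST SP 800-63B section 5.1.1.2.

Added illustration, not the author's code. The blocklist is a small
constructed sample standing in for a real corpus of breached passwords.
"""
import hashlib
import hmac
import os
import unicodedata
from typing import List, Optional, Sequence, Tuple

MIN_LENGTH = 8   # user-chosen secrets SHALL be at least 8 characters
MAX_LENGTH = 64  # verifiers SHOULD permit at least 64 characters

# Constructed sample of commonly used / previously compromised values.
# A real deployment checks a breach corpus of many millions of entries.
BLOCKLIST = {
    "password", "password1", "p@ssw0rd", "qwerty123", "letmein",
    "welcome1", "iloveyou", "admin123", "summer2017", "changeme",
}


def normalize(secret: str) -> str:
    """Unicode NFKC normalisation so visually identical inputs compare equal."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(secret: str) -> bool:
    """True when the whole secret is one repeated character ('aaaaaaaa')
    or a straight ascending/descending run ('12345678', 'hgfedcba')."""
    if len(set(secret)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(secret, secret[1:])}
    return steps == {1} or steps == {-1}


def check_secret(secret: str, context_words: Sequence[str] = ()) -> List[str]:
    """Return the reasons a candidate secret is unacceptable (empty = OK).

    Deliberately applies no composition rules: letters, digits, symbols,
    spaces and non-ASCII characters are all accepted as typed.
    """
    s = normalize(secret)
    reasons = []
    if len(s) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = s.lower()
    if lowered in BLOCKLIST:
        reasons.append("appears in the commonly-used/compromised list")
    if is_repetitive_or_sequential(lowered):
        reasons.append("repetitive or sequential characters")
    # Context-specific words: the service name, the username and so on.
    for word in context_words:
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    return reasons


def legacy_policy_accepts(secret: str) -> bool:
    """Hypothetical 'old way' rule: 8-16 characters containing upper, lower,
    digit and symbol. Included only to contrast with check_secret."""
    return (8 <= len(secret) <= 16
            and any(c.isupper() for c in secret)
            and any(c.islower() for c in secret)
            and any(c.isdigit() for c in secret)
            and any(not c.isalnum() for c in secret))


def hash_secret(secret: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 for storage. 800-63B requires a salt of at
    least 32 bits and at least 10,000 iterations; far more is usual today."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(secret).encode("utf-8"), salt, iterations)
    return salt, digest


def verify_secret(secret: str, salt: bytes, expected: bytes,
                  iterations: int = 600_000) -> bool:
    """Constant-time comparison of a login attempt against the stored hash."""
    _, digest = hash_secret(secret, salt, iterations)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple"):
        print(candidate, "| legacy:", legacy_policy_accepts(candidate),
              "| 800-63B:", check_secret(candidate) or "accepted")
```

Run as a script, the contrast is the point of the post: `P@ssw0rd` satisfies every legacy composition rule yet is rejected outright because it sits on the compromised list, while `correct horse battery staple` fails the legacy rule (too long, no digit) and is accepted by the 800-63B check.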
In addition to passwords that are more easily remembered, the new NIST guidelines allow you to do away with periodic, arbitrary password resets; a reset should be required when there is evidence a password has been compromised, not on a calendar schedule. Scheduled resets too often lead to recycling of similar passwords and, like hard-to-remember passwords, to more passwords being written down rather than committed to memory.
Along with longer, easier to remember passwords and the end of arbitrary resets, the NIST guidelines lean more heavily on multi-factor authentication. Be it a text message, a smartphone app, or a security token, the addition of another authentication step can greatly improve security without adding too much burden to users (note, though, that SP 800-63B places codes delivered by SMS in its "restricted" category, so an authenticator app or hardware token is the safer default). The more sensitive the information (e.g. PII or trade secrets), the more stringent these multi-factor authenticators should be. By combining the new password rules with multi-factor authentication, organizations can improve usability while maintaining or increasing the strength of their access management programs.
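As an added example of the "smartphone app" second factor mentioned above (not code from the original post), the following implements a time-based one-time password check per RFC 6238 (HOTP from RFC 4226 with a time-derived counter). The shared secret is the RFC 6238 test-vector key so the output can be checked against the RFC; a real deployment generates a random per-user secret. The `TotpVerifier` class is our own addition and shows the two things a bare comparison misses: tolerance for a little clock skew, and rejection of a code that has already been used.

```python
"""Time-based one-time password verifier (RFC 6238 on top of RFC 4226).

Added example of an app-based second factor; not code from the original
post. DEMO_SECRET is the RFC 6238 test-vector key, used only so results
can be checked against the published vectors.
"""
import hmac
import struct
import time
from typing import Optional

DEMO_SECRET = b"12345678901234567890"  # RFC 6238 test-vector key (demo only)


def hotp(key: bytes, counter: int, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic
    truncation to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: Optional[float] = None, step: int = 30,
         digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(key, int(at // step), digits)


class TotpVerifier:
    """Server-side check with a small clock-skew window and replay rejection.

    Any code whose counter is at or below the last accepted counter is
    refused, so a captured code cannot be submitted a second time.
    """

    def __init__(self, key: bytes, step: int = 30, digits: int = 6,
                 window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_counter = -1  # highest counter already consumed

    def verify(self, submitted: str, at: Optional[float] = None) -> bool:
        at = time.time() if at is None else at
        now = int(at // self.step)
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue  # already used, or older than a used code
            expected = hotp(self.key, counter, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, at=59)
    print("code at t=59:", code)
    print("first use accepted:", verifier.verify(code, at=59))
    print("replay accepted:", verifier.verify(code, at=75))
```

The window of one step either side tolerates small clock drift between phone and server; widening it trades security for convenience. Tracking `last_counter` per user is what stops a phished or shoulder-surfed code from being replayed within its validity period.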
The bottom line – Access Management Principles
Compliance and cost no longer need to compete at the expense of increased digital and physical risk. The following three principles, based on the new NIST standards, can improve your security posture and reduce risk without a hefty price tag:
- Reduce resets by not mandating arbitrary password resets. Remember, the replacement passwords users choose have been shown to be frequently near-identical to the old, sometimes already compromised, ones. Scheduled resets can be worse than useless; reset only when there is evidence of compromise.
- Embrace multi-factor authentication by adopting app or token based authenticators (or, where nothing better is available, text message codes) in addition to passwords or passphrases, especially for access to systems holding sensitive information. With a second factor in place, a compromised password alone is no longer enough to get into your systems.
- Enhance usability by simplifying composition rules (no more mandatory mixes of character classes) and encouraging long passphrases built from natural language, spaces included. This helps your users memorize their secrets and eliminates the hazardous practice of writing passwords down.
Interested in enhancing your access management by applying these principles? Start by evaluating your current policies and procedures and various regulatory & compliance requirements before making changes. Make changes in places where you can test the impact and measure risk reduction. We believe in testing and measuring change so that you know and understand not just the costs, but the business value of new initiatives.