Passwords are simply not reliable nor secure enough for modern and dynamic IT and OT environments. Here are three reasons why.
Contents
1. The fundamental flaw of passwords
2. (Not just) Passwords are a common cause of data breaches
3. Both passwords and traditional PAM tools are things of the past
The way forward is Zero Trust, passwordless, and keyless
1. The fundamental flaw of passwords
All passwords share a single element that makes them ultimately susceptible to being stolen and abused.
What is this mystery element, you ask?
It’s us – human users.
But how come?
Think about the history of passwords. First, the standard was 6-character passwords. Then it moved up, and you also had to add capitalized letters and numbers.
Now, it’s all the way to 13 characters, capitalized letters, numbers, and special characters. Plus, you have to regularly change your passwords and you cannot use the same or similar password as before. You also shouldn’t use the same password for various accounts.
It’s a password mayhem.
And let’s be honest, do you really use unique passwords for all your work-related as well as personal accounts?
2. (Not just) Passwords are a common cause of data breaches
Now, think about passwords from an organization’s perspective. They are a standard security control used to protect access to an organization’s IT environment.
To keep passwords from being stolen and abused in a data breach scenario, organizations go to many lengths to protect them.
Typically, they use privileged access management (PAM) tools to do this job. And these tools use various processes to secure passwords, mainly vaulting and rotating them regularly.
But imagine vaulting and rotating thousands and thousands of passwords every day – that's a lot of work.
On top of that, passwords are not the only credential that can provide access to an IT environment.
There’s another commonly used credential. Actually, it’s used more often than passwords, and its numbers can go to millions. The typical ratio is 1 password to 10 of these. Now imagine, vaulting and rotating millions of credentials every day – that's a proper load.
No more mysteries. We're talking about SSH keys here.
If you think that managing passwords using traditional PAM tools is complicated and requires a lot of effort, make room for the madness that SSH keys bring into the mix.
Traditional PAM tools claim to manage SSH keys - no problem. But in reality, they manage only around 10-20% of them. (Where’s the other 80-90%? Let’s not go into detail, but if you’re curious about the topic, check out this white paper.)
So, if you’re not managing your passwords AND keys in a holistic and modern way, your organization is at an increased risk of data breaches. In fact, stolen or mismanaged passwords are consistently among the top three reasons for data breaches.
3. Both passwords and traditional PAM tools are things of the past
Traditional PAM tools struggle to comprehensively manage access and related credentials.
As mentioned above, they are inefficient from an operational perspective. They manage only a limited section of passwords and keys. And they do a decent job only when it comes to static credentials. On top of that, traditional PAMs are costly.
Those are just a few reasons.
Now, think about the security needs of a modern business: They want to be efficient, fast, and super secure.
They also want to utilize the cloud infrastructure, which is very dynamic in nature. And traditional PAM tools notoriously struggle to scale with the cloud.
And it’s not just the cloud, organizations are moving away from using static, permanent, long-standing credentials towards temporary authentication credentials. They’re migrating away from keys and passwords to short-lived certificates.
The way forward is Zero Trust, passwordless, and keyless
The age of passwords is over. If your company hasn’t caught up to this fact yet, this is your wake-up call.
So, what's the way forward?
Your next step shouldn’t even be looking for a modern PAM solution – it's too late for that. You should look for a comprehensive, holistic, and centralized access and communications solution that covers your access management as well as secure communications.
Key features to look out for include:
- Just-in-Time and Just-Enough access
- Passwordless and keyless access
- Zero Trust architecture
- Zero standing privileges
- Full SSH key lifecycle management
- Session monitoring, recording, auditing, and termination
- Compliance with industry standards and regulations, like the NIS2 directive
- Automation features
- Post-quantum encryption algorithms
Our SSH Zero Trust Suite can do all that and more. Check it out here >>>
Juuso Jahnukainen
Technical Product Manager