Active Directory may well be the center of the universe when it comes to security at most organizations and I’ve spent a good amount of time on AD password security recently in my webinars. Covering topics like password policy, credential stuffing, password spraying, leaked passwords, etc.
But if we successfully protect AD passwords unfortunately, we are only covering somewhere between 4% to 0.5% of the passwords in our organization. Those percentages are based on the range of passwords reported per user by different surveys. Most studies suggest that your average user needs at least 25 different passwords in order to get their job done. Some studies by password management apps put the number even higher at close to 200!
Regardless of the exact number, there is no doubt that there are a lot of passwords out there. Despite widespread support of AD, Azure AD Connect, federation with ADFS and other authentication integration technologies that help eliminate the need for extra passwords, the problem doesn’t go away. Between accounts on non-integrated internal systems, cloud accounts, vendor sites, customer sites, banking apps and SaaS, users still have a lot of passwords.
And integration seems like a constant game of catch up. Because different departments are constantly implementing new services and applications.
These passwords represent real and present danger to the organization. To fully understand the risk, you have to identify all the systems and applications with their own passwords and then analyze the information in those systems and the business processes facilitated.
In this real training for free event, we will examine the risks and mitigations relevant to 3rd party passwords. I will discuss how to systematically identify systems, sites and applications with their own passwords. Then we’ll look at key questions to ask about each system to understand the risks as well as the mitigation options.
Next, we’ll explore the different risks of 3rd party passwords including:
- Password re-use
- Leaked passwords
- Lack of auditing and monitoring
- Password policy
3rd party and non-integrated passwords are here to stay and we need to acknowledge that reality and address the risks. Every password is a corporate asset (or risk center) that needs to be managed as such.
Some organizations turn to consumer-focused password managers but history demonstrates this can introduce a potentially bigger risk than what we are trying to solve.
Netwrix is our sponsor for this session and their Password Secure product is the perfect solution for this problem. Sascha Martens from Netwrix will briefly show you how Netwrix Password Secure will give your organization the secure and efficient control of these business assets without compromising security for convenience.
Please join us for this real training for free session.