Why authentication is still the CISO’s biggest headache

Authentication remains one of the most painstaking challenges faced by CISOs in organizations large and small. This longstanding, fundamental element of security continues to cause headaches for security leaders seeking to identify and authorize users and devices often spread across different states, borders, and time zones. Meanwhile, persistent risks associated with ineffective authentication strategies and processes threaten businesses as they become more agile and remote, requiring security teams to rethink approaches to authentication in the modern landscape.

Authentication a significant obstacle for modern CISOs

Authentication continues to test CISOs for several reasons, with its modern definition being the first to address, Netskope CISO Lamont Orange tells CSO. “We use lots of terminology to describe what is meant to address the authentication and authorization methods required for devices, applications and systems, in addition to supporting security policies that govern this interaction. In the past, we have implemented authentication in very basic construct: If I need access, I must pass credential tests (login/password) for each user/service request without the use of MFA in most cases,” he says.

Modern authentication, however, must consider API and token-based authentication along with MFA capabilities, which introduce complications, Orange adds.

Authentication is also a moving attack target, with new threats and vulnerabilities requiring constant re-evaluation to securely authenticate users and devices, says Keyfactor CSO Chris Hickman. The continued expansion beyond the traditional network and shift to cloud transformation plays a key role, too. “CISOs experience either a lack of visibility and ability to scale to those environments or the continuous need to configure and reconfigure authentication gateways and identity providers to keep up with the changing demands,” he says.

Friction in relation to increasing levels of rigor in verifying an identity is also a significant issue, says principal scientist, Synopsys Software Integrity Group, Sammy Migues. “At some point, the highest levels of rigor in authentication become too much work for our organizations and employees for the return in assurance.”

Challenges of authentication include interoperability, usability and vulnerabilities

The challenges posed to CISOs and their organizations by modern authentication are numerous, spanning interoperability, usability, technical limitations, and vulnerabilities. “Many companies are still struggling to solve user identity, and now modern authentication complexities introduce machine, system level, and secrets management opportunities to solve,” says Orange. “However, not all technologies are mature enough to adapt, therefore you have disparate governance models and sometimes implicit support of legacy protocols which introduce security gaps, whilst the use of APIs and the management of access methods may be disparate given API maturity/capabilities.”

For Greg Day, global field CISO at Cybereason, user experience poses the biggest challenge. “No one likes trying to remember long and complex passwords, or being prompted to enter them every five minutes, or having to remember 100 different passwords for all the processes they use. Asking users to enter their own unique PIN for each transaction improves security, but it adds time to complete transactions.”

Shifting authentication paradigms require security and technology teams to rethink approaches with models such as zero trust, says Hickman. “New strategies like zero trust need strong authentication of the machine or device to grant authorization. Most organizations are only now beginning on a machine identity strategy and management of machine credentials and, just like human identities/authentication, machine identities/authentication comes in many forms and factors. It can be a challenge to manage all machine-based authentications effectively.”

Emerging biometric authentication concepts also present notable hurdles, Migues adds. “Human biometrics has more assurance but it’s much harder to deploy at scale and even these systems can be spoofed. Someone must show up somewhere and have, for instance, a detailed picture taken of their eye, give copies of their fingerprints, get a thermal scan, and so on. Those details will be locked to that person. Even without the Hollywood scenarios, let’s say the right person does show up. What do they bring as their authentication so they can get their authentication? Driver’s license? Birth certificate? Passport? How will those be verified? What if they don’t drive and don’t have a passport? It’s easy to say that you go as deep as you need to, but that gets expensive fast. Obviously, we’ll do that for people who access the nuclear missile silo, but where do we stop for access to the corporate LAN – and I hope we’re some time away from having to do biometrics on bots!”

Unauthorized access, data disclosure among risks of ineffective authentication

Ineffective authorization introduces significant risks to organizations with outcomes that can manifest in over privileged users, systems/machines, services and devices that may lead to unauthorized access and data disclosure, says Orange. “In the DevOps ecosystem, API components may open themselves up to several vulnerabilities and exploitations such as broken object level authorizations. Ineffective authorizations will also introduce leaky APIs which can pose a threat of fines for privacy violations, emerging attack susceptibility, and successful exploitation of ransomware via attack surface expansion.”

Indeed, data is one of the most valuable assets every business holds and if you cannot control who has access to it, then you put your business at risk, Day tells CSO. “We frequently see the real-world implications of this through ransomware and the ever-growing demands of payments that go with these attacks. Controlling who has access to data, and who that data is shared with, is fundamental to every business’ success.”

This has been evidenced following widespread reports of a data breach of the internal systems of cloud-based authentication software provider Okta by ransomware group LAPSUS$. According to Twitter posts, LAPSUS$ did not target Okta’s databases, but focused on Okta customers to reportedly gain superuser access to systems. Cloudflare CEO Matthew Prince tweeted the company would be “resetting the Okta credentials of any employees who’ve changed their passwords in the last fou months, out of abundance of caution.” and that it would be “evaluating alternatives” to the authentication software.

Best practices for effective modern authentication

Authentication best practices are easy to enumerate but not necessarily so easy to implement, especially in large organizations, Migues says. “Don’t try to invent your own system of tokens, encryption, protocols and so on. You can’t. Just think about how many security advisories you get from companies that literally do this for a living, and that’s for enterprise quality, mature products with thousands of users, and even more attackers, contributing their opinions every day.”

Migues does advocate working toward passwordless authentication and ensuring that API-to-API authentication is given the same focus as employees accessing sensitive files. He suggests using NIST 800-63B and similar guidance when planning your authentication strategy. “Also, understand that attacks against authentication services will happen, so put velocity checkers everywhere to slow down automated attacks,” he adds.

For Orange, involving governance, risk and compliance (GRC) teams to help provide requirements for modern authentications, continually testing to identify weaknesses, regaining visibility and contextual analysis through deployed solutions, and aggressively educating and training workforces about related threats are important best practices to implement, too.

Day urges CISOs not to overlook the importance of user experience, warning that if authentication processes are too hard or too complex, employees will find a way to work around the authentication tools that are in place. “The long-term goal must be to find a way to have risk-based consolidated access management across all information systems.”