White Paper

Cloud Computing Demands Enterprise-class Password Management and Security

By Jon Oltsik, Senior Principal Analyst
April 2013

This ESG White Paper was commissioned by McAfee (a Division of Intel Corp.) and is distributed under license from ESG.
Contents

Executive Summary ... 3
Security Professionals Are Very Concerned About Malware and System Compromises ... 3
PC Users Are Extremely Vulnerable ... 4
Passwords Represent a Growing Vulnerability ... 5
Organizations Remain Burdened by Passwords and Password Management ... 6
Passwords Also Carry a Lot of IT Operations Overhead ... 6
Password Problems Are Exacerbated by Cloud Computing ... 7
The Bigger Truth ... 9

All trademark names are property of their respective companies. Information contained in this publication has been obtained from sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at
Executive Summary

The Enterprise Strategy Group (ESG) recently conducted a survey of 307 IT and security professionals working at midmarket (i.e., 100 to 999 employees) and enterprise (i.e., more than 1,000 employees) organizations based in North America, Europe, and Asia. The purpose of this survey was to uncover concerns, challenges, and strategic plans around a number of cybersecurity topics, but the majority of questions focused on the security, manageability, and operations of authentication technologies such as passwords, multi-factor authentication, and single sign-on (SSO). Based upon the results of the ESG survey and the data presented herein, ESG concludes:

- Security professionals remain concerned about a wide variety of security threats. In spite of layers of security defenses, security professionals continue to worry about all types of security incidents, including malware infections, identity theft, and system compromises. These anxieties extend beyond the enterprise IT infrastructure: 32% of security professionals are extremely concerned about having their employer's cloud service provider(s) suffer a computer security breach.
- End-users are especially vulnerable to attacks and identity theft. More than three-fourths of security professionals believe that the average Internet user is extremely vulnerable or vulnerable to a malicious code attack that could lead to identity theft. Security professionals point to weak security and authentication (i.e., passwords) as major issues here.
- Most security professionals believe that passwords are no longer adequate security controls. More than half of security professionals believe that passwords are insecure and no longer appropriate for controlling access to some or all enterprise applications.
- Traditional passwords demand an inordinate amount of IT overhead. Aside from weak security, passwords are difficult to provision, manage, and support. These issues are aggravated by the fact that many organizations assign multiple passwords so users can access multiple discrete applications. This antiquated practice simply doesn't scale.
- Cloud computing exacerbates password security and management headaches. Large and small organizations are embracing cloud applications while end-users utilize a plethora of Internet services for collaboration, note taking, and social networking. Regrettably, cloud applications/services intensify password problems with redundant operations, additional user accounts, and a lack of visibility/control. At a higher level, this adds operational overhead and increases IT risk.
- Organizations need to bridge the password problems gap. While replacing password authentication with multi-factor authentication might eliminate management and security problems, few if any organizations have the time or money to pursue this disruptive strategy. In lieu of a full replacement, CISOs should seek out solutions that help them streamline operations and lower password risk, especially as they increase the use of cloud applications/services. These solutions must centralize identity/authentication operations, ease multi-factor provisioning/management, and provide an integration bridge between internal identity and access management solutions and cloud applications/services.

Security Professionals Are Very Concerned About Malware and System Compromises

The ESG data clearly illustrates that security professionals are extremely concerned about an array of security risks. For example, 86% of security professionals are concerned or very concerned about having their organization's employees' PCs infected by a virus or other type of malicious code, 83% are concerned or very concerned about having their employer suffer a computer security breach, and 82% are concerned or very concerned about having their organization's employees' account(s) breached or hacked (see Figure 1). Furthermore, security professionals' concerns extend beyond internal IT alone: three-fourths of the security professionals surveyed are very concerned or concerned about having their employer's cloud service providers suffer a computer security breach.
Figure 1. Security Professionals Have Numerous Concerns

How concerned, if at all, are you about each of the following Internet security risks? (Percent of respondents, N=307)

Columns: Very concerned | Concerned | Neutral | Not concerned | Not at all concerned (a dash means no value is shown on the chart for that cell)

Having your organization's employees' PCs infected by a virus or other type of malicious code: 42% | 44% | 11% | 3% | -
Having your employer suffer a computer security breach: 41% | 42% | 12% | 5% | -
Having your organization's employees' account(s) breached or hacked: 38% | 44% | 12% | 6% | -
Having your organization's employees' personal information stolen: 36% | 39% | 16% | 8% | 1%
Having your organization's employees' smart phone or tablet infected by a virus or other type of malicious code: 35% | 45% | 12% | 6% | 2%
Having your employer's cloud service providers suffer a computer security breach: 32% | 43% | 16% | 7% | 1%

Source: Enterprise Strategy Group.

Security professionals are paid to be paranoid, but their concerns are not based on general opinions alone. A majority of respondents (59%) acknowledged that their organization suffered an endpoint security breach within the last two years. Alarmingly, of those organizations that suffered an endpoint security breach within the last two years, 28% admit to 11 or more security breaches.

PC Users Are Extremely Vulnerable

The concerns described above are understandable; security professionals are acutely aware of cybersecurity issues including the increasing malware volume, growing hacktivist activities, and a wave of publicly disclosed security breaches at organizations like Google, Lockheed-Martin, and the New York Times. Additionally, security professionals realize that PC users may represent the weakest link in the security chain. For example, 79% of security professionals believe that the average Internet user is extremely vulnerable or vulnerable to a security breach that would ultimately lead to identity theft (see Figure 2).
Figure 2. Security Professionals Believe Internet Users Are Vulnerable to Identity Theft

Given your experience managing security and user authentication, how vulnerable do you believe the average Internet user is to identity theft? (Percent of respondents, N=307)

Extremely vulnerable: 24%
Vulnerable: 56%
Neutral: 15%
Not vulnerable: 6%

Source: Enterprise Strategy Group.

Passwords Represent a Growing Vulnerability

Over the past few years, global organizations of all sizes have invested billions of dollars in security technologies, yet security professionals remain concerned while PC users continue to be vulnerable to attack. Why? It's easy to speculate about things like software vulnerabilities, social engineering techniques, and sophisticated malware, but one of the greatest security weaknesses may be the continued reliance on passwords for user authentication. The issues associated with passwords were recently described in great detail in a Wired Magazine article. As the article stated:

    Since the dawn of the information age, we've bought into the idea that a password, so long as it's elaborate enough, is an adequate means of protecting all this precious data. But in 2012 that's a fallacy, a fantasy, an outdated sales pitch. And anyone who still mouths it is a sucker or someone who takes you for one. No matter how complex, no matter how unique, your passwords can no longer protect you. [1]

Do security professionals agree with the position stated in the Wired article? In a word, yes. Eleven percent of security professionals believe that user name/password authentication is no longer secure and should be eliminated in all cases, and 44% stated that user name/password authentication is no longer secure and should be eliminated for business critical applications but remains an adequate option for authentication to non-business critical applications (see Figure 3). Security professionals in the Asia Pacific region are especially bearish: 19% said that user name/password authentication is no longer secure and should be eliminated in all cases.

[1] Source: Honan, Mat, "Kill the Password: Why a String of Characters Can't Protect Us Anymore," Wired, November 15, 2012.
Figure 3. Security Professionals Believe that Passwords Are No Longer Secure

Given the current threat landscape (i.e., malicious code, automated tools, identity theft, etc.), which of the following statements best reflects your opinion with regards to the use of user name/password combinations for authentication? (Percent of respondents, N=307)

User name/password authentication is no longer secure and should be eliminated as a form of authentication in all cases: 11%
User name/password authentication is no longer secure and should be eliminated as a form of authentication for business critical applications but remains an adequate option for authentication to non-business critical applications: 44%
User name/password authentication is fairly secure and remains an adequate option for authentication to most business critical and non-business critical applications: 34%
User name/password authentication is secure and remains an adequate option for authentication for all business critical and non-business critical applications: 11%

Source: Enterprise Strategy Group.

Organizations Remain Burdened by Passwords and Password Management

Despite the fact that the majority of security professionals are wary about password security, large and small organizations continue to rely on passwords as their primary authentication mechanism for network and application access. This makes these organizations vulnerable to general password security weaknesses, but this is not the only issue. Security risk is exacerbated because users typically have numerous passwords for accessing various applications and services. Security professionals report that 56% of users are assigned between two and five passwords by their organizations, 19% of users are assigned between six and ten passwords, and 15% of users are assigned more than ten passwords. Not surprisingly, enterprise organizations tend to assign more passwords per user than midmarket organizations. Given the security vulnerabilities associated with passwords, more passwords per user equates to more risk for the organization.

Passwords Also Carry a Lot of IT Operations Overhead

As if IT risk wasn't enough, provisioning and managing user accounts is fraught with manual processes and costly operational tasks. Why? User provisioning can involve input and cooperation from a number of corporate constituencies, including security administrators, network administrators, dedicated identity administrators, application administrators, and department heads. When asked to define user account provisioning and management challenges, 50% of organizations point to defining account access and privileges, 49% say auditing accounts to ensure that employees have the right privileges, and 43% are challenged by changing accounts as employees change roles and/or internal organizations (see Figure 4).
Faced with organizational collaboration and specific user-provisioning and management challenges, it is not surprising that at half of all organizations surveyed it takes several days to provision all of the accounts and systems once a new employee is hired.

Figure 4. Challenges Associated with User Account Provisioning and Management

Which of the following present the biggest challenges for your organization in terms of provisioning/managing user accounts for new employees? (Percent of respondents, N=307, multiple responses accepted)

Defining account access and privileges: 50%
Auditing accounts to ensure that employees have the right privileges: 49%
Changing accounts as employees change roles and/or internal organizations: 43%
Terminating accounts when an employee leaves or is terminated: 42%
Provisioning multiple accounts across multiple applications and services: 38%
Monitoring identity stores for stale and/or rogue accounts: 37%
Completing all requests for new accounts in a defined period of time: 36%
Confirming the provisioning of each account: 29%
Getting approval from all participants in a timely fashion: 28%
None of the above: 4%

Source: Enterprise Strategy Group.

Aside from provisioning and IT management issues, users also deal with a number of challenges with passwords. According to the security professionals surveyed, 39% of users require password reset support at least five times per month. Just over half (51%) of organizations report that it takes between five and ten minutes for their help desk staff to help users reset their passwords. On its own this does not seem like much effort, but it can add up to a significant amount of time for organizations with thousands of employees and multiple passwords per user.

Password Problems Are Exacerbated by Cloud Computing

These issues are bad enough when contained to internal networks and applications, but few organizations limit their IT services to corporate systems alone.
Over the past few years, most organizations have effectively externalized their IT services through the use of cloud-based infrastructure (IaaS), applications (SaaS), and development platforms (PaaS). Forty-six percent of organizations use between one and five cloud applications/services, 40% use between six and ten cloud applications/services, and 14% use between 11 and 20 cloud applications/services today. Additionally, the number of organizations using between 11 and 20 cloud applications/services will increase from 15% to 40% over the next 12 months (see Figure 5). Aside from corporate deployment, users are also implementing an increasing number of cloud-based applications/services themselves, sometimes without the knowledge or permission of IT. In fact, 38% of organizations found employees using cloud-based applications and/or services that IT was unaware of prior to this discovery. Seventeen percent of organizations made such a discovery five or more times over the past year.

Figure 5. Cloud-based Applications and Services Used Today and In the Next 12 Months

Approximately how many cloud-based applications and/or services does your organization currently use? Approximately how many cloud-based applications and/or services will your organization use in the next 12 months? (Percent of respondents, N=307)

Columns: Number of cloud applications/services currently used | Number of cloud applications/services used 12 months from now (a dash means no value is shown on the chart for that cell; the None, More than 20, and Don't know bars are attributed to the 12-month series, which is the only assignment under which each series sums to 100%)

None: - | 2%
Between 1 and 5: 46% | 23%
Between 6 and 10: 40% | 29%
Between 11 and 20: 14% | 40%
More than 20: - | 2%
Don't know: - | 4%

Source: Enterprise Strategy Group.

From a security perspective, it is worth noting that many of these applications also contain sensitive or regulated data. In fact, 26% of organizations claim that their cloud-based applications use sensitive, regulated, or company-confidential data extensively, while 53% of organizations say that their cloud-based applications use sensitive, regulated, or company-confidential data somewhat. Few would argue about the fact that cloud computing has the potential to enable new business processes, streamline operations, and cut IT costs. These benefits are offset, however, by a plethora of security risks. Since password security and management is already tenuous within IT, it is only logical that password problems will multiply as cloud computing becomes increasingly pervasive. Furthermore, user provisioning and password management tasks will become more difficult and time consuming as IT administrators deal with multiple cloud applications, identity tools, and reporting/auditing capabilities. CIOs and CISOs must understand and address these issues as part of their cloud computing strategies.
The Bigger Truth

In aggregate, the data presented in this paper presents an alarming and risky pattern. The security professionals surveyed by ESG believe:

1. Account provisioning is fraught with numerous challenges and cross-organizational processes that often take days to work through.
2. Organizations are embracing cloud computing applications that often utilize sensitive data. The use of cloud computing applications/services makes password provisioning and management even more difficult.
3. Users remain vulnerable to identity theft in spite of password provisioning and their investment in security technology controls.
4. Password authentication is no longer secure and should be eliminated for all or some business applications.

ESG believes that the situation described above has come to a head. Passwords are insecure and difficult to manage. Users who can't remember them increase help desk costs. At the same time, many organizations are increasingly turning to cloud applications/services, making password management extremely difficult and rapidly increasing IT risk. This situation is unacceptable.

So what's needed? Many organizations use strong passwords, multi-factor authentication, and single sign-on (SSO) tools to address the operational and security challenges described above, but many of these legacy technologies lack integration, scale, and adequate reporting. Furthermore, most identity tools are designed to plug into a variety of legacy mainframe, client/server, and web applications rather than the army of new cloud-based offerings. Replacing all passwords with multi-factor authentication technologies like tokens, one-time passwords (OTP), smart cards, or biometrics is not an option, as this would be too complex, expensive, and disruptive to the business. So what should be done in the short term?
To truly address risk and operational overhead, organizations need identity and access solutions designed to automate, improve, and simplify:

1. User lifecycle management. Internal IT must have the ability to provision, de-provision, and change user accounts (i.e., change user role, group, password, etc.) for all internal and cloud-based applications from a central console. To minimize redundant operations, these administrative activities must be tightly integrated with existing user repositories, such as Active Directory.
2. Authentication controls. User authentication demands flexible options. IT administrators need the ability to enforce strong password management, leverage existing multi-factor authentication technologies, or seamlessly tie into SaaS-based authentication methods while remaining transparent to user activities. Many organizations recognize these needs: 91% of organizations employ a strong password policy today, while 57% use some type of multi-factor authentication technology. What organizations need now are centralized tools that provide flexibility and automate multiple methods of authentication.
3. Cloud connectivity. IT managers need tools for SSO connectivity to disparate cloud applications. Since these connections will vary, SSO technology must support federated ID standards such as SAML tokens and provide native connectors for proprietary sign-on techniques such as shared secrets. The best SSO tools will also provide form-based authentication for connections with unsophisticated cloud applications lacking technical integration points.
4. Monitoring, logging, reporting, and auditing. Collecting and analyzing user activity is essential for risk management, compliance, and incident detection/response. Unfortunately, previous ESG research indicates that the ability to track user behavior for security analysis is an area of weakness at many organizations. To address this shortcoming, IAM technologies that bridge internal IT and cloud applications must provide strong monitoring, logging, reporting, and auditing.
5. Single sign-on (SSO) for bridging IT and cloud computing. It is simply unacceptable to burden users with multiple passwords for internal and cloud-based applications/services. SSO solutions can help bridge this gap and provide a point of central control for all identity and password management activities for cloud application/services accounts. ESG recommends that organizations work with vendors offering both on-premises and on-demand SSO solutions. By doing so, CIOs can implement SSO where appropriate and have the flexibility to swap on-premises products for on-demand services (or vice versa) in the future.
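Items 1 and 4 above (central lifecycle management tied to the user repository, plus monitoring and auditing) and the Figure 4 challenges of terminating accounts and monitoring identity stores for stale or rogue accounts all come down to one recurring control: reconciling each cloud application's account list against the authoritative directory. The script below is an added example written for this page, not code from ESG, McAfee, or any product the paper describes. It assumes a directory export and per-application account lists have already been pulled into simple records; the user names, applications, roles and dates are constructed sample data, and the `reconcile` and `summarize` functions are hypothetical helpers.

```python
"""Directory-vs-cloud account reconciliation (added example, constructed data).

Flags the lifecycle gaps an IAM bridge has to surface: accounts whose owner is
disabled in the directory (should have been terminated), rogue accounts with no
directory owner at all, accounts an enabled user has not touched in months, and
accounts a role requires that were never provisioned. All names, apps, roles and
dates are constructed; the helpers are hypothetical, not any product's API.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

AppLogin = Tuple[str, str]  # (application name, login)


@dataclass(frozen=True)
class DirectoryUser:
    """One record from the authoritative repository (e.g. an Active Directory export)."""
    login: str
    enabled: bool
    role: str


@dataclass(frozen=True)
class CloudAccount:
    """One account as reported by a cloud application's own user list."""
    app: str
    login: str
    last_login: Optional[date]  # None means the account has never been used


@dataclass
class Findings:
    orphaned: List[AppLogin] = field(default_factory=list)             # no directory owner
    disabled_but_active: List[AppLogin] = field(default_factory=list)  # owner disabled, account remains
    stale: List[AppLogin] = field(default_factory=list)                # enabled owner, unused too long
    missing: List[AppLogin] = field(default_factory=list)              # required by role, not provisioned


def reconcile(directory: List[DirectoryUser],
              accounts: List[CloudAccount],
              required_apps_by_role: Dict[str, Set[str]],
              today: date,
              stale_days: int = 90) -> Findings:
    """Compare every cloud account against the directory, and the directory against the apps."""
    by_login = {u.login: u for u in directory}
    cutoff = today - timedelta(days=stale_days)
    findings = Findings()

    # Pass 1: each cloud account must belong to an enabled directory user who still uses it.
    for acct in accounts:
        owner = by_login.get(acct.login)
        key = (acct.app, acct.login)
        if owner is None:
            findings.orphaned.append(key)
        elif not owner.enabled:
            findings.disabled_but_active.append(key)
        elif acct.last_login is None or acct.last_login < cutoff:
            findings.stale.append(key)

    # Pass 2: each enabled directory user must hold every account their role requires.
    provisioned = {(a.app, a.login) for a in accounts}
    for user in directory:
        if not user.enabled:
            continue
        for app in required_apps_by_role.get(user.role, set()):
            if (app, user.login) not in provisioned:
                findings.missing.append((app, user.login))

    for bucket in (findings.orphaned, findings.disabled_but_active,
                   findings.stale, findings.missing):
        bucket.sort()  # deterministic order for reports
    return findings


def summarize(findings: Findings) -> Dict[str, int]:
    """Counts per finding type, the numbers a reporting dashboard would show."""
    return {
        "orphaned": len(findings.orphaned),
        "disabled_but_active": len(findings.disabled_but_active),
        "stale": len(findings.stale),
        "missing": len(findings.missing),
    }


# ---- constructed sample data (not survey data from the paper) -------------------
TODAY = date(2013, 4, 1)

SAMPLE_DIRECTORY = [
    DirectoryUser("alice", True, "sales"),
    DirectoryUser("bob", True, "engineering"),
    DirectoryUser("carol", False, "sales"),   # left the company; disabled in the directory
    DirectoryUser("dave", True, "engineering"),
    DirectoryUser("erin", True, "sales"),     # new hire, nothing provisioned yet
]

SAMPLE_ACCOUNTS = [
    CloudAccount("crm", "alice", TODAY - timedelta(days=5)),
    CloudAccount("crm", "carol", TODAY - timedelta(days=120)),  # termination never reached the app
    CloudAccount("crm", "mallory", TODAY - timedelta(days=2)),  # no directory owner: rogue account
    CloudAccount("wiki", "alice", TODAY - timedelta(days=10)),
    CloudAccount("wiki", "bob", TODAY - timedelta(days=3)),
    CloudAccount("wiki", "dave", TODAY - timedelta(days=200)),  # unused for months
]

SAMPLE_REQUIRED = {"sales": {"crm", "wiki"}, "engineering": {"wiki"}}


def run_example() -> Findings:
    return reconcile(SAMPLE_DIRECTORY, SAMPLE_ACCOUNTS, SAMPLE_REQUIRED, TODAY)


if __name__ == "__main__":
    result = run_example()
    for name, count in summarize(result).items():
        print(f"{name}: {count}")
    print(result)
```

On the constructed data the run reports one rogue account (mallory in the CRM), one account that outlived its disabled owner (carol in the CRM), one stale account (dave on the wiki), and two accounts the new hire erin still lacks. In practice the directory export and the per-application user lists would be pulled through each system's admin interface and the run scheduled, so that the days-long provisioning lag and the orphaned accounts the survey describes become a daily report rather than something discovered during an incident.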
20 Asylum Street Milford, MA Tel: Fax: global.com