By Bill O’Hern, Chief Security Officer, AT&T
This article is the first of a new series from the AT&T Chief Security Office to provide insights for business leaders and practitioners to advance their cybersecurity goals and objectives. Each article will incorporate insights from AT&T’s unique vantage point working on cybersecurity with organizations of all sizes and sectors across the globe.
During my career at AT&T, which has spanned decades, I’ve watched as our employees, customers and other companies continue to struggle with passwords. This has always struck me as a little surprising because passwords are so comfortable. Everyone knows how to set up and use passwords.
And yet, the struggle continues.
The familiar challenge with passwords is that there are just too many of them. The tools offered to support simplification, such as password managers, are often clumsy and do not cover all use cases. As a result, some people still resort to carrying around small paper booklets with alphabetized listings of passwords that are scribbled down, crossed out, reused and erased.
It’s not unusual for someone to have literally hundreds of different passwords for everything from corporate VPNs to online gaming systems. We hear this every day from customers.
The challenge is complicated by multifactor authentication, which was created to reduce the risk of password guessing or stealing. Methods such as mobile push notifications or biometric scanning are used to improve the security of access to corporate networks, web applications, entertainment systems and more.
They are straightforward to use, but they do require that the user have access to an additional proof factor such as a mobile phone. Perhaps worse, they are usually combined with the continued use of passwords, which can be a serious vulnerability.
This is a really important topic. I would rate authenticated identity at the top of any list of hot security issues. The majority of headlines you read about breaches and ransomware involve someone getting into a system through a problem with access credentials.
Authentication in Business and Government
The biggest issue with authentication in a business or government context involves friction. That is, at a time when organizations want their online systems to be easy to use, passwords and two-factor authentication often increase user frustration.
This is especially true for government online systems, which must support a wide range of use cases for citizens. For example, it cannot be assumed that every citizen has a government-issued ID or possesses the physical attributes to support a certain type of biometric system.
Based on my experiences at AT&T dealing with many different authentication scenarios, including for our massive employee base, I’d like to offer some practical suggestions.
Obviously, the steps offered below will need to be tailored to your local situation. But hopefully they can serve as a useful resource. Here they are:
Step 1: Take an Inventory.
This first step might seem obvious. But when I speak with business leaders about their authentication challenges, it often becomes clear that they don’t know what they have deployed today. Consider, for example, that employees might be using one type of authentication system, perhaps with single sign-on (SSO) for multiple applications. This system might be configured differently across various regions, subsidiaries or acquisitions.
Furthermore, partners and suppliers might be using a different authentication approach. And customers might be using a totally separate means for authenticating to products, services and resources.
This implies that before management decisions can be made about more efficient authentication, an inventory is needed. I wish I could tell you that there was a simple automated tool that can discover these systems, perhaps by crawling your network. But the truth is that the only way to get the facts is to create a management initiative that collects data from relevant systems and that solicits information from business unit leaders and their supporting security teams.
This process is easier said than done – but it is necessary.
Step 2: Identify and Prioritize Threats.
This next step is to examine your cybersecurity goals. At AT&T, we understand that cyber risk protection initiatives must be a primary concern, especially with the emerging cloud, fiber and 5G infrastructure we support. But even within a modern Internet Service Provider (ISP), cyber threats must be prioritized. Threats targeting sensitive data or ones that can cause outages to critical infrastructure, for example, are particularly high priority and will always have my team’s fullest attention.
For your situation, the threat prioritization should be driven by the specifics of your mission. The security concerns that exist within a civilian federal agency, for instance, will be different from the threats that affect our military.
Even within the civilian sector, differences will emerge. An administrative bureau, for example, might not prioritize online network availability in the same way that a consumer-facing bureau might. Each organization will have unique threat profiles, and these must be factored into the local authentication requirements.
Step 3: Define the User Experience.
This step involves determining the factors related to user experience. In almost all cases, this will involve removal of sources of friction – but there are exceptions. Designers of systems that manage the safety of a nuclear power plant, for example, are likely to prioritize high function over a frictionless experience. That said, nuclear operators must never be prevented from accessing a system in an emergency – so the balancing act results in a tough challenge for authentication system designers.
In all situations, it is best for the security team to understand the objectives of the user experience. This should include clarity on how employees, suppliers, customers and any other stakeholders should be authenticating to access resources.
The user experience will also be influenced by requirements for federation to popular identity systems, adherence to budget pressures and matching the authentication process to the local situation (e.g., home office, factory floor, business office, military camp).
Step 4: Plan Your Authentication Transition.
Once you’ve completed your inventory, identified threats and defined the user experience, it is time to begin planning your journey to efficient and effective authentication. This will likely involve discussions with new vendors – and our teams at AT&T Cybersecurity and AT&T Public Sector are certainly here to help. As you develop your roadmap, especially in the federal government, initiatives are influenced by budgets, priority shifts and other factors – and we can help.
An option to consider is our joint venture with other major US wireless providers to develop the innovative ZenKey authentication. ZenKey utilizes the power and reach of domestic mobile carriers to create an effective option for many – using a combination of wireless network signals to verify identity.
Regardless of the solution you choose, I hope your management roadmap leads to a successful implementation of effective and efficient authentication.