2014: The Nexus between Identity and Today’s Headline Grabbing Security Breaches

As someone who has been in the enterprise IT industry for 25+ years, it has always been the case that “industry” people (fellow Silicon Valley entrepreneurs, VCs, employees of fellow enterprise tech companies here in Silicon Valley, IT people, etc.) have understood what my company Centrify does vis-à-vis identity management. They could quickly grasp our special technical sauce and go-to-market strategy. Meanwhile, it was typically the case that “civilians” (i.e. non-IT people, e.g. my relatives in the Midwest) just knew at a high level that “Tom works in the technology industry.” They could not really understand what Centrify does after hearing me summarize our solution (but I did get some patient smiles), and our value proposition was certainly not readily apparent.

But the headlines in 2014 around major security breaches at everyday vendors (Home Depot, JP Morgan, Sony Pictures, etc.) caused by hackers stealing privileged users’ passwords and getting the “keys to the kingdom” (email, intellectual property in the form of movies in the case of Sony Pictures, payroll information, etc.), coupled with consumers drowning in a sea of online passwords, have made identity management very understandable and relevant to everyone as individuals.

In the case of JP Morgan, where hackers stole information for more than 83 million JP Morgan Chase customers, the New York Times reported that attackers stole the credentials of a JP Morgan employee who had privileged access to servers that had key customer data on them. Per Network World:

“Following the initial intrusion, the attackers were eventually able to gain access to over 90 servers at the bank…The attackers were able to compromise names, addresses, phone numbers and email addresses, along with information about which line of business the customers were affiliated with.”

The article further notes the importance of the “Access” part of “Identity and Access Management”:

“Strong access management policies and network segmentation are key to limiting the extent of damage that attackers can do once they gain a foothold inside a network. However, for organizations like JP Morgan, implementing uniform security controls across their vast networks can be difficult because they often have to integrate large numbers of new systems with different levels of security as a result of acquiring other companies.”

In the case of Sony, well…they hid most of their sensitive passwords in a file directory called “passwords.” Per Gizmodo:

“BuzzFeed rather easily found the ‘Password’ folder in the newly released data and reports that it “includes 139 Word documents, Excel spreadsheets, zip files, and PDF’s containing thousands of passwords to Sony Pictures internal computers, social media accounts, and web services accounts.” The kicker: “Most of the files are plainly labeled with titles like ‘password list.xls’ or ‘YouTube login passwords.xlsx.’” Because when hackers go looking for sensitive information like login credentials, they would never think to search for the word ‘password’.”

Screenshot of Sony password files courtesy of Buzzfeed

The key thing is that the bad guys are finding holes in computer systems, exploiting bugs and vulnerabilities, and/or doing social engineering (e.g. spear phishing) with the primary goal of getting the passwords of people who have privileged access to important information. So yes, holes need to be patched, but it is equally important that privileged accounts within an enterprise are secured (i.e. given the least amount of privilege required). Additional levels of authentication are also needed to validate that it is really the correct employee typing in the password. The activities of those accounts must be regularly audited, and passwords should not be stored in plaintext files or spreadsheets but in a highly secure repository and changed frequently, etc.

And as end users within an organization gain access to more business apps to become ever more productive, and increasingly use their personally owned devices to access those apps, it is also important to ensure that they are secure while accessing them. There is a need for a step-up level of authentication via multi-factor authentication, and preferably the users don’t even have a password to their SaaS apps because their organization leverages SSO protocols such as SAML, etc. While a sys admin’s password being stolen can have a massive impact in terms of a firm’s entire intellectual property assets being stolen, even a sales rep’s Salesforce.com account being stolen or hacked can have a significant negative impact on a business.

These issues are now squarely on the front page of the New York Times, which means IT-centric people and consumers are now starting to fully realize the significance of identity and access management. And this leads me to feel very good about where Centrify stands vis a vis addressing these very real problems. We can make a real difference in helping mitigate the security risks out there and have direct relevance to IT people and consumers alike.

As I look back at 2014, our performance shows Centrify is uniquely positioned in the industry to address both the identity needs for privileged users AND end users, and that we can elegantly span across data center, cloud and mobile environments. We are not just a single sign-on solution for SaaS or a password vault for privileged users accessing on-premises servers and routers, but a comprehensive solution that addresses end and privileged users’ identity needs no matter where an organization is in their move to cloud and mobile. And expect Centrify in 2015 to further execute upon this broad and highly relevant vision.