In his talk he mentioned that two-factor authentication is a minimum baseline security measure, which got a lot of nods from the crowd, but he seemed to have forgotten that statement by the time he was wrapping up his session. At the end of the session he spoke about measures we should all take, such as keeping signature-based security appliances up to date, performing security audits, understanding what our critical assets are and, finally, implementing better password policies. Huh? Better password policies?
Did I miss something?
I thought he had stated earlier that two-factor is a minimum baseline security measure? If we assume that we are going to utilize two-factor security, then why worry about better password policies? I am going to make an assumption that he meant to say that we need to consider when a password makes sense and when two-factor makes better sense.
In today's world of connected devices and remote workers, we have to assume that external access by employees, contractors and vendors is the norm. We also have to assume that we have some form of basic policy dictating that a password contain upper- and lower-case letters, a number and a special character. What we need to add to our assumptions is that there will also be a genuinely secure validation that the user actually is who they say they are.
Two-factor authentication is a very simple process: a user name that is static (not secure), plus a PIN that only you know (somewhat secure, since it is still static), combined with a number that is generated and changes constantly (very secure).
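As an added illustration (not code from the original post), here is the login described above in working form: a static user name and PIN, plus a constantly changing token number, typed together as one passcode. The post names no algorithm, so this example assumes the changing number is an RFC 6238 time-based one-time password (HMAC-SHA1, 30-second step, six digits), that the PIN is numeric, and that PIN and tokencode are entered as a single RSA SecurID-style passcode. The user record, `new_user`, `verify_passcode` and the sample secret are constructed for the example.

```python
"""PIN + time-based token code verification (added illustration).

Assumptions not stated in the post: the changing number is an RFC 6238
TOTP (HMAC-SHA1, 30-second step, 6 digits); the user types PIN and token
code together as one passcode, as an RSA SecurID-style login does.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step)


def new_user(pin: str, secret: bytes) -> dict:
    """Per-user record (constructed for the example): static PIN, token seed,
    and the last counter accepted, which acts as the replay guard."""
    return {"pin": pin, "secret": secret, "last_counter": -1}


def verify_passcode(user: dict, passcode: str, now: int, window: int = 1) -> bool:
    """Check passcode = PIN + tokencode at time `now`.

    Accepts the current step plus `window` steps either side for clock drift.
    On success the matched counter is recorded so the same code cannot be
    replayed, which is the only thing that makes a 'constantly changing'
    number worth more than a static password within a single step."""
    pin = user["pin"]
    if len(passcode) != len(pin) + DIGITS:
        return False
    if not (passcode.isascii() and passcode.isdigit()):
        return False
    entered_pin, entered_code = passcode[:len(pin)], passcode[len(pin):]

    # Constant-time comparisons, and both factors are always evaluated so a
    # wrong PIN does not short-circuit and reveal which half failed via timing.
    pin_ok = hmac.compare_digest(entered_pin.encode(), pin.encode())
    current = int(now) // STEP_SECONDS
    matched = None
    for counter in range(current - window, current + window + 1):
        expected = hotp(user["secret"], counter).encode()
        if hmac.compare_digest(expected, entered_code.encode()):
            matched = counter

    if not pin_ok or matched is None:
        return False
    if matched <= user["last_counter"]:
        return False  # replayed or older-than-last-accepted code
    user["last_counter"] = matched
    return True


if __name__ == "__main__":
    # Demo with the RFC 6238 reference seed (ASCII "12345678901234567890").
    seed = b"12345678901234567890"
    alice = new_user("1234", seed)
    now = int(time.time())
    passcode = alice["pin"] + totp(seed, now)
    print("first use :", verify_passcode(alice, passcode, now))   # True
    print("replayed  :", verify_passcode(alice, passcode, now))   # False
```

The two `verify_passcode` calls in the demo show the point the post is making: the user name and PIN are the same on both attempts, but only the first succeeds, because the token number has been consumed. In a real deployment the token seeds are the crown jewels of this scheme and need the same protection as a password database, and the drift window should be kept as small as the token population's clocks allow.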
While I don't disagree with his statements about doing a better job of keeping signatures up to date and performing security audits, and we definitely need to know our critical assets, I do disagree with his final statement. Password policies are needed, but we need to rethink where and when we will allow passwords to be used. Sure, at EMC we do have passwords and policies for those passwords, but two-factor is paramount to our security baseline.