Password Compliance

New legislation, including General Data Protection Regulation (GDPR), NYDFS Cybersecurity Regulation (23 NYCRR 500) and Cybersecurity Maturity Model Certification (CMMC) has been introduced to help protect consumer and corporate information. Lack of compliance with these regulations and breaches of data can lead to fines of up to €20 million ($22 million) in damages or four per cent of global revenue.

The indirect consequences of a breach in security should also be considered. The direct financial impact and fines from non-compliance are often compounded with the loss of consumer confidence in a company or brand, which could be even more costly.

Passwords have become ubiquitous in their use to secure access to computer systems, yet they are far from perfect from a usability and security point of view. Recent guidelines address these issues by reducing both the complexity of passwords and the frequency that users need to change them. Whilst the ultimate goal may be to replace passwords, for now, we can improve how they used.

Discover how implementing these guidelines can improve password security and bring other benefits too.

The Authlogics Password Breach Database is a key component when looking to meet the new password policy guidelines set by NIST SP 800-63B. It provides a comprehensive and well maintained dictionary of unacceptable and compromised passwords in the cloud for real-time lookups.

Find out how the Password Breach Database can help you simplify your password headache.

What changes do I need to make to my security processes?

Regulations, including GDPR and CMMC, follow some common principles which could also easily apply to best practice when implementing a corporate security policy. The following steps will make you more secure and reduce your risk of being negatively affected by data protection legislation.

1. Determine if the legislation applies to you. If you do business or handle personal information for citizens based in the area affected by the legislation, or work with government and military, then its highly likely that regulations apply to you. Systems that hold personal or financial data are highly likely to be covered by the new guidance.

2. Determine how to apply the legislation. Be aware of all aspects of the legislation, such as any requirement to encrypt certain data and how decryption keys should be stored. GDPR explicitly refers to the principles of “privacy by design” and “privacy by default”. Determine the parties responsible for applying this legislation.

3. Make sure the basics are in place first. Ensure that desktop machines are password-protected and have a good anti-virus package installed. As we saw with the WannaCry incident it is key to ensure they’re up-to-date with the latest Microsoft patches. Ensure your password policy complies with the latest regulations from NIST and that users do not have a password that has been compromised on the web.

4. Augment and improve the existing security. In the event of a security breach, it is usually up to the company to prove that modern and all reasonable best practice has been followed. Poor password management makes it easier for attackers. Multi-Factor Authentication further reduces the risks associated with a password-only approach to authentication.

5. Ensure you have robust auditing and accountability. Legislation around data protection, such as GDPR, requires that companies show that they use a framework to continuously monitor compliance, as opposed to a single ‘point in time’ audit process. This turns out to also be a sensible approach to data security. Ensure that your systems can continuously report the status of items such as password compliance and usage of Multi-Factor Authentication.

Comply and Secure with Authlogics

A secure password is a foundation on which all other security initiatives are built. It is critical to ensure your passwords are both secure and compliant (including the fact that they do not appear in any password breaches) before adding Multi-Factor Authentication (MFA); simply adding MFA does not diminish the password security requirement.

Password Security Management has been specifically designed to meet, and exceed NIST SP 800-63B guidelines for password compliance. It can be deployed in minutes on corporate network servers and enforces a compliant password policy as soon as a user changes their Windows password, without requiring any desktop software.

Authlogics Multi-Factor Authentication coordinates the provisioning and management of identity information to allows users to log in securely from desktops, mobile, Cloud and 3rd party applications. It provides a consistent and fully featured layer of security wherever users log on. A self-service portal allows users to set passwords that comply with the latest security guidelines and lets users add and remove multi-factor devices as needed. Each action is logged in detail and can be reported on for audit and compliance purposes.

Find out how we can help you comply with the latest regulations