Author: Chase Snyder, Sr. PMM, Xage Security
Usernames and passwords are business-critical data. They are a valuable target for attackers, because they can be used against you in countless ways, or sold on the dark web for someone else to use against you. Estimates of the share of cyberattacks that rely on stolen, legitimate credentials for initial access and lateral movement range from 60% to 90%.
So how is it possible that so many millions of usernames and passwords keep getting successfully stolen? Why are these things not locked up better?
One huge factor is that many identity and access management products, and other systems that store and use usernames and passwords, keep that critical data in one central place. They may keep it encrypted and protect it in other ways, but the data is still centralized, which makes it a single high-value target. If all your usernames and passwords are in one place, attackers will try very hard to break into that place, and the evidence indicates they are succeeding.
The capability most of these products still lack, and the one that offers the biggest security and availability gains, is distributed password vaulting. A distributed password vault has several benefits that make it a must-have for any serious enterprise. The two most urgent are:
- Credentials Are Much Harder To Steal: Credentials kept in a distributed credential store are far more difficult to steal than those in a centralized store. Each credential is split into shares held on multiple nodes, so that compromising any one node, or any set of nodes smaller than the reconstruction threshold, yields nothing from which the usernames and passwords can be derived.
- Credentials Are Accessible to Legitimate Users Even If The Network Is Down: Because the shares are stored across multiple nodes, a site can reconstruct its credentials from the nodes it can reach locally, with no connection to the internet or to a central data center. Remote sites (think of an aircraft carrier in the middle of the ocean) that temporarily lose connectivity to the central network can still access their passwords and log into their assets.
How Does Distributed Password Vaulting Make Passwords Hard To Steal?
One major reason that huge volumes of credentials are routinely stolen and sold on the dark web is that they’re being stored all in one place inside an enterprise network.
Think of a centralized password store like a bank vault. All the money is there, and everyone knows it. It might be locked up and heavily guarded, but everyone knows where it is. Furthermore, because of the enormous value, it is a target that bank robbers will invest heavily in breaking into.
If a centralized password vault is like a bank vault, a distributed password vault is like tearing every hundred-dollar bill into a bunch of pieces and storing the different pieces in different locations. The owner of the distributed vault has a special machine that can find and reassemble those pieces into usable money. A cyberattacker, by contrast, would have extreme difficulty even discovering all the locations where the pieces are held; they are not well-known targets the way an Active Directory domain controller is. The attacker would then have to break into each of those locations separately, and the pieces stolen from any one location would still be unusable on their own.
Banks have many layers of physical and electronic security to prevent their vaults from being broken into, but it still happens sometimes. For most companies the situation is worse: a single stolen administrator account can grant a cyberattacker access to hundreds or thousands of other usernames and passwords.
A distributed password vault puts roadblocks in the adversary's path at numerous stages of the attack chain, making it progressively harder for them to complete an attack.
How Xage Reduces Risk with Distributed Password Vaulting
Xage uses two cryptographic techniques, Shamir Secret Sharing and Federated Byzantine Agreement, to build a highly secure, highly available distributed password vault. Shamir Secret Sharing splits each credential into shares that reveal nothing until a threshold number of them are combined; Federated Byzantine Agreement is a consensus protocol that lets the vault nodes stay consistent with each other without a single trusted coordinator. The result is a vault that makes credentials easy to store and manage, while forcing an attacker to compromise a threshold of nodes rather than a single system.
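To make the two benefits listed earlier concrete (shares that are useless below the threshold, and credentials that stay reachable when some nodes are down), here is an added example of Shamir Secret Sharing. It is not Xage's code and does not reflect Xage's parameters: it is a textbook threshold-sharing implementation over an illustrative prime field, with a constructed 3-of-5 scenario, made-up sample passwords, and function names chosen for this example. It shows the "torn-up bill" analogy in working code: a 3-of-5 split, recovery with two nodes offline, and a demonstration that an attacker holding only two shares can make them reconstruct to any password at all, so those two shares reveal nothing. Federated Byzantine Agreement, which keeps the nodes in agreement about which shares are current, is not shown.

```python
"""Shamir threshold secret sharing over a prime field (added example).

A credential is split into n shares so that any k of them reconstruct it,
while any k-1 shares are consistent with every possible secret.
"""
import secrets

# Field prime: 2**521 - 1 is a Mersenne prime, large enough to hold a
# 64-byte secret. Assumption: an illustrative parameter, not Xage's.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coeffs[0] is the constant term) at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def _interpolate(points, x):
    """Lagrange interpolation: value at x of the unique polynomial of
    degree < len(points) passing through every (xi, yi) in points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        # den is non-zero because the x-coordinates are distinct
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def split_secret(secret, k, n):
    """Split an integer secret into n shares with reconstruction threshold k.
    Returns a list of (x, y) pairs; one pair goes to each vault node."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    if not 1 <= k <= n < PRIME:
        raise ValueError("need 1 <= k <= n")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares, k):
    """Reconstruct the secret from any k shares with distinct x-coordinates."""
    distinct = dict(shares)  # x -> y; duplicate x values collapse
    if len(distinct) < k:
        raise ValueError(f"need {k} distinct shares, have {len(distinct)}")
    return _interpolate(list(distinct.items())[:k], 0)


def forge_share(known_shares, k, target_secret, new_x):
    """With only k-1 shares, build a k-th share at new_x under which
    reconstruction yields target_secret. Because this works for any
    target, k-1 shares carry no information about the real secret."""
    if len(dict(known_shares)) != k - 1:
        raise ValueError("forging needs exactly k-1 distinct shares")
    if new_x == 0 or any(new_x == x for x, _ in known_shares):
        raise ValueError("new_x must be non-zero and unused")
    points = [(0, target_secret)] + list(known_shares)
    return (new_x, _interpolate(points, new_x))


def password_to_int(password):
    """Encode a password as a field element (must fit under PRIME)."""
    value = int.from_bytes(password.encode("utf-8"), "big")
    if value >= PRIME:
        raise ValueError("password too long for this field")
    return value


def int_to_password(value):
    """Inverse of password_to_int (passwords starting with NUL bytes not supported)."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big").decode("utf-8")


def demo(password="r00t-Pa55w0rd!", k=3, n=5):
    """Constructed scenario: 5 vault nodes, threshold 3.
    Returns (password recovered with two nodes offline,
             password an attacker can 'reconstruct' from two stolen shares)."""
    shares = split_secret(password_to_int(password), k, n)

    # Availability: nodes 2 and 4 are unreachable; the other three suffice.
    online = [shares[0], shares[2], shares[4]]
    recovered = int_to_password(recover_secret(online, k))

    # Confidentiality: an attacker who compromised nodes 1 and 2 holds two
    # shares. They are exactly as consistent with "hunter2" as with the real
    # password, so nothing about the credential can be derived from them.
    stolen = shares[:2]
    forged = forge_share(stolen, k, password_to_int("hunter2"), new_x=99)
    attacker_view = int_to_password(recover_secret(stolen + [forged], k))
    return recovered, attacker_view


if __name__ == "__main__":
    print(demo())
```

Two practical caveats the code makes visible. The threshold k is the whole security bound: compromising k nodes recovers every credential, and losing more than n - k nodes loses them for good, so k and n have to be chosen against both the threat model and the expected node failures. And shares are secrets in their own right: they still need protection in transit and at rest, and reconstruction should happen only at the point of use rather than on a node that then holds the assembled credential.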
As cyberattacks continue to succeed with stolen credentials for initial access and lateral movement, enterprises need something that does not just store passwords securely, but offers a range of other capabilities for managing privileged accounts and protecting sensitive information. Enterprise password vaults have become just one feature in broader offerings that include privileged access management (PAM), role-based access control (RBAC), multi-factor authentication, automatic secure password generation and rotation, and more.
To learn more about the benefits of Distributed Access Enforcement and Distributed Password Vaulting, download our white paper.