A study of recent hacking attacks on corporations makes it obvious that (weak) password credentials are being used both inside and outside organizations, and are frequently the credential protecting remote access to the enterprise and its "crown jewels." Consider one of the most ancient security mechanisms: a visitor's password response to a sentry’s challenge when approaching a checkpoint or encampment "Halt," cries the security guard, "What is the password?" An overheard passphrase, credentials yelled to sentries on one side of the “wall," shouldn't gain an attacker access through all the walls and into the protected area to see the king, the biggest prize of all. However, this is precisely how modern-day enterprises treat their networks, sensitive data, and proprietary systems.
Though more difficult than a standard security setup in most organizations, we must consider that a logical credential firewall should be deployed at the same boundary edge as a network firewall. To be clear, if a credential is used in a low-security zone, it shouldn’t then be accepted in the high-trust zone (e.g., the outside of wall of the castle versus the private chambers of the king). Doing so is particularly challenging when managing service and administrative accounts, but vital nonetheless.
Several major compromises have been accomplished through escalation of privilege, where the attacker used valid but stolen administrative credentials to grab backup and patch management credentials, which allowed for greater access rights. These escalated privileges were broadly deployed across the company and worked in every server zone. At that point, without a credential firewall, those networks were completely owned.
This example illustrates three important points and should drive new operational patterns for security and IT teams:
 All organizational outsourcing/cloud/SaaS/PaaS must never prompt users for a password, but instead use federated identity (e.g., SAML 2.0) for login, with the organization as the identity provider.
 All access using a credential across a boundary must be accompanied with a multi-factor authentication challenge, and that challenge must meet the test of not being shared outside the firm. Where multi-factor is required by law or regulation, this means the organization should use triple-factor authentication, if one of the factors is a known-compromised credential.
 Service accounts exposed outside a trusted zone are not trusted credentials inside a trusted zone. Thus, not only are separate domains required in a DMZ, but also throughout complete infrastructure stacks (e.g., backup, patch mgmt, audit, logging, etc.), as most administrative tools aren't designed to operate with segregated access across multiple trust zones. In the future, they'll have to operate this way, and our networks will have to rise to the challenge as well.
Until organizations implement multi-factor authentication everywhere, this method of protecting passwords and implementing identity and access management is going to become the new normal.
Security Architect & Perspicacious Security Iconoclast
Dan Houser demonstrates 20+ years security leadership in banking, insurance, healthcare, academia, and managerial consulting firms, building on a decade of client-server development, design, network & server administration, audit, quality & structured testing. As the global practice lead for identity, security strategy, international mergers & acquisitions, and strategic projects, Dan has driven programs to kickstart Security Architecture/Enterprise Architecture, Data Security and Identity teams in Fortune 500 companies and non-profits. Known for innovation, his leadership and architecture designs saved a global logistics company over $100MM in 4 years.
Dan's direct experience in the world of security and identity includes principle security & solution architect for both the first commercial SAML federation implementation and first 3-way SAML federation in the world, and global MFA and mobile authentication solutions for payments and administrative access. As practice lead for cryptography in two firms, Dan successfully broke multiple commercial cryptography solutions via cryptanalysis, and has vetted and implemented dozens of cryptosystems and key management solutions. He has countless successful identity and security projects, implementing directory, Single SignOn, audit, incident response, strategic and tactical security services projects in Fortune 500 organizations. While security architect at a major financial firm, Dan invented 5 technologies for patent.