Gartner Blog Network


Security Solutions Can Lead to Risk Problems in the Digital World

by John A. Wheeler  |  June 17, 2015  |  3 Comments

This week, a password security company announced that it had been the victim of what they described as a “network compromise” by an unknown intruder. In other words, the company had been hacked. This event has created a frenzy of speculation in the press. The nature of this data breach is unique in that it exposed master passwords and customer data used to gain access to a multitude of user passwords that the security company manages.

You see, the company specializes in providing password management services to alleviate the need for remembering countless passwords for both business and personal app use. Having to remember all types of ever-increasing complex passwords just to conduct your daily affairs is a real problem for many people today. So, this particular company offers its customers a cloud-based vault to store all of their passwords and automatically link to the appropriate app to expedite login. This is a great solution to a major information security headache.

However, as this week’s announcement demonstrated, there is a serious downside. While the password security company could safely say that all the passwords stored in its vault were safe, it could not say the same for the master passwords used to access the vault by each customer. Evidently, the hackers gained access to the master passwords as well as other customer identifying data. The company’s suggested resolution to the problem is to have each customer change their master password. This is not a very comforting message for the customers impacted.

Security solutions like these have the very real potential to create major risks in our new digital world. So, how can situations like this be avoided? A great way to start is to first understand the potential risks of a digital solution through the lens of its analog equivalent. In this case, the analog equivalent is the use of the traditional safety deposit box within a physical bank vault. Keys to each box are provided to each customer and the bank has a key. Both keys must be used to access the contents of the box.

This analog approach is similar to using multi-factor authentication. Two keys are required to access the vault – the master password (customer safety deposit box key) and a code generated by a third-party app (bank key). While the password security company does offer multi-factor authentication, it is not required for use by its customers. After this week’s announcement, that may be a decision they reconsider.

sdb2

 

 

Additional Resources

Category: cyber-risk  cyber-security  digital-risk  information-technology  risk-management  security  security-of-applications-and-data  technology-and-emerging-trends  

Tags: data-breach  digital-risk-2  digital-security  password-manager  

John A. Wheeler
Global Research Leader - Risk Management Technology
8 years at Gartner
30 years IT Industry

John A. Wheeler is global research leader for risk management technology solutions and professional services. His areas of specialty include integrated risk management, executive leadership and corporate governance. Follow him on Twitter @JohnAWheeler Read Full Bio


Thoughts on Security Solutions Can Lead to Risk Problems in the Digital World


  1. Really very great information .Please read this .

  2. […] Lastpass-sagen illustrerer på mange måder en udfordring med løsninger, der hjælper brugerne med at opbevare de mange adgangskoder, skriver Gartner-rådgiver John Wheeler i et blogindlæg. […]

  3. […] Lastpass-sagen illustrerer på mange måder en udfordring med løsninger, der hjælper brugerne med at opbevare de mange adgangskoder, skriver Gartner-rådgiver John Wheeler i et blogindlæg. […]



Leave a Reply

Your email address will not be published. Required fields are marked *

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.