by: VMware Senior Security Architect Craig Savage
Sometimes you can’t see the forest for the trees, and this is the case when it came to colleague security. VMware IT teams were so focused on creating a safe ecosystem that password protocols became overly complex on a greater number of disparate systems. This had the reverse effect: colleagues were reusing passwords and finding other ways to bypass the complexity, making our entire security initiatives less effective.
Thus, for us at VMware, a new journey to passwordless security began, one that was easier said than done. Unlike a lot of similarly-sized enterprises, VMware has an extremely heterogeneous technology environment. This presents significant issues when attempting to deliver the same optimum colleague experience regardless of device or geo, all while maintaining high security standards.
Less is a lot more!
Our journey’s objectives focus on removing passwords wherever feasible by employing tokens and certificate-based authorization to provide the necessary credentials. We are also committed to delivering a non-intrusive experience for colleagues, as well as one that encourages the creation of better and (ultimately) safer passwords where required. The goal is to make security “second nature” by being as seamless as possible—and the best way to accomplish that is to keep it simple by removing typed-in password requirements whenever possible.
Turning dreams into a (secure) reality
Creating a secure ecosystem in an era of multiple devices, remote colleagues, global offices and dynamic market changes is no easy task. Making that ecosystem simple to use is even more challenging. To that end, we are implementing a variety of robust protocols and processes collectively called the VMware Cloud Authentication Service. Components include push notifications based on multi-factor authentication (MFA) such as colleague ID combined with a randomly-generated token code, as well as incorporation of biometrics and Fast Identity Online (FIDO) Alliance protocols. In addition, deployment of on-premises/cloud hybrid solutions to ensure resilience (load balancing/fault tolerance) and “access anywhere” and improved self-service/self-recovery options that encourage continued protocol adherence are included.
Present challenges require future thinking
Since there is still the requirement to have the “something you know” part of the authentication triad (the three factors being something you have, know and are), passwords still need to exist. We just strive to make it as easy as possible, even where there is a requirement for complex passwords that are different on every system. For example, the use of FIDO2-type USB devices has allowed for those long and complex passwords to be easily and securely stored, ready for colleagues in those increasingly rare occasions when they need it.
In general, using certificate-based authentication has removed the need for passwords on many of our platforms, and the list grows as we extend our identity management platform’s reach.
Such a major change is not without roadblocks: there have been issues with the integration of legacy applications and other technical limitations, in addition to compliance with various international standards and regulations.
At the end of the day, we have made significant progress in accomplishing what was once thought unattainable—the ability to provide colleagues with near-passwordless access on any device, anywhere, while IT realizes better internal and external control than ever before.
Stay tuned for updates on the next leg of this fascinating journey.
VMware on VMware blogs are written by IT subject matter experts sharing stories about our digital transformation using VMware products and services in a global production environment. Contact your sales rep or [email protected] to schedule a briefing on this topic. Visit the VMware on VMware microsite and follow us on Twitter.