When it comes to shadow IT and security, we pointed out the oversight and challenges of password protection and employee-created accounts many times before. But our partner Scirge, with the release of the solution – Scirge 3.1, this was taken to the next level, improving the efficiency of detection capabilities while simultaneously protecting employee privacy.
Scirge collects data that customers specifically choose, in order to respect the privacy from the beginning. In addition, it is already one of the principle features to allow the anonymization of personal data for auditors or administrators – even for logging and alerting.
Scirge updated their policy design to allow for an additional use-case: detecting the private reuse of corporate passwords without collecting any PII data from our employees.
Why is this important in the first place? We have already been able to uncover the use of weak, shared, reused, or breached passwords, but our policies required the collection of the complete account information, including the email address and the URL that was used, along with the passwords. This works great for corporate emails, as these are owned by the organization and regulated by internal policies.
In all honesty though, we had a bit of an issue with personal accounts. It goes without saying that reusing a corporate password (even an Active Directory password) in a personal account – whether for entertainment, personal finances, or any other purpose – is a properly scary topic for security. With billions of breached records available out in the wild, the correlation of different emails belonging to the same person becomes a likely threat for high-profile employees and executives.
When such correlations are made by attackers, private passwords become much more valuable, as it is likely that the same password has been used for your corporate accounts. After all, we are human and, when we are forced to create and remember strong business passwords, it only makes sense to reuse them for our private accounts, since their strength and complexity was confirmed by corporate policies.
This is one of the darkest corners of shadow IT, as the personal nature of such accounts are not even relevant for the organization. The passwords reused in them, however, can introduce invisible backdoors to our kingdom. Monitoring personal activity has always been a controversial topic, but we believe that the only way to go is to provide 100% privacy and 100% security at the same time.
Simply put, the challenge of these accounts is to discover the private reuse of corporate passwords without breaching the privacy of the individuals.
And this is exactly what Scirge did. Starting with Version 3.1, it is possible to collect password hashes without collecting the account information – i.e., without collecting email addresses or the URLs where they were used. This means that policies may be set up to monitor personal activity, but with the sole intention of pinpointing if someone is reusing a corporate password in a private application. Of course, this only requires to collect the secure hashes of private passwords and compare them to other corporate passwords’ hashes. A one-way secure hash is not personally identifiable; thus, it falls out of range for privacy concerns. By the way, we also never store the cleartext version of corporate passwords to avoid introducing a new source of weakness into the organization.
Password hashes can be stored in the local environment without ever being sent anywhere, just so that we are able to compare and correlate them for reuse and sharing detection. This new setup allows us to shed light on even the darkest corners of shadow IT, while respecting our employees and without compromising privacy.
Ask us more about this Scirge 3.1 solution!
