The laptop security gap
You may not realize it, but you have a big security gap with the laptops accessing your corporate apps. Many of these laptops have no security policies associated with them. So your users can use weak passwords that can be easily cracked.
How easily? A password consisting of a seven-character dictionary word can be guessed in less than a millisecond. Hackers have used a graphics processing unit (GPU) cluster to crack every standard Windows password in less than six hours. Cyber-criminals can build a nearly 5,000-core GPU cluster for less than $800 in parts.
“But wait,” you might say, “We’re safe. Our corporate PCs enforce laptop password security policies using Active Directory. Our passwords are secure.”
That might have worked in 2000, when everyone used Windows from an office. But it’s 2017, and Macs are more common than you realize in your corporate environment: when your employees catch up on work in the evening, on weekends, or during vacations, there’s a good chance they’re using Mac laptops to log into corporate apps. Among US consumers, Mac market share may be as high as 25%.
Connecting all those Macs to AD isn’t easy. Microsoft provides no official documentation on how to do this on their website, and you can read horror stories of people who have spent days trying to do so. Sadly, Azure AD doesn’t help either.
These unmanaged laptops are likely to use insecure passwords. Now, what happens if someone steals one of those laptops, which has a still-active session for a corporate web application and a weak OS password?
This scenario is quite possible: laptops are stolen about once a minute, according to separate studies by Gartner and Dell. Full disk encryption won’t help if a laptop has a weak OS password.
How to improve laptop security
Thankfully, there’s an easy solution: OneLogin Desktop.
Last summer, we released OneLogin Desktop for Mac. Today, we’re pleased to announce OneLogin Desktop for Windows. Together, these two products enable you to secure ALL your laptops by extending application password policies to your operating system passwords. You can ensure all OS passwords are sufficiently long to prevent cracking and can enforce regular rotation of those passwords.
OneLogin Desktop has additional advantages:
Unified access policies: OneLogin Desktop, along with the rest of OneLogin’s service, makes it easy to manage device and application security policies in one place. That makes it easier to onboard new employees and ensures that former employees are completely offboarded — which doesn’t happen an astounding 13% of the time — to secure corporate devices and apps from ex-employees.
VPN-free: Active Directory requires a VPN to access remotely. The problem with a VPN is that all network traffic has to go through it, increasing download times when working remotely from overburdened networks on planes, in cafes, and at airports. A VPN often encrypts packets, which consumes CPU cycles and thus reduces battery life. OneLogin doesn’t require a VPN, ensuring faster downloads and longer battery life — a big boost to user productivity and satisfaction.
Interoperate with Active Directory: As much as we like to point out the deficiencies of AD, we realize that it’s not easily ripped out. So we provide a best-in-class real-time bi-directional AD connector, with HTTP proxy support, and automated load-balancing and failover. This lets you manage identities and credentials in AD, lets Macs and PCs authenticate against those credentials without having to bind to an AD domain, and keeps AD safe behind a firewall. Oh, and unlike Microsoft, we actually document how to connect Macs to our directory. Imagine that. (And if you’re cloud-native, OneLogin Cloud Directory can completely replace AD.)
Instant kill switch: When a laptop is stolen, it’s easy to revoke OneLogin Desktop’s certificate so that no one can log into a laptop account connected to OneLogin Cloud Directory. This protects the data associated with that account (since disk encryption is common on Windows 10 and turned on by default on Macs) and prevents that account from logging into any corporate apps.
BYOD-friendly: One of our customers — you’ve undoubtedly heard of them — is growing insanely fast, adding many thousands of users annually. To support that growth while saving money, they tell their users to go out and buy a laptop, expense it, and connect it to the company network. If there’s an issue, the employee works with the laptop manufacturer to get support, just as they would with a BYOD phone. For these cases, OneLogin Desktop is ideal since it lets IT create a company-managed account that they control — without having to get bogged down in the muck of laptop management.
Reduced security fatigue: Nagging users to improve security is never fun. Users hear these warnings so often they’re developing security fatigue and ignoring good security practices. Other identity management products contribute to this fatigue, since they require you to log in to your laptop, then log in a SECOND time into their “Single” Sign-on portal, and then enter a THIRD password sent to your phone. OneLogin Desktop is different: when you log into your laptop, you’re automatically authenticated into all your SaaS apps and SAML-enabled desktop apps (such as Slack and RingCentral). Since this authentication uses two factors — your OS password and the certificate that OneLogin Desktop installs on your laptop — there’s no more fumbling for your phone to enter a second factor. We call this Endpoint SSO, and its convenience will reduce security fatigue.
In summary, you should consider OneLogin Desktop if one or more of the following applies to you:
- You have remote workers
- You have a mix of PCs and Macs
- You don’t have an Active Directory domain
- You are cloud-native, or working to become so
- You have a BYOD laptop policy
Here’s a demo of OneLogin Desktop in action: