On a typical Monday morning, Joe Employee logs on to his
desktop with his user name and password; the password is his
daughter’s name. After signing into e-mail with yet
a different password (his German shepherd’s name),
he finds he needs to access his company’s CRM application
and gather some information to send to a customer. But because
his CRM password is different from the other two, he can’t
remember it: Did he use his wife’s name, his son’s
birthday or his favorite Ben & Jerry’s flavor? He
calls the helpdesk—which is already busy servicing other
employees in the same password predicament—and waits
seven minutes for assistance. Once he gets his CRM password,
he writes it down—right next to his computer. No sooner
does Joe Employee have that issue sorted out than the IT department
issues its monthly “password reset” mandate. And
so it begins again.
While this example is hypothetical, the
problem it illustrates is decidedly real. Enterprises spend
huge amounts of time and money on security. Last year alone,
according to Meta Group’s 2004 Worldwide IT Benchmark
Report, security spending represented an average of 8.2 percent
of overall IT budgets — an increase from both 2002 and
2001— even though IT expenditures were limited in most
other areas. Yet much of this spending focused on secure access
for companies’ remote and mobile users, as well as their
partners and customers, all of which are outside the firewall.
Just as important—but frequently overlooked—is
the question of how to handle user authentication inside the
enterprise.
“Typically, companies have been concerned
about strong authentication in terms of remote users coming
in,” says Bill McQuaide, senior vice president for enterprise
products at RSA Security. However, if only 10 percent of users
in a 1,000-person organization access the network from remote
or mobile locations, that leaves 900 employees accessing company
networks with less stringent authentication methods. “That
causes a weak link in terms of protecting corporate assets,”
McQuaide says.
Inside the enterprise, companies have for the most part relied on
password-based authentication, but as password policies grow more
complex, users respond in ways that make them less secure.
“Inevitably, users write down passwords, or maybe a
department has one password that everybody shares,”
McQuaide says. “All of those things add more risk to
what IT is trying to secure inside company walls.”
“Organizations have reached a point
where they’re drowning in complexity,” notes Earl
Perkins, vice president for security and risk strategies in
the Technology Research Services division of Meta Group Inc.
“They want to streamline security practices and try
to save some money, so many of them are going after a cleaner,
simpler environment.”
Propelled by both internal and external
drivers, organizations are finding that tangible business
benefits do result from implementing new user authentication
techniques inside the enterprise.
FORCES FOR CHANGE
Among the catalysts prompting enterprises to take a new look
at inside-the-firewall authentication are external pressures
such as:
REGULATORY COMPLIANCE
New legislation is forcing companies
to take greater care of sensitive employee and customer information,
and that means guaranteeing appropriate scrutiny of internal
users as they access that data and providing a concrete audit
trail of user activity. In the United States, these regulations
include the Health Insurance Portability and Accountability
Act (HIPAA), which requires organizations dealing with health
information to adhere to strict privacy provisions; the Sarbanes-Oxley
Act, which mandates accuracy and reliability of financial
information in public companies; and the Gramm-Leach-Bliley
Act, which protects information belonging to financial institutions’
customers. Add to that list the Data Protection Directives
of both the European Union and Japan, which safeguard the
confidentiality of personal information, and you get a sense
of the regulatory pressure being exerted on businesses worldwide.
“We’re seeing a lot of pressure
being placed on enterprises and agencies for compliance-related
matters,” says Perkins. In response to many of these
regulations, he adds, “Organizations need to be able
to provide proof of which people accessed what sensitive information
and when.”
CONSUMER EXPECTATIONS
It’s not just world governments that have increasingly
high expectations for organizations. Consumers also have strong
opinions. A recent study by RSA Security that looked at consumers’
attitudes toward identity theft found that 53 percent of consumers
consider banks and financial institutions to be “very
responsible” for protecting them against identity theft.
In the U.K., a recent Winmark Research study commissioned
by RSA Security found that, of respondents who submit personal
data in on-line transactions, 57 percent believe it is the
website’s responsibility to secure that data. These
indicators mean that companies that rely on consumer trust
must do their best to ensure strong authentication within
company walls. The more secure an organization is against
internal intruders, the more tightly it can guard valuable
customer data, and the less likely it will be to violate that
customer trust.
In addition to the external pressures, global
enterprises face powerful internal demands, including:
MITIGATING RISK
“Roughly 70 percent of unauthorized
access to a company’s information comes from inside
company walls,” says McQuaide. Adhering to the common
perception of a hacker—a twenty-something loner clad
in jeans and a sweatshirt, tapping away at a keyboard from
a studio apartment in Nowheresville—can lull organizations
into thinking the biggest threats come from beyond company
headquarters. “It’s not sufficient just to prove
the identities of people coming from the outside,” McQuaide
says. Without creating tough policies and methods for authenticating
users within the enterprise, companies leave themselves vulnerable.
The risks become even greater when you consider that global
organizations have users authenticating themselves from offices
around the world.
THE PASSWORD PUZZLE
Organizations that are aware of these
sobering numbers often respond by implementing password policies
that become increasingly stringent — and complicated
— as time goes on. “Companies are realizing that
traditional methods of authentication are becoming a problem,”
says Michael Atalla, group manager of the security business
and technology group for Microsoft, which recently teamed
with RSA Security to announce the RSA SecurID® for
Microsoft® Windows solution, designed to deliver
strong authentication for Microsoft® Windows desktops.
“All of the mechanisms that malicious individuals have
for attacking password-based systems have caused passwords
to become mentally complex if they
are to be at all secure,” Atalla explains.
That’s precisely where the paradox
lies: passwords need to be so technically secure that they
become difficult to remember, so people begin to write them
down or otherwise circumvent password policies, which ultimately
makes the entire enterprise less secure. “There’s
a constant struggle between usability and protection of the
assets of a company,” says McQuaide.
THE BOTTOM LINE
While internal password authentication
methods are generally considered to be free (they often are
included with operating systems and applications), the costs
of managing those passwords can drain IT departments. In a
typical day, a user might sign on to five or 10 different
applications, with a different name and password for each.
“As the number of passwords rises, so does the number
of calls to the helpdesk,” says McQuaide. “A single
call to a helpdesk can cost in excess of $50, when you consider
the helpdesk personnel, the systems that are needed on the
back end to recover passwords and the lost productivity of
the users.”
There is a definite ROI attached to the
notion of reducing the complexity of user authentication,
notes the Meta Group’s Perkins. “You have a lot
of different platform environments that have been deployed
over the years, where there are many different ways to authenticate
people,” he explains. “Many enterprises have reached
a point where they are hopelessly lost in a maze of passwords
and IDs.”
SIMPLE, SECURE SOLUTIONS
Once companies recognize the importance of improving authentication
methods inside the firewall — and, experts agree, that
recognition can’t come too soon — they have several
different techniques and technologies to consider. Among them:
TOKEN AUTHENTICATION
Companies that employ this method issue each user a small device,
called a token, that generates a new one-time code at short intervals.
Users authenticate to systems and applications with the combination
of something they know (a short PIN) and something they have (the
token, proven by the code it currently displays).
CERTIFICATE AUTHENTICATION
This method uses a certificate authority (CA) to issue each user a
digital certificate that binds the user’s name and other identifying
information to a public key; the user authenticates by proving
possession of the matching private key.
SMART CARDS AND USB TOKENS
Quickly gaining acceptance as a way to protect identities, smart cards
and USB tokens contain a microprocessor that holds the user’s keys and
credentials. A smart card is read through a card reader, while a USB
token plugs directly into the workstation. Smart cards can be used both
for logging on to a network and for getting into a building.
BIOMETRICS
This technique identifies users by “reading” physical characteristics
such as a fingerprint, face, retina or iris.
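The token method described above, as an added example that is not RSA SecurID’s own (proprietary) algorithm: the token here is an RFC 6238 TOTP generator, the standard open equivalent of a “frequently changing code,” and the server side checks both factors, tolerates one step of clock drift, and refuses a code that has already been used. The secret (the RFC 6238 test-vector seed), the PIN and the user are constructed for the example.

```python
"""Two-factor token check: PIN (something you know) plus a time-based
one-time code from a token (something you have).

Added example, not RSA SecurID's proprietary algorithm: the token is an
RFC 6238 TOTP generator (HMAC-SHA1 over a 30-second time step).  The
secret, PIN and user below are constructed for the example.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30          # how often the token's displayed code changes
CODE_DIGITS = 6
ALLOWED_SKEW_STEPS = 1     # accept the previous/next step to tolerate clock drift
PBKDF2_ROUNDS = 100_000

# RFC 6238 test-vector seed, used here only as a constructed example secret.
EXAMPLE_SECRET = b"12345678901234567890"


def totp_code(secret: bytes, unix_time: int) -> str:
    """Code the token would display at unix_time (RFC 6238, via RFC 4226 HOTP)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class TokenUser:
    """Server-side record for one user: hashed PIN, token seed, replay state."""

    def __init__(self, pin: str, secret: bytes):
        # Only a salted PBKDF2 hash of the PIN is stored; the token seed must
        # stay on the server (kept in memory here for the example).
        self.pin_salt = b"constructed-salt"
        self.pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.pin_salt, PBKDF2_ROUNDS)
        self.secret = secret
        self.last_accepted_step = -1   # highest time step already used to log in


def verify_passcode(user: TokenUser, passcode: str, unix_time: int) -> bool:
    """Passcode = PIN followed by the 6-digit token code.

    Both factors are checked, +/- ALLOWED_SKEW_STEPS of clock drift is
    tolerated, and any code at or before the last accepted step is refused
    so a code captured from a screen or a sticky note cannot be replayed.
    """
    if len(passcode) <= CODE_DIGITS:
        return False
    pin, code = passcode[:-CODE_DIGITS], passcode[-CODE_DIGITS:]

    pin_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", pin.encode(), user.pin_salt, PBKDF2_ROUNDS),
        user.pin_hash,
    )

    current_step = unix_time // STEP_SECONDS
    matched_step = None
    for delta in range(-ALLOWED_SKEW_STEPS, ALLOWED_SKEW_STEPS + 1):
        step = current_step + delta
        expected = totp_code(user.secret, step * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            matched_step = step
            break

    # Decide only after both factors have been evaluated.
    if not pin_ok or matched_step is None:
        return False
    if matched_step <= user.last_accepted_step:
        return False   # valid code, but already used (or older than one used): replay
    user.last_accepted_step = matched_step
    return True


if __name__ == "__main__":
    user = TokenUser("1234", EXAMPLE_SECRET)
    now = 59                                   # RFC 6238 vector time: code 287082
    print(verify_passcode(user, "1234" + totp_code(EXAMPLE_SECRET, now), now))  # True
    print(verify_passcode(user, "1234" + totp_code(EXAMPLE_SECRET, now), now))  # False (replay)
```

The replay state is the part most often left out of home-grown token checks: without `last_accepted_step`, a code remains valid for the whole drift window, so an attacker who shoulder-surfs a passcode has up to a minute to reuse it.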
By implementing any of these authentication
techniques, organizations can realize some tangible benefits:
EASE THE USER BURDEN
By adopting authentication methods that are the same for users both
inside and outside the enterprise, companies can simplify the user
experience and offer consistent sign-on methods. Imagine how convenient
it would be for users to have a single login credential that provides
access to multiple systems and applications.
EMPOWER USERS
Strong user authentication offers the potential to create
more productive users by making more systems and applications
accessible, while at the same time keeping those applications
secure. “The idea is to make security comfortable and
easy for the end users, as opposed to trying to disrupt the
work flow and upset the user community,” says McQuaide.
EASE THE IT BURDEN
“When compared to the current
state of password-based systems, [stronger user authentication
methods] will reduce the requirement to remember long, complex
passwords, and in theory reduce the load on IT departments
that have been overrun with having to reset passwords,”
says Microsoft’s Atalla. By eliminating the need for
password resets and time-consuming, costly helpdesk calls,
strong user authentication methods have the potential to reduce
strain on IT departments and ultimately improve the bottom
line.
BUILD THE AUDIT TRAIL
Strong authentication methods
offer organizations a single, concise log of users’
activities, and those records can go a long way toward proving
regulatory compliance and protecting company assets. “You’re
able to use that later on if you’re called upon to know
when a particular resource was accessed and why,” says
Perkins.
SECURITY SOLUTIONS
USER-AUTHENTICATION TOOLS FOR VARIOUS NEEDS & ENVIRONMENTS
RSA SECURID® SMART CARDS
Smart cards offer users the opportunity to store
different methods of authentication in one physical
card. The smart card can hold both electronic
and physical identification so that an employee
may, for example, use the same card to get into
the company headquarters and to log on to his
workstation by plugging into a smart card reader.
RSA SECURID® USB TOKENS
Like smart cards, these devices can store digital
certificates and user identification, along with
other applications, in a container that travels
easily and plugs into a USB port. The result:
secure access to network information both locally
and remotely.
RSA KEON® CERTIFICATE AUTHORITY
This software provides an automated, centralized
way for organizations to manage digital identities
such as cryptographic keys and digital certificates,
providing organizations with a secure way for
employees to conduct and authenticate electronic
transactions.
FOUR TIPS FOR STRONGER USER AUTHENTICATION
Choosing new authentication methods requires
the right combination of analysis and forethought.
Earl Perkins, vice president for security and
risk strategies in the Technology Research Services
division of Meta Group Inc., offers these tips
for organizations looking at secure enterprise
access.
1. KNOW what’s going on inside your enterprise.
How many employees do you have? What levels of
authentication are already in place? “You
can’t build a strong authentication methodology
if you don’t know what simple authentication
you have first,” says Perkins.
2. ASSESS what’s most valuable to your enterprise,
and determine which employees deserve high levels
of access. “You’re not going to be
able to give everybody gold-level access —
there are going to be layers,” he says.
3. EVALUATE the maturity of security options currently available
in the marketplace. “In their eagerness
to look at some of these modern technologies,
people overlook some really good capabilities,”
Perkins says. “Instead of rushing out to
buy expensive technologies, be realistic and pragmatic
about what you can and cannot afford.”
4. CHOOSE those technologies that line up most closely with
your organization’s needs. “There
may be, in some cases, a need for some enterprises
to buy the most modern capabilities,” he
notes. “Be sure to match the capabilities
of the technology with the needs of the company.”
Illustration by Christian Northeast