The impact of the Internet over the last few years has meant fundamental changes in the way we access business systems. The network security perimeter has crumbled at all levels while the number of users wanting network access has grown.
The geographical location of users has also widened to a situation where they can be, not just in a different department or company branch office, but anywhere in the world.
The devices for gaining access have multiplied and diversified. Users now want to access using mobile and wireless devices, including laptops. The information they want to access has widened to encompass all aspects of a business, including e-mail, a greater range of applications and various types of data.
While there are enormous productivity benefits available from increased access, the security risks have greatly increased. The traditional method of securing system access was by authentication through the use of passwords. Unfortunately, traditional password authentication is totally unsuitable for securing the access requirements of today’s distributed users.
UK companies are considerably behind the curve in responding to this changing scenario. According to the DTI Information Security Breaches Survey 2006, UK businesses are still overwhelmingly dependent on user IDs and passwords to check the identity of users attempting to access their systems.
The Survey says that UK companies are poorly placed to deal with identity theft, with only 1% having a comprehensive approach for identity management (authentication, access control and user provisioning).
Types of authentication
Weak single factor authentication
This is the use of single static passwords and is still employed by most UK companies. The benefit is that static passwords are easy to remember. However, when you have different passwords for different systems, they become very difficult to remember and end up written down, which makes them vulnerable. A significant use of Post-It notes is rumoured to be password related.
The many disadvantages of single static passwords include how easy they are to crack: they are typically short, letters only, and based on topics close to the user, such as birthdays, partners’ names or children’s names.
They are also vulnerable to social engineering, i.e. people asking for your password or guessing it. Some highly publicised surveys carried out at railway stations have shown how easy it is to get people to reveal their passwords. Passwords can also be picked up by spyware.
The alternative method of password management is to change passwords regularly. Operated correctly, this is inherently more secure than static passwords. The disadvantage is that frequently changed passwords are easily forgotten, leading to very high support costs and significantly increased administration costs. This is particularly relevant for larger organisations with hundreds of applications.
Single Sign On (SSO)
Single sign on allows users to authenticate once and then gain access, when required, to multiple permitted software systems. This is useful where users need to access an ever-increasing number of applications. SSO has major security and user benefits, as well as significantly reducing the helpdesk costs of password management.
There is a security risk with static password-based single sign on, because a single breached password exposes every system that user can access. Typically, therefore, SSO deployments are combined with some form of two factor authentication. SSO is now undergoing rapid growth thanks to new technology from companies such as Imprivata, which has dramatically lowered the cost of deployment.
Strong authentication involves one of a range of elements such as hardware tokens, soft tokens, fingerprint recognition, swipe cards, etc. Most strong authentication deployments are used together with passwords (two factor authentication).
Strong two factor authentication
Strong two factor authentication is a much more secure means of authenticating users onto networks as it requires two separate security elements.
It comprises something you know (a password) and something you have (e.g. a token). Tokens are currently the most popular two factor solution, due to their low cost, ease of deployment, ease of management and the standard of security they provide. VASCO, one of the market leaders, provides hardware tokens which generate one time passwords (OTP). The rapid fall in the price of tokens means they are now available from only a few pounds per user per year.
To put that in perspective, it’s less than the cost of ONE password-related helpdesk call. With password-connected calls making up between 30% and 50% of all helpdesk calls (depending on whose research you accept), tokens can represent a cost-saving as well as an improvement in security.
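To make concrete how a one time password token and the server agree on a code without ever sending the secret, here is an added example (not from the article, and not VASCO's or any vendor's code) that simulates an event-based hardware token and a server check using the HOTP algorithm from RFC 4226. The "something you know" is a salted, stretched password hash; the "something you have" is the token's shared seed and counter. The seed is the RFC 4226 test-vector value, embedded here purely so the output is reproducible; the password and look-ahead window are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo seed: the RFC 4226 test-vector key, not a real token seed.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class HardwareToken:
    """The 'something you have': holds the seed and a counter that only moves forward."""

    def __init__(self, seed: bytes, counter: int = 0):
        self._seed = seed
        self._counter = counter

    def press(self) -> str:
        code = hotp(self._seed, self._counter)
        self._counter += 1
        return code


class AuthServer:
    """Server side: password hash (something you know) plus token seed and last-used counter."""

    def __init__(self, seed: bytes, password: str, look_ahead: int = 5):
        self._seed = seed
        self._counter = 0            # next counter value the server expects
        self._look_ahead = look_ahead  # assumed resync window; a real deployment tunes this
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash_password(password)

    def _hash_password(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _verify_otp(self, otp: str) -> bool:
        # Accept the next few counter values so a token pressed without logging in stays in
        # sync, then move past the accepted value so the same OTP can never be replayed.
        for c in range(self._counter, self._counter + self._look_ahead):
            if hmac.compare_digest(hotp(self._seed, c), otp):
                self._counter = c + 1
                return True
        return False

    def login(self, password: str, otp: str) -> bool:
        pw_ok = hmac.compare_digest(self._hash_password(password), self._pw_hash)
        # The OTP is checked (and consumed) even when the password is wrong, so a failed
        # attempt does not reveal which factor was at fault.
        otp_ok = self._verify_otp(otp)
        return pw_ok and otp_ok


def demo():
    """Walk through a normal login, a replay, a resync after unused presses, and a bad password."""
    password = "correct horse battery staple"  # constructed demo password
    token = HardwareToken(DEMO_SEED)
    server = AuthServer(DEMO_SEED, password)
    code = token.press()
    first = server.login(password, code)     # fresh OTP with correct password: accepted
    replay = server.login(password, code)    # same OTP again: rejected
    token.press()
    token.press()                            # two presses without logging in
    resync = server.login(password, token.press())  # still inside the look-ahead window
    wrong_pw = server.login("wrong", token.press())  # valid OTP cannot rescue a bad password
    return first, replay, resync, wrong_pw


if __name__ == "__main__":
    print(demo())
```

The server never stores or transmits the one time password itself; it recomputes it from the seed and counter, which is why a captured code is useless once the counter has moved on. Time-based tokens (TOTP, RFC 6238) replace the counter with a time step but keep the same HMAC-and-truncate core.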
Other two factor options include soft tokens, which can be sent to your mobile phone, swipe cards, USB-based authentication and fingerprint recognition. Proximity authentication is another variation: once you have authenticated and remain within wireless range, you do not need to authenticate again for another system.
Similarly, converged physical/logical security, in which swipe card building entry systems are linked to IT systems security, allows organisations to integrate physical access security with network security. Companies such as Imprivata are providing converged security systems in this area.
This article has been submitted by Mr. Ian Kilpatrick, chairman Wick Hill Group, specialists in secure infrastructure solutions.