Picture this: you’re a trader on the brink of making millions for your investment firm. You log in to the system to complete the first step of your transaction. You move on to the second step using another application and another password. Just as you’re about to enter the application for the third step of the process, you get that dreaded grey error box: “Password invalid”. You try it again. Then in uppercase. You try another password. You search high and low through the Post-It notes tacked to your monitor for the one that might work. Fellow traders can hear the cursing and swearing as you resort to yelling at the helpdesk personnel to provide you with immediate access to the application. If only they could.
The growing password problem, the proliferation of network access devices and the rush to conduct business online is pushing authentication and single sign-on high up the network security agenda. As CIOs decide where they will invest their IT dollars for the balance of this year and early into 2002, they would be remiss to omit authentication technology. Considering the foregoing scenario, this new pillar of network security should actually top the list.
There is much hype these days about secure e-commerce, conducting business over cell phones and PDAs, and other emerging scenarios. The reality is that today organizations are focused on securing their internal networks.
Recent press has proclaimed that the greatest exposure to fraud and malicious attacks comes from within the organization. Think about it: a medium-size bank or government department has upwards of 50,000 desktops. That’s over 50,000 points of security exposure. In so many cases, sensitive information is protected by a password that is shared, written on a Post-It note or emailed to others. And it often goes unchanged for as long as possible. Internal network security technologies such as encryption, firewalls and Public Key Infrastructures (PKIs) all have a place within mainstream enterprise security infrastructures, but they do not address the fundamental issue of how to verify the identity of the end user – the role for which passwords were originally created.
Take PKIs, for instance. A PKI manages digital certificates (including your encryption and signing keys) transparently so customers and partners can conduct e-business with confidence. However, often these digital keys and certificates are protected by only a password or Personal Identification Number (PIN), their complexity dictated by the need for maximum security. Unfortunately, organizations encounter the same problem with PKI passwords as they do with all other passwords. And because the nature of PKI dictates the need for a more complex password or PIN, there is often much user resistance to PKI implementation. In order to get the full value out of PKI technology, authentication is needed to bind the actual user with his or her digital identity.
End user convenience is, in fact, the most common driver behind the implementation of authentication solutions. Common sense dictates that if you can just get users to adhere to network security policies, your systems will inherently be secure. So the challenge becomes, how do you appeal to end users?
Enter single sign-on. It might be a single password, or a password replacement such as a smart card or a biometric. For years, biometric devices were expensive, proprietary and just plain scary in terms of privacy. But fingerprint devices have become affordable for wide-scale deployment, vendors have had to integrate non-proprietary technologies, and privacy issues are better understood. For instance, we understand now that fingerprint data is not actually stored.
The attitude towards privacy in the corporate IT world never reached the fever pitch it did (and still does) in the consumer world. Maybe it’s because the general population isn’t educated enough about the technology. In today’s corporate network security environment, biometrics is a real and feasible alternative to the password. So while biometric authentication is a reality now, its use on mobile phones and PDAs is not. For now, large organizations are loath to invest in these handheld devices for all their users, particularly in light of the fact that wireless technology isn’t quite ‘there’. It will be, but for now the focus is on the desktop.
Authentication Technologies Defined
Single sign-on, whether it’s biometric or not, is an important part of the authentication equation. But don’t think it is the only part.
When you attempt to verify the identity of a person, the process is called user authentication. For years, passwords have provided that verification. Strong user authentication refers to any authentication process that increases the likelihood that a user’s identity will be verified correctly. Identification factors fall into three categories: Knowledge (something you know, such as a password), Possession (something you have, such as a smart card or token) and Being (something you are, such as a biometric fingerprint). In some cases, strong authentication is achieved through the use of multiple factors from different categories together.
As you decide on priorities for your 2002 IT budget, keep in mind that, unlike some security technologies such as PKI, authentication does not have to be complex or budget-hungry. In fact, preparation for an entire enterprise roll-out can be as simple as including it in your new Windows 2000 desktop build.
Let’s forget any considerations that are not IT-related for a moment. If you look at what counts within the IT environment, some must-haves are obvious. IT groups contend with diverse user populations and disparate systems, often working up one-off applications and roll-your-own solutions every day. An authentication infrastructure shouldn’t be one of those. A proper analysis of your user populations and their needs can help determine authentication requirements more realistically. Understanding what platforms and applications need authenticated access is also crucial, of course. A close look at your existing security infrastructure helps. You might want to ask yourself how authentication technologies could enhance those as well.
Look at credential consolidation. Single sign-on is a crucial aspect of an authentication solution. To work effectively, an enterprise solution must consolidate credentials for a wide range of off-the-shelf products, including the local operating system, local area network, desktop applications, legacy applications, Web-based applications, and services such as a PKI. Further support for Web logins or vertical applications, plus support for on-screen login dialogs, can facilitate acceptance by users.
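The two ideas above, strong authentication from factors in distinct categories and single sign-on that consolidates per-application credentials, can be put together in a small model. This is an added example, not code from the article or from any product it describes; the factor table, the PBKDF2 parameters, the HMAC-based token code and the sample credentials are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# The three identification-factor categories the article names.
CATEGORY = {"password": "knowledge", "pin": "knowledge",
            "token": "possession", "smart_card": "possession",
            "fingerprint": "being"}

def is_strong(verified_factors):
    """Strong authentication: verified factors from at least two distinct categories."""
    return len({CATEGORY[f] for f in verified_factors}) >= 2

@dataclass
class User:
    salt: bytes
    pwd_hash: bytes          # PBKDF2-HMAC-SHA256 of the password (knowledge)
    token_secret: bytes      # shared secret of a hardware token (possession)
    app_credentials: dict    # consolidated per-application credentials (SSO store)

def enroll(password, token_secret, app_credentials, salt=b"constructed-salt"):
    # Salt and iteration count are assumptions for the example; use a random salt in practice.
    pwd_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return User(salt, pwd_hash, token_secret, app_credentials)

def token_code(secret, counter):
    """Six-digit HMAC-based one-time code for an event (counter) token."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    return "%06d" % (int.from_bytes(mac[:4], "big") % 1_000_000)

def verify_password(user, password):
    h = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, 100_000)
    return hmac.compare_digest(h, user.pwd_hash)

def verify_token(user, code, counter):
    return hmac.compare_digest(token_code(user.token_secret, counter), code)

def single_sign_on(user, factors, counter):
    """Verify each presented factor, then release the consolidated credentials
    only if the verified set is strong. One factor, or a wrong one, unlocks nothing."""
    verified = []
    if "password" in factors and verify_password(user, factors["password"]):
        verified.append("password")
    if "token" in factors and verify_token(user, factors["token"], counter):
        verified.append("token")
    if not is_strong(verified):
        return None
    # A production vault would hold these encrypted and release them per application.
    return dict(user.app_credentials)
```

A password plus a PIN both fall in the Knowledge category, so `is_strong` rejects that pairing even though two credentials were presented.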
It’s a reality that a large organization has everything from aged mainframe applications to new thin-client, browser-based applications. An authentication infrastructure has to secure access to all of them. There is no point having multiple security policies.
So, understand your integration, security and usability requirements first. They will dictate what features and benefits you need to have in a solution. And while you may not see a need to implement smart cards yet, you know it’s coming down the road. Think ahead. You’ll want your authentication project to incorporate upcoming security initiatives.
Deployment deserves its own special considerations, since authentication solutions have come so far in recent years. There are organizations out there rolling out some pretty cool technology to their end users. You can learn from their experiences. As with any IT project, a phased, global roll-out always works best. Deployment must accommodate all existing and planned corporate security policies, workflows and geographic issues.
Realistically, client/server is the logical approach for authentication. There are still geographic issues around user enrolment for biometrics and smart card issuance, but a centralized administration tool for configuring users can help alleviate some of the headaches at the user end.
The burning question is whether to outsource or implement and manage an authentication project in-house. If you have in-house resources with experience in multiple security technologies, that might work for you. But as with any technology that hasn’t quite hit the mainstream, it’s often best and most economical to leave it in the hands of experts.
Fortunately for the customer, authentication companies are still vying for market position, which means product and services can be obtained at a reasonable cost.
Should you expect ROI?
Return on Investment is always a tricky thing, particularly when it comes to network security. There are some hard numbers available if you look at helpdesk costs associated specifically with password resets and other system access issues. (Gartner Group puts the cost of each call for a password reset at $14 to $25.) In the end, though, judging the impact of authentication on your overall network security is a subjective thing. If you succeed in responding to that frustrated trader’s need to eliminate passwords, that’s a ringing endorsement from the revenue-generating side of the business.
As authentication technologies evolve, there may be more concrete, measurable results. For now, there are enough reasons to at least get the ball rolling.
Marshall Sangster is president and CEO of Ankari Inc., a provider of enterprise authentication solutions to some of the world’s largest financial, government and healthcare organizations.