Enabling Business Through Strong Authentication

Untitled Document

Digital data and communications have become an inseparable part of people's lives, holding enormous value for organizations. Additionally, enterprises are expecting employees to be connected and work outside the office, making mobile workforce more and more common. Thus, the need for data protection has taken the spotlight.

Organizations are turning to identity and access management solutions -- which increasingly include strong authentication as a vital element -- to establish secure and trusted digital environments. Numerous forces are driving organizations to implement strong authentication solutions, such as:

  • Enablement of secure high-value transactions and provision of secure access to important information, to increase productivity and business
  • Compliance with regulations
  • Defense against attackers who exploit weak authentication for identity theft and fraudulent transactions
  • Reduction of costs derived from password management and lost passwords
  • Attraction of an increasing number of security-conscious consumers

IT executives are increasingly looking for holistic strong authentication solutions, rather than combining multiple systems. Holistic solutions can offer a mix of authentication devices for flexibility and cost savings, a broad range of supported security solutions to meet current and future needs, management tools for cost-effective deployment and life-cycle management of the full solution, and the capability to integrate with existing IT infrastructures and security policies.

Alongside this growing demand for advanced strong authentication solutions, more comprehensive and integrated product offerings are offered that support present and emerging requirements, improve ease-of-use for both users and administrators, and provide significant ROI.

The demands of consumers as well as compliance pressures bring organizations to search for new ways to strengthen their internal controls, authentication methods, and identity management practices. The message is clear: action is needed to stay ahead in the fast-changing, security-conscious market.

Passwords are no longer adequate

Upon their introduction in the early 1960s, passwords were regarded as cheap, easy to use, and secure. Forty years and many technological developments later, is there any reason to believe these facts still hold?

Difficult to use and remember, passwords are also expensive to manage and are not at all secure. Studies reveal that users today have on average approximately 15 password-protected accounts. One password may be easy to remember, but handling many passwords is a time-consuming task and a security hazard. It has become evident and widely accepted that passwords are not a reliable method for authenticating users. To achieve the benefits of information security and overcome the inherent weakness of passwords, organizations are turning to stronger authentication solutions.

The Bottom Line: Strong Authentication is Key

Those wishing to enable more business, reduce security vulnerabilities, comply with regulations mandating data privacy and protection, save costs, and attract security-conscious customers, a strong and robust authentication system can lead the way to achieving business goals.

Accelerate Business - By implementing strong authentication solutions, organizations can allow legitimate users to access sensitive data anytime, anywhere. With the enhanced security, organizations can provide their users with tools and abilities that are otherwise risky or not practical. For example, hospitals can enable their patients to securely access personal medical records online, businesses can enable their executives to access confidential business data from the corporate network while traveling, and university professors can allow their students to securely submit examinations and view their grades electronically.

Reach Compliance - A growing number of rules and regulations hold organizations responsible for the integrity of their business data and for the protection of personal information that has been entrusted to them. To comply, organizations need to ensure that individuals who access their network, applications, and portable devices are indeed who they claim to be. Therefore, strong authentication constitutes a basis for compliance with many of these regulations.

The Federal Financial Institutions Examination Council's (FFIEC) Authentication Guidance considers "single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties…Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation." Another instance is the Health Insurance Portability and Accountability Act, which requires healthcare-related organizations to securely authenticate individuals before granting them access to sensitive patient data.

The above requirements are just two examples from an ever-growing list of regulations, including the Sarbanes-Oxley Act, Electronic Signatures in Global and National Commerce Act, Basel II, Food and Drug Administration (FDA) 21 CFR Part 11, and more, that mandate organizations to protect their data and meet IT security standards. Strong authentication enhances compliance by enabling secure user access and providing a proven and attestable method for protecting internal data and networks.

Boost Productivity - Providing users with widespread access to necessary business data and applications in the office, at home, or on the road, improves communication among employees, shortens the response times to clients and customers, and in short, increases productivity. Strong authentication solutions provide the needed security for organizations to give their users such access.

Correctly implemented strong authentication solutions also increase productivity by significantly reducing the time spent on password administration and maintenance by both users and help desk personnel.

Reduce Costs, Enhance ROI - Strong authentication enables organizations to provide increased connectivity and secure access to digital data and applications. By offering additional services online, organizations can enhance efficiency and thereby save significant costs in their ongoing business activities.

Organizations can reduce the ongoing costs associated with password administration when implementing strong authentication with single sign-on capabilities, as users need not handle multiple passwords. Strengthening security also saves organizations significant costs by preventing potential security breaches. These include misuse of data and networks by insiders, lost data from stolen laptops, and other security attacks that affect many organizations today. With strong authentication, it is possible to block unauthorized access and to hold authorized individuals accountable for their usage of the organization's digital resources, thereby reducing errors or deliberate harmful behavior.

Typically, different strong authentication offerings provide various levels of solution support. The broader the range of security solutions enabled -- such as secure network access, single sign-on, PC security, and secure data transactions -- the greater the return on investment (ROI).

Attract Customers - The dramatic increase in fraud and online identity theft has led consumers to demand better online security. Organizations are now viewing security not only as a need for compliance, but also as a marketing differentiator, attracting customers, increasing sales, increasing brand loyalty, and improving their reputation by positioning themselves as security-minded. Consumers are dictating to the market that the better product is also the safer product. Strong authentication provides an effective solution users can easily understand and adopt.

What's available through strong authentication solutions?

Organizations can ensure that a user is indeed who he or she claims to be. Strong authentication solutions increase the security of the authentication process beyond passwords by requiring two or more of the following forms of authentication:

  • Something you know - something the user needs to remember, such as a password, a PIN, or an answer to a personal question
  • Something you have - something the user needs to physically carry, such as a token or a card
  • Something you are - a biometric feature, such as a fingerprint or facial characteristic

These solutions commonly involve a physical device (e.g. token) used together with a password to prove the owner's identity. A wide variety of strong authentication token technologies and form factors are available in the market. The following are descriptions of the key form factors available today:

Smart Cards -Smart cards are credit card-sized devices that contain highly secure microprocessor chips dedicated for cryptographic operations. To authenticate, users must insert their smart cards into their readers and enter a password. Smart cards provide highly secure storage of user credentials and keys. While providing functionality and security, smart cards lack mobility.

Smart Card-Based USB Tokens - Smart card-based USB tokens, which contain a smart card chip, leverage the advantages of both USB tokens and smart cards to provide the greatest level of security and versatility, and they enable a broad range of security solutions and provide all of the benefits of a traditional smart card and reader, without requiring the separate reader.

One-Time Password (OTP) Tokens - OTP tokens are small handheld devices that allow authentication using onetime passwords generated by the device, based on a secret key shared by the device and an authentication server. A user wishing to authenticate enters the one-time password appearing on the token, and this value is compared to the value generated by the authentication server.

Hybrid Tokens - Hybrid tokens provide multiple types of functionality, which increases flexibility. Hybrid USB and OTP tokens allow full USB-based strong authentication and security solutions, as well as OTP-based strong authentication in detached mode when needed.

Software Tokens - Software tokens enable strong authentication without a dedicated physical device. These tokens are software programs that can be stored on a user's computer, or on mobile devices such as a cellular phone or PDA. Based on a secret key, the token generates a one-time password that is displayed on the computer or mobile device. Software OTP tokens are also available for use with mobile devices.

What to look for when evaluating a strong authentication solution

With so many strong authentication offerings available today, it is important for organizations to carefully evaluate the available solutions before making a decision on which solution to implement. When investing in a strong authentication solution, organizations should carefully examine their current and future needs, and select the solution that best answers those needs. The following are some questions to consider:

  • Do I want to protect my internal network from unauthorized access?
  • Do my users need to connect from remote locations? Do my employees travel frequently?
  • Do my users need to access many password-protected applications?
  • Do I want my users to digitally sign and encrypt sensitive data or transactions?
  • How sensitive is my business data?
  • Do I want to firmly protect data that sits on my users' PCs and laptops?
  • Have I or do I want to implement a secure physical access solution?
  • How usable, flexible and manageable must the solution be for my organization?

Managers are realizing that security is vital for enabling business, cutting costs, complying with the applicable regulations, establishing a productive work environment, and attracting customers. Meanwhile, strong authentication solutions can typically answer the organizations' needs by providing easy-to-use solutions with numerous benefits to both users and organizations.

About the Author

Chen Arbel is vice president of strategic development at Aladdin Knowledge Systems (www.aladdin.com). He can be reached at chen.arbel@aladdin.com.

More by Chen Arbel