Digital data and communications have become an inseparable part of people's
lives, and they hold enormous value for organizations. Additionally, enterprises
expect employees to stay connected and work outside the office, making a mobile
workforce more and more common. Thus, the need for data protection has taken
the spotlight.
Organizations are turning to identity and access management solutions -- which
increasingly include strong authentication as a vital element -- to establish
secure and trusted digital environments. Numerous forces are driving organizations
to implement strong authentication solutions, such as:
Enablement of secure high-value transactions and provision of secure access
to important information, to increase productivity and business
Compliance with regulations
Defense against attackers who exploit weak authentication for identity theft
and fraudulent transactions
Reduction of costs derived from password management and lost passwords
Attraction of an increasing number of security-conscious consumers
IT executives are increasingly looking for holistic strong authentication solutions,
rather than combining multiple systems. Holistic solutions can offer a mix of
authentication devices for flexibility and cost savings, a broad range of supported
security solutions to meet current and future needs, management tools for cost-effective
deployment and life-cycle management of the full solution, and the capability
to integrate with existing IT infrastructures and security policies.
Alongside this growing demand for advanced strong authentication solutions,
more comprehensive and integrated product offerings are appearing that support
present and emerging requirements, improve ease-of-use for both users and administrators,
and provide significant ROI.
The demands of consumers as well as compliance pressures bring organizations
to search for new ways to strengthen their internal controls, authentication
methods, and identity management practices. The message is clear: action is
needed to stay ahead in the fast-changing, security-conscious market.
Passwords are no longer adequate
Upon their introduction in the early 1960s, passwords were regarded as cheap,
easy to use, and secure. Forty years and many technological developments later,
is there any reason to believe these claims still hold?
Difficult to use and remember, passwords are also expensive to manage and are
not at all secure. Studies reveal that users today have on average approximately
15 password-protected accounts. One password may be easy to remember, but handling
many passwords is a time-consuming task and a security hazard. It has become
evident and widely accepted that passwords are not a reliable method for authenticating
users. To achieve the benefits of information security and overcome the inherent
weakness of passwords, organizations are turning to stronger authentication
solutions.
The Bottom Line: Strong Authentication is Key
For those wishing to enable more business, reduce security vulnerabilities, comply
with regulations mandating data privacy and protection, save costs, and attract
security-conscious customers, a strong and robust authentication system can
lead the way to achieving business goals.
Accelerate Business - By implementing strong authentication solutions,
organizations can allow legitimate users to access sensitive data anytime, anywhere.
With the enhanced security, organizations can provide their users with tools
and abilities that are otherwise risky or not practical. For example, hospitals
can enable their patients to securely access personal medical records online,
businesses can enable their executives to access confidential business data
from the corporate network while traveling, and university professors can allow
their students to securely submit examinations and view their grades electronically.
Reach Compliance - A growing number of rules and regulations hold organizations
responsible for the integrity of their business data and for the protection
of personal information that has been entrusted to them. To comply, organizations
need to ensure that individuals who access their network, applications, and
portable devices are indeed who they claim to be. Therefore, strong authentication
constitutes a basis for compliance with many of these regulations.
The Federal Financial Institutions Examination Council's (FFIEC) Authentication
Guidance considers "single-factor authentication, as the only control mechanism,
to be inadequate for high-risk transactions involving access to customer information
or the movement of funds to other parties. Account fraud and identity theft
are frequently the result of single-factor (e.g., ID/password) authentication
exploitation." Another instance is the Health Insurance Portability and
Accountability Act (HIPAA), which requires healthcare-related organizations to securely
authenticate individuals before granting them access to sensitive patient data.
The above requirements are just two examples from an ever-growing list of regulations,
including the Sarbanes-Oxley Act, the Electronic Signatures in Global and National
Commerce Act, Basel II, Food and Drug Administration (FDA) 21 CFR Part 11, and
more, that require organizations to protect their data and meet IT security
standards. Strong authentication supports compliance by enabling secure user
access and providing a proven and attestable method for protecting internal
data and networks.
Boost Productivity - Providing users with widespread access to necessary
business data and applications in the office, at home, or on the road, improves
communication among employees, shortens the response times to clients and customers,
and in short, increases productivity. Strong authentication solutions provide
the needed security for organizations to give their users such access.
Correctly implemented strong authentication solutions also increase productivity
by significantly reducing the time spent on password administration and maintenance
by both users and help desk personnel.
Reduce Costs, Enhance ROI - Strong authentication enables organizations
to provide increased connectivity and secure access to digital data and applications.
By offering additional services online, organizations can enhance efficiency
and thereby save significant costs in their ongoing business activities.
Organizations can reduce the ongoing costs associated with password administration
when implementing strong authentication with single sign-on capabilities, as
users need not handle multiple passwords. Strengthening security also saves
organizations significant costs by preventing potential security breaches. These
include misuse of data and networks by insiders, lost data from stolen laptops,
and other security attacks that affect many organizations today. With strong
authentication, it is possible to block unauthorized access and to hold authorized
individuals accountable for their usage of the organization's digital resources,
thereby reducing errors or deliberate harmful behavior.
Typically, different strong authentication offerings provide various levels
of solution support. The broader the range of security solutions enabled --
such as secure network access, single sign-on, PC security, and secure data
transactions -- the greater the return on investment (ROI).
Attract Customers - The dramatic increase in fraud and online identity
theft has led consumers to demand better online security. Organizations are
now viewing security not only as a need for compliance, but also as a marketing
differentiator, attracting customers, increasing sales, increasing brand loyalty,
and improving their reputation by positioning themselves as security-minded.
Consumers are dictating to the market that the better product is also the safer
product. Strong authentication provides an effective solution users can easily
understand and adopt.
What's available through strong authentication solutions?
Organizations can ensure that a user is indeed who he or she claims to be.
Strong authentication solutions increase the security of the authentication
process beyond passwords by requiring two or more of the following forms of
authentication:
Something you know - something the user needs to remember, such as a password,
a PIN, or an answer to a personal question
Something you have - something the user needs to physically carry, such
as a token or a card
Something you are - a biometric feature, such as a fingerprint or facial
characteristic
These solutions commonly involve a physical device (e.g. token) used together
with a password to prove the owner's identity. A wide variety of strong authentication
token technologies and form factors are available in the market. The following
are descriptions of the key form factors available today:
Smart Cards - Smart cards are credit card-sized devices that contain
highly secure microprocessor chips dedicated to cryptographic operations. To
authenticate, users must insert their smart cards into a reader and enter
a PIN or password. Smart cards provide highly secure storage of user credentials and
keys; the private key never has to leave the chip. While providing functionality
and security, smart cards lack mobility, because a reader is needed at every
point of use.
Smart Card-Based USB Tokens - Smart card-based USB tokens, which contain
a smart card chip, leverage the advantages of both USB tokens and smart cards
to provide the greatest level of security and versatility, and they enable a
broad range of security solutions and provide all of the benefits of a traditional
smart card and reader, without requiring the separate reader.
One-Time Password (OTP) Tokens - OTP tokens are small handheld devices
that allow authentication using one-time passwords generated by the device, based
on a secret key shared by the device and an authentication server. A user wishing
to authenticate enters the one-time password appearing on the token, and this
value is compared to the value generated by the authentication server from the
same secret. Each code is accepted only once, so a captured code cannot be
replayed. Because the server holds a copy of every token's secret, the server-side
seed store is itself a high-value target and must be protected accordingly.
Hybrid Tokens - Hybrid tokens provide multiple types of functionality,
which increases flexibility. Hybrid USB and OTP tokens allow full USB-based
strong authentication and security solutions, as well as OTP-based strong authentication
in detached mode when needed.
Software Tokens - Software tokens enable strong authentication without
a dedicated physical device. These tokens are software programs that can be
stored on a user's computer, or on mobile devices such as a cellular phone or
PDA. Based on a secret key, the token generates a one-time password that is
displayed on the computer or mobile device. Note that a software token running
on the same machine from which the user logs in offers less assurance than a
separate device, since malware on that machine can reach the secret as well as
the session.
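The OTP exchange described under OTP Tokens and Software Tokens above, as an added example that is not part of the original article and not code from Aladdin's products: both sides hold the same secret, the token emits the next code, and the server recomputes candidate codes and compares. It assumes the HMAC-based OTP algorithm of RFC 4226 (the article does not say which algorithm any particular token uses); the OtpToken and OtpServer classes, the look-ahead window size and the seed value are illustrative choices, and the seed is the RFC 4226 test secret rather than a real provisioning value.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamically truncated to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of `step`-second
    intervals since the Unix epoch, so token and server synchronise on clocks
    instead of on an event counter."""
    return hotp(secret, unix_time // step, digits)


class OtpToken:
    """Device side (illustrative): a copy of the shared secret and an event
    counter that advances every time the user presses the button."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class OtpServer:
    """Server side (illustrative): the same secret, the next counter value it
    expects, and a small look-ahead window to absorb button presses whose
    codes were never submitted."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.expected = 0
        self.look_ahead = look_ahead

    def verify(self, submitted: str) -> bool:
        for c in range(self.expected, self.expected + self.look_ahead):
            # compare_digest keeps the comparison time independent of the match
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                # Advance past the accepted counter so this code cannot be replayed
                self.expected = c + 1
                return True
        return False


def demo() -> dict:
    """Walk through the exchange: a valid code, a replay of that code, a
    resynchronisation after unused presses, and a code beyond the window."""
    seed = b"12345678901234567890"  # constructed seed: the RFC 4226 test secret
    token, server = OtpToken(seed), OtpServer(seed, look_ahead=5)

    first = token.press()
    accepted = server.verify(first)
    replayed = server.verify(first)          # same code again: must be refused

    for _ in range(3):                       # user presses without logging in
        token.press()
    resynced = server.verify(token.press())  # counter 4, still inside the window

    for _ in range(20):                      # drifts far beyond the look-ahead
        token.press()
    too_far = server.verify(token.press())   # counter 25: refused, needs resync

    return {"accepted": accepted, "replayed": replayed,
            "resynced": resynced, "too_far": too_far}


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is the usability-versus-security knob: a wider window tolerates more stray button presses but hands an attacker more valid codes to guess against, which is why production servers also rate-limit failed attempts per user and require an out-of-band resynchronisation once the token has drifted past the window.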
What to look for when evaluating a strong authentication solution
With so many strong authentication offerings available today, it is important
for organizations to carefully evaluate the available solutions before making
a decision on which solution to implement. When investing in a strong authentication
solution, organizations should carefully examine their current and future needs,
and select the solution that best answers those needs. The following are some
questions to consider:
Do I want to protect my internal network from unauthorized access?
Do my users need to connect from remote locations? Do my employees travel
frequently?
Do my users need to access many password-protected applications?
Do I want my users to digitally sign and encrypt sensitive data or transactions?
How sensitive is my business data?
Do I want to firmly protect data that sits on my users' PCs and laptops?
Have I or do I want to implement a secure physical access solution?
How usable, flexible and manageable must the solution be for my organization?
Managers are realizing that security is vital for enabling business, cutting
costs, complying with the applicable regulations, establishing a productive
work environment, and attracting customers. In turn, strong authentication
solutions can typically answer the organization's needs by providing easy-to-use
solutions with numerous benefits to both users and organizations.
About the Author
Chen Arbel is vice president of strategic development at Aladdin Knowledge Systems (www.aladdin.com). He can be reached at chen.arbel@aladdin.com.