Passwords Are Not Enough: Why Enterprises Need Strong Authentication, Too

Tim Matthews, Director for User Authentication, Symantec

Would most people store their valuables in a bank that left the front door unlocked, or deliberately put the keys to the vault where anyone could get them? Probably not - most people would demand cameras, motion sensors and as many other proven security measures as possible to keep their possessions safe.

Alarmingly, many organizations don't apply the same mindset to protecting critical IT systems and data. Many enterprises use only passwords, a decades-old user authentication technology, to grant or deny access. This is even more important with cloud and mobile implementations, whose reliance on third-party resources makes trusted Internet transactions a must.

For years, industry experts have warned that passwords are steadily losing effectiveness as a sole line of defense against cyber security threats that are increasingly designed to exploit password weaknesses. Moreover, in trying to keep up with worsening threats, password technology has become so cumbersome that many employees actively find ways to work around it - undercutting the very security their data needs.

It's a fact: Many enterprises' continued reliance on passwords alone is putting many of their latest IT projects - not to mention their data, business and reputation - at unnecessarily high risk of data breaches.

Fortunately, a powerful technology already exists to supplement passwords: strong, or two-factor, authentication. Strong authentication helps defeat hackers by requiring users to present two simultaneous but independent proofs of identity: something they know (their password) and something they have, such as a one-time security code generated by a strong authentication credential. Together with strong passwords, strong authentication provides proven protection against evolving data security threats.

Administrative Burdens, Security Risks
The explosive growth of IT deployments in recent years has included widespread adoption of cloud and mobile technologies, as well as collaboration tools and Software as a Service (SaaS). This expansion has required employees to access more solutions and toolsets, each of which often needs its own password.

This stampede of new passwords is overwhelming many employees, a December 2010 Forrester Research study discovered. The survey interviewed 306 IT security professionals across several industries and found that:

  • 87 percent of users are expected to remember two or more passwords to access corporate resources
  • 80 percent of organizations ranked passwords as the "top access problem in the enterprise"
  • 60 percent of organizations today are using at least two SaaS applications and 20 percent are using six or more

Many organizations have implemented password length, composition and replacement policies to help improve password security. Unfortunately, many users circumvent password security systems by reusing passwords across multiple systems, including their personal (external) accounts, and by using weak passwords or writing longer passwords down, often on notepads or other papers in open view.

Weak password security presents real security risks, especially for companies using cloud, mobile, collaboration and SaaS technologies. Applying already over-complicated password technologies to cloud, mobile and other modern IT implementations extends password weaknesses throughout IT infrastructure, often beyond the direct control of IT staff. Malicious hackers need millennia to crack strong passwords but can unravel weak ones in hours or days - or seconds if they find the right sticky note.

Widespread acknowledgment of the problems passwords pose hasn't yet translated into adoption of other authentication technologies, including strong authentication. The Forrester survey found that two-thirds of companies (67 percent) do not require strong authentication from their partners to access corporate networks. Moreover, Forrester found that more than half of companies surveyed (54 percent) experienced a data breach in the previous year - a figure that is rising in part due to increased use of cloud and other technologies.

WikiLeaks: A Cautionary Tale
Password weaknesses took center stage in the latest chapter of one of the most notorious data breaches of recent years: WikiLeaks. WikiLeaks - an online whistleblower organization - exposed more than 250,000 sensitive U.S. State Department documents in November 2010.

August 2011 news reports explained how in July 2010, WikiLeaks founder Julian Assange provided the British newspaper The Guardian and other sources with a temporary password to access the uncensored, encrypted data. Assange apparently promised he would change the password after a few hours, but never did. Later, Assange released the same encrypted files on peer-to-peer file sharing sites. He thus created multiple copies of the same sensitive information, all beyond control or recall and all relying on the same password.

Fast forward to February 2011, when two Guardian reporters included what they thought was the expired password in their book on the WikiLeaks breach. The book's publication enabled anyone who had downloaded the previously unreadable data to decrypt its contents. In August 2011, Assange and The Guardian slammed each other in the press about who was responsible for violating confidentiality agreements and endangering secret sources. In response, Assange published all 251,287 unredacted cables in September 2011.

This incident highlights several of the worst practices that come with relying on passwords alone to protect data: People can share passwords, forget to change them and disagree on who's responsible for keeping them secret. The loss of a single password proved to be the Achilles' heel in the WikiLeaks situation, as it would in many organizations if a system administrator's password were compromised.

New Tools Provide New Solutions
As dire as the data breach situation may appear, good news does exist: Cloud and mobile technologies themselves enable the improved security that passwords alone can't provide. Organizations can now verify online identities for customers, employees and partners with strong authentication delivered as a secure, scalable cloud-based service. These new tools offer organizations the flexibility to tailor strong authentication deployments to meet specific business and security needs.

Software for PCs, mobile devices, tokens or key fobs can serve as dramatically cheaper, or even no-cost, credentials that generate one-time passwords. Open standards enable organizations to select the vendors they want when they want, while individual users can pick the form factor that works best for them.

Solutions capitalizing on this cloud-mobile combination typically require no upfront investment in on-premises hardware, software or administrator expertise to implement new capabilities - which can lead to savings of 40 percent or more compared to previous strong authentication solutions. Easy-to-use interfaces don't impede productivity, and they encourage employees to use the system, improving security and security policy compliance.

Building a Trusted Future
Recent advances in cloud-based, mobile-assisted strong authentication solutions will enable many enterprises to follow the Forrester study's recommendation to implement strong authentication throughout their organizations. Seeking to cultivate this opportunity, the federal government in March 2011 launched an ambitious new program: the National Strategy for Trusted Identities in Cyberspace (NSTIC).

NSTIC is the largest-ever effort by the federal government and private sector partners to develop a secure, standards-based and interoperable online "identity ecosystem." Improving online security and privacy through improved and expanded strong authentication are primary goals. In fact, Jeremy Grant, senior executive advisor at the National Program Office for NSTIC, stated in August 2011 that "We're trying to get rid of passwords. It's time for something better."

In the meantime, enterprises can explore better solutions that are already available: strong authentication tools that support a defense-in-depth IT security strategy. These technologies seek to simplify the complexity of user authentication and keep data as it should be - safe and under the right control at all times.

© Copyright 2011 Auerbach Publications