This month we dive into authentication. This is an interesting product group for, if nothing else, its diversity. Products going through our labs included tokenless-, token- and cloud-based systems, among others. The debate about token versus tokenless will, I am sure, continue and both have something to offer. That said, let's take a quick look at authentication in general and how one should think about deploying it enterprise-wide.
Probably most important is the debate over the usefulness - or lack thereof - of passwords. Most security professionals decry the use of password authentication as next to worthless. Certainly the events of the past year or so - password thefts at an all-time high... over two million from a single attack by the Pony botnet - seem to support that contention. However, for all of that, we still have, obviously, a lot of passwords floating about. Studies have repeatedly shown that people commit the two cardinal sins of passwords (very weak passwords and reusing passwords) with frustrating frequency. So why do we still use passwords? Simply: cost. It costs a lot to equip the world with hardware tokens or biometrics.
Biometrics, however, are starting to become affordable and such technologies as tokenless multifactor authentication show a lot of promise. That does not mean the death of passwords by any means, though. People - average users - probably will not flock to multifactor authentication any time soon. But, for corporate users, there is less and less reason to stick to password authentication. If one must use passwords for the bulk of users, though, here are some thoughts on when not to.
If system and database administrators are using passwords, shame. These folks have the keys to the kingdom and if their credentials are stolen one has a new threat inside the enterprise! Credential-stealing bots are now so common that they may almost be thought of as old school.
If remote users are using passwords to log in over the organization's VPN, one needs to rethink that authentication method sooner rather than later. A stolen laptop, tablet or other mobile device can expose the organization, especially if the employee relies on saved passwords and reuses the same password elsewhere. A simple, innocuous breach at a site that most people would think of as trivial is not trivial at all if the passwords stolen are reused on more sensitive systems, such as the corporate network.
There are other sensitive users, such as executives, HR managers and others who have direct access to private or regulated data. These users carry it on their laptops and access it remotely. The laptops should be encrypted and every place that contains the data in question should require multifactor authentication to access it.
With all of this in mind, let's look at how one makes the apparently tough decision to move off of passwords and on to multifactor authentication. The big cost today, in the organizational environment, is not - as is evident from this month's reviews - the devices or the server. These are relatively inexpensive and there are several options that are quite thrifty indeed. The cost is in administration. So, one's first step is to determine who gets multifactor authentication and who doesn't. Consider what the authentication is to be used for. Are you concerned with systems, networks, applications or something else? Often the thing to be secured dictates the limitations placed on authentication methods.
Once one has determined what needs to be secured and what it will take to secure it, one needs to consider deployment and ongoing administration. Does the enterprise have such geographically wide-ranging requirements that some sort of self-provisioning makes sense? How do you handle day-to-day user management, device management (if there are any devices) and other ongoing tasks?
Now, you may find that there are some attitude adjustments necessary for users who believe that the token or other device is too difficult to use. Be very careful about this because if users think that the security measures are too draconian they will bypass them. So datasets, for example, that require "difficult," token-based authentication will find their way into Excel spreadsheets on unprotected laptops and tablets. Training, awareness and a bit of high-touch personal coaching can go a long way to help this. The difficulty is usually perceived rather than actual.
But there are occasions where some kinds of token authentication can be quite trying. Often, these stem from some sort of disability that makes using an authentication device difficult, uncomfortable or frustrating. Select your authentication method carefully if you have employees who might be affected.
Generally speaking, then, there are good reasons to move to multifactor authentication for some, if not all, of your employees. There are lots of important considerations and decision factors, cost often being the least of them. You have lots of choices and some of the best are represented in this month's group. So, on with the show!