This month we look at authentication. Most years we begin this review section with a basic chat about the access control process. This year, let's have a look at how that process has changed. The big news is price and ease of use. While there still are a few pricey solutions to the authentication challenge, the trend - absolutely - is to make it fiscally practical to move from passwords to strong authentication.
Authentication is one component of the access control process, which consists of identification, authentication and authorization. More and more organizations are realizing that access to sensitive systems is far too easy. The cry to "encrypt everything" has met with resistance, both because of cost and because of the weakness of encryption as a confidentiality solution on its own. If you can compromise the admin account, you can get in, and the encryption is pretty useless in that situation. That, of course, is not an admonition to scrap encryption entirely. It does have its place. But wholesale encryption of entire hard disks probably - by itself - won't solve the confidentiality issue.
So, we're back to the real gatekeeper: strong authentication. Today, as always, that probably means multifactor authentication in most cases. Traditionally, multifactor has been expensive. And, as you will see, there still are some pricey products. Those, however, need to be taken in context with how many users they are intended to support. Looked at that way, the price starts looking much more reasonable. A price of one to 10 dollars per user makes strong authentication well within the reach of most organizations.
The other issue that has pushed strong authentication out of the reach of many organizations is ease of use. While it probably is reasonable to expect system administrators to have the technical chops to use just about any authentication tool, it is not as reasonable to expect that of the average business user. And why should it be? The average business user should treat computing as a tool to get his or her job done, not as an end in itself. Such things as email encryption and data classification - very cumbersome at one time - are now almost automatic. Strong authentication should be as well. And, as we saw this year, many vendors of strong authentication have addressed that.
So, where does strong authentication fit in the confidentiality scheme of most organizations? It depends on when you ask. In years past, the answer was "for high risk accounts." That meant that the system administrators or any other person who had access to sensitive data got the hardware tokens. Hardware tokens as multifactor devices are very good but, in the past, they also were very expensive. As well, there were no other - perhaps, more imaginative - solutions to the strong authentication problem, so the sys admins got the tokens and everyone else made do with passwords.
Today, though, that is not necessarily the best solution. Certainly you might want to keep the hardware tokens for the high-risk accounts - although they are nowhere near as expensive as they once were - but there are other schemes that are cheap and will work for the average user. Also, mixing products is viable, and integration into existing systems is pretty simple. This is a sea change from the past. Part of why this is possible - and practical - is the pervasive use of cloud computing. Putting the heavy lifting on a big server farm readily accessible from the internet makes a lot of sense. It also brings the economy of scale that puts the cost of the service well within the reach of most organizations.
Given these changes, how do you build out a strong replacement for passwords? Carefully! First, evaluate, evaluate and then evaluate some more. When you get down to a couple of products that you like, run a small pilot. Most vendors will gladly help you do that.
Consider how you are going to use the product(s). Consider how they integrate with such things as encryption. If everyone is using some form of strong authentication, pervasive encryption starts to look quite practical and effective.
Now, look at deployment. If you are a big organization spread all over the country or the world, you might want to consider something that can be self-deployed by your users. Self-service systems are becoming much more common, especially for cloud-based vendors, and that could ease your support pains significantly.
The bottom line is that it now is feasible for organizations of just about any size to support everyone in the organization with strong authentication. It is cost-effective and easy to use in most cases. As the old TV commercial said, "Try it...you'll like it!"