Identity and authentication management faces fresh challenges in today's complex IT environment, reports Jim Romeo.
A state government recently discovered a rather embarrassing security vulnerability: Using their normal work login, employees of the Parks and Recreation Department were able to access the state's probation records. This otherwise confidential and sensitive information was now open to workers who had no business viewing it.
“Clearly something was misaligned,” says Geoff Webb, a marketing manager with the Texas-based IT firm Credant Technologies. He believes that a form of identity management could have prevented the breach.
A sound approach to identification and authentication is an elementary building block of security policy within almost any organization. Webb's concerns are shared by many, and the discipline is growing as the configuration of IT platforms, devices and equipment used in today's dispersed computing environments challenges those charged with the task of identity management.
“The tools and techniques have greatly improved,” says Kelly Bissell, a principal in the security and privacy practice of Deloitte & Touche in Atlanta. “The IAM [identity and access management] tools are much easier, but that is not the challenge. Authentication and identity tools are really highlighting the real difficult issue: Companies who own multiple heterogeneous legacy platforms, such as multiple flavors of Unix, mainframe or VAX. This causes the deployment of authentication and identity tools that are complex and costly to support.”
In fact, today's computing environment is more complex than it was even a few years ago, he says. The number of devices, the types of access required and the scope of people – both internal and the partners who need identity and authentication management – have grown significantly and rapidly. Concurrently, enterprises have struggled to roll out broad identity and access management projects, leaving them with a mishmash of technologies, not to mention users struggling with multiple logins and passwords and misaligned access privileges. It is a lot of work for IT help desks, Bissell says.
There are no easy solutions, Webb adds. “In many ways, as we look at the growth of mobile and, potentially, cloud computing, the problem is accelerating away from the IT department's capacity to solve it.”
Others agree. “The top concern regarding identification and authentication is the reliance on the antiquated user ID and password scheme,” says Mike Meikle, a consultant with the Richmond, Va.-based Hawkthorne Group, which provides consulting services to the health care industry.
“Savvy social engineering techniques can gather user identities, and passwords can be readily cracked due to the difficulty of enforcing proper password protocol,” he says. Also, due to the increase in computing power, most passwords can be compromised via brute force.
“The largest concern in deploying and supporting IAM solutions is dealing with complex and heterogeneous systems,” says Deloitte's Bissell.
He points out that aside from the complexity of IT infrastructure, user behavior is adding fuel to the fire. “In addition, the increasing compliance regulations and improved internal and external attacks are creating a perfect storm in making the IT manager's job more difficult,” he says.