In the news: Authentication a chief priority, top issue

It’s nice to receive validation of what you do, and we’ve had the pleasure of actually seeing it in print several times in the past several weeks. People in the industry, from security pros responding to surveys to an industry influencer, have spoken out on authentication.

First, to cheer up everyone who’s thinking pessimistically about prospects for the economy, there’s the survey of security pros in the financial services industry (most hard hit by the recession, remember?) which found that almost 50% report improved funding for security projects in the next six months. The big(ger) news is that the respondents ranked authentication, encryption and network access control as “high priorities.” The study was conducted by SearchFinancialSecurity.com and reported in “Financial security pros expect improved funding in second half of 2009.”

In a recent tech industry talk about what the Internet still needs to make it complete, Vinton Cerf, the chief Internet evangelist at Google and co-designer of the TCP/IP protocols that are the foundation of the Internet, stated that one of the Internet’s most critical needs is authentication. He said that anyone doing business involving the Internet (and who isn’t?) should be “deeply concerned” with incorporating authentication. One of the many articles on Cerf’s talk, “The Internet is incomplete…”, can be found on Computerworld.com.

Yet another survey, this one by another company in the space, revealed that the adoption of strong authentication is growing. Among its findings: strong authentication and single sign-on (SSO) are “driving organizational cost efficiencies, security and employee productivity” and strong authentication is “no longer being used exclusively for remote access.” More info as well as access to the full survey report can be found in the article, “National Strong Authentication Survey Shows Uptick in Adoption and Growing Synergy with Single Sign-on Solutions” in the Cloud Computing Journal.

We’ll let you know about other news reports on authentication as we find them!

Security Focus Starts Inside

It is insiders (i.e. your company’s employees), not outside hackers, that represent the greatest threat to your information assets. Their unauthorized access to supposedly protected data can, surprisingly, be accidental as much as it can be intentional. This reveals that most organizations have not taken sufficient measures to prevent insider access and attacks, or to ensure that internal security, particularly access control, is adequately addressed.

Strengthening authentication and making passwords stronger should be paramount when implementing an authentication, password management or identity management system. However, security is often secondary to usability among the project’s goals. The focus of password management is on improving the user experience and reducing the number of passwords as well as centralizing passwords to ease the IT staff’s burden of managing multiple, disparate accounts. But, by placing less emphasis on the security aspects of authentication, organizations place their assets at risk. Yes, productivity is improved for end-users and IT staffers to the point of achieving a respectable ROI. Nevertheless, with the rise in data theft, particularly during the economic downturn, if even the most robust authentication solution has inadequate security features, it cannot deliver enough ROI to cover the potential cost of a successful hacking event.

Companies can easily and cost-effectively strengthen authentication and passwords while protecting access to sensitive data. Here are some possible approaches:

  • Incorporate password security functionality such as password strength validation, password expiration intervals, password frequency limits, and strike-out limits by person, group and hierarchy.
  • Integrate the Kerberos authentication protocol with Active Directory authentication to mutually authenticate the user and the server they are attempting to access, without transmitting passwords.
  • Require users to respond to a set of pre-configured challenge questions, as well as enter their username and password. Multiple challenge question/response functionality is easy to set up and allows quick access.
  • Implement real-time monitoring and alert functionality to gain visibility into user login activity.
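
The strike-out limits “by person, group and hierarchy” and the login monitoring and alerting listed above can be shown together. This is an added example, not PistolStar’s code: the policy tables, user names, the person-over-group-over-organization precedence and the sliding failure window are assumptions, and the login events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical policy tables (constructed). Assumed precedence: the most
# specific scope wins, i.e. person > group > organization default.
ORG_DEFAULT = {"strike_limit": 5, "window_min": 15}
GROUP_POLICY = {"finance": {"strike_limit": 3}}
PERSON_POLICY = {"dba_admin": {"strike_limit": 2, "window_min": 30}}
USER_GROUP = {"alice": "finance", "dba_admin": "it", "bob": "sales"}

def effective_policy(user):
    """Layer group and person overrides on top of the organization default."""
    policy = dict(ORG_DEFAULT)
    policy.update(GROUP_POLICY.get(USER_GROUP.get(user), {}))
    policy.update(PERSON_POLICY.get(user, {}))
    return policy

def monitor(events):
    """Replay (iso_time, user, 'OK'|'FAIL') events in order; return alerts."""
    failures, locked, alerts = defaultdict(list), set(), []
    for ts, user, outcome in events:
        when = datetime.fromisoformat(ts)
        if user in locked:
            # Even a correct password must not work on a locked account.
            alerts.append((ts, user, "attempt_while_locked"))
            continue
        if outcome == "OK":
            failures[user].clear()  # a successful login resets the strikes
            continue
        policy = effective_policy(user)
        cutoff = when - timedelta(minutes=policy["window_min"])
        # Keep only failures inside the sliding window, then add this one.
        failures[user] = [t for t in failures[user] if t > cutoff] + [when]
        if len(failures[user]) >= policy["strike_limit"]:
            locked.add(user)
            alerts.append((ts, user, "locked_out"))
    return alerts

# Constructed login events, oldest first.
SAMPLE_EVENTS = [
    ("2009-07-01T09:00:00", "alice", "FAIL"),
    ("2009-07-01T09:01:00", "alice", "FAIL"),
    ("2009-07-01T09:02:00", "bob", "FAIL"),
    ("2009-07-01T09:03:00", "alice", "FAIL"),      # 3rd strike, finance limit
    ("2009-07-01T09:04:00", "alice", "OK"),        # rejected: already locked
    ("2009-07-01T09:05:00", "bob", "OK"),
    ("2009-07-01T09:10:00", "dba_admin", "FAIL"),
    ("2009-07-01T09:45:00", "dba_admin", "FAIL"),  # 09:10 aged out of window
    ("2009-07-01T09:50:00", "dba_admin", "FAIL"),  # 2nd strike inside 30 min
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_EVENTS):
        print(alert)
```

The alert list is what a monitoring console or mail notifier would consume; the lockout here lasts for the whole replay because no unlock or reset step is modelled.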

Benefits can include:

  • Ensuring passwords and access-related features meet compliance requirements
  • Enabling secure access to applications and databases
  • Enforcing password policies
  • Achieving greater oversight of user login and authentication behavior
  • Increasing the overall efficiency of authentication and password management
  • Maintaining security overall

For more ideas, as well as to learn more about the above, contact Mark Cochran, a PistolStar authentication expert.

Need a Good Reason to Upgrade Your Authentication System? (We've got 10)

When you have at least one really good reason to do something, you think “Why not?” When you have more than one reason, well then you’re convinced to do it. When it comes to upgrading your authentication system, you may only need one reason to make it happen (e.g. security, usability, etc.), but we can give you 10 really really good ones. (To be clear, 10 is the number of reasons we decided to put together because “top ten” always sounds like a nice round number, but we can give you more reasons if you like.)

Below is our list of 10 (the “top” 10) reasons for implementing a new authentication solution. We’re sure you’ll identify with at least one of them. In fact, if you do, please tell us about it!

Top Ten Reasons for Implementing a New Authentication Solution: What are Yours?

  1. Users have too many passwords and are jotting them on notes left in insecure areas
  2. The IT staff is overburdened with calls to the Help Desk regarding forgotten passwords
  3. The IT staff’s added responsibility of performing password recovery and resets for users is time-consuming, drains resources that should be devoted to more critical tasks, creates added downtime for users while they wait for the recovery/reset and overall diminishes productivity
  4. There are numerous password policies in effect that need to be synchronized
  5. The costs for password management with your current solution are becoming prohibitive
  6. You need greater control over what applications and areas of the network specific users and groups can access
  7. Your organization possesses high-risk systems, applications and information that require more robust and secure authentication
  8. Your organization is required to meet the security requirements of government and industry regulations such as Sarbanes-Oxley, HIPAA, GLB, etc.
  9. You need to implement authentication methods that your users will trust and in which they will have confidence
  10. You need an authentication system that will enhance usability and ease access for your users