Stronger Passwords Weighing In

One of the daily frustrations for employees is password management, and in particular working out what the IT security staff mean by a "strong" password. A recent CNN.com article stressed the importance of "super passwords" and suggested that every password should be at least 12 characters long. If standards like this become the norm, driven by the range of attacks now being performed against passwords, then passwords will become harder for users to choose and remember.

A simple Password Strength Meter gives employees immediate visual feedback on whether a candidate password meets policy and steers them away from weak choices. It also makes it practical to enforce different password strengths for different levels of required data protection. The meter is feedback, not enforcement: the same policy check must run on the server when the password is submitted, since anything that runs in the browser can be bypassed.

With the Password Strength Meter provided by PortalGuard the user gets a real-time response to each character of the new password: as each character is typed, the meter shows whether the password is getting weaker or stronger. Administrators can enable it on every login page or only on the pages protecting critical data. The idea is that a strength meter helps users choose stronger passwords while keeping passwords usable.
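As an added example (not PortalGuard's meter, whose scoring the post does not describe), the following JavaScript shows what a meter can compute on each keystroke and why length alone is not enough: a crude entropy estimate that discounts repeated characters and ascending or descending runs and collapses anything on a common-password list, plus the policy check that the server repeats on submit. The POLICY values and the short COMMON_PASSWORDS list are assumptions for illustration.

```javascript
// Added example, not PortalGuard's own meter: a strength estimator a login page
// can call on every keystroke, plus the policy check the server must repeat on
// submit. POLICY and COMMON_PASSWORDS are assumptions for illustration.

const COMMON_PASSWORDS = new Set([
  'password', 'password1', '123456', '12345678', '123456789', 'qwerty',
  'letmein', 'welcome', 'admin', 'iloveyou', 'football', 'monkey', 'dragon',
]);

// Assumed policy: the 12-character minimum from the CNN article, two character
// classes, and nothing on the common-password list.
const POLICY = { minLength: 12, minClasses: 2 };

function charClasses(pw) {
  return {
    lower: /[a-z]/.test(pw),
    upper: /[A-Z]/.test(pw),
    digit: /[0-9]/.test(pw),
    symbol: /[^A-Za-z0-9]/.test(pw),
  };
}

function poolSize(c) {
  return (c.lower ? 26 : 0) + (c.upper ? 26 : 0) + (c.digit ? 10 : 0) + (c.symbol ? 33 : 0);
}

// Catches 'Password1!' as well as 'password1': compare case-folded and with symbols stripped.
function isCommon(pw) {
  const stripped = pw.toLowerCase().replace(/[^a-z0-9]/g, '');
  return COMMON_PASSWORDS.has(pw.toLowerCase()) || COMMON_PASSWORDS.has(stripped);
}

// Rough entropy estimate in bits: log2(pool) per character, minus most of the
// credit for a repeated character and half of it for a +1/-1 run, with a hard
// cap for anything on the common list however long it is.
function estimateBits(pw) {
  if (pw.length === 0) return 0;
  const perChar = Math.log2(poolSize(charClasses(pw)));
  let repeats = 0, sequences = 0;
  for (let i = 1; i < pw.length; i++) {
    const d = pw.charCodeAt(i) - pw.charCodeAt(i - 1);
    if (d === 0) repeats++;
    else if (d === 1 || d === -1) sequences++;
  }
  let bits = pw.length * perChar - repeats * perChar * 0.9 - sequences * perChar * 0.5;
  if (isCommon(pw)) bits = Math.min(bits, 10);
  return Math.max(0, Math.round(bits));
}

function strengthLabel(bits) {
  if (bits < 28) return 'very weak';
  if (bits < 40) return 'weak';
  if (bits < 60) return 'reasonable';
  if (bits < 80) return 'strong';
  return 'very strong';
}

// What the meter renders after each keystroke. The same function runs on the
// server against the submitted password; the browser result is advice only.
function evaluatePassword(pw, policy = POLICY) {
  const classes = Object.values(charClasses(pw)).filter(Boolean).length;
  const bits = estimateBits(pw);
  const violations = [];
  if (pw.length < policy.minLength) violations.push(`at least ${policy.minLength} characters`);
  if (classes < policy.minClasses) violations.push(`at least ${policy.minClasses} character classes`);
  if (isCommon(pw)) violations.push('not on the common-password list');
  return { bits, label: strengthLabel(bits), classes, compliant: violations.length === 0, violations };
}

// Keystroke-by-keystroke view of a password being typed, as the meter would show it.
function meterTrace(pw) {
  const rows = [];
  for (let i = 1; i <= pw.length; i++) {
    const r = evaluatePassword(pw.slice(0, i));
    rows.push({ typed: i, bits: r.bits, label: r.label, compliant: r.compliant });
  }
  return rows;
}

// Constructed sample inputs: the 12-character 'aaaaaaaaaaaa' meets the length
// rule yet scores about as low as 'password'; the passphrase scores highest.
for (const pw of ['password', 'Password1!', 'aaaaaaaaaaaa', 'Tr0ub4dor&3', 'correct horse battery staple']) {
  console.log(JSON.stringify({ pw, ...evaluatePassword(pw) }));
}
```

The deductions are deliberately simple; a production meter would also check the user's own name, the company name and previous passwords, but the structure (score for display, policy for enforcement, both run again on the server) is the part that matters.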

CNN.com Super Passwords Article

What is Absolutely Necessary?

What is absolutely necessary? In authentication this question needs to be asked often. Because the trade-offs between usability and security are severe, it is important to understand your users and which levels of critical data each of them can access.

An end-user's experience often suffers because they are required to follow authentication policies that are stronger than the data they are accessing warrants. Making users jump through extra hoops to reach routine data slows productivity.

So the answer to the question is NOT a "one size fits all" approach. Ideally you want a solution that takes the sensitivity of the underlying data into account: an authentication system intelligent enough to require only what is necessary from the user and the environment for the level of protection the data needs, balancing usability, security, auditing and compliance.

Achieving this means treating authentication as defense in depth, matched to the data. At the lowest level of protection you might require only a username and password. At the next level an additional check is added, such as the personal watermark used in online banking: a user-chosen image shown before the password prompt. Note that a watermark authenticates the site to the user (it helps the user spot a phishing page), not the user to the site, so it complements the password rather than adding a second factor. At the highest levels the strongest practices can be applied, such as out-of-band authentication, where the user receives a one-time password on their mobile device and enters it along with their login credentials. This is an affordable way to implement best practices, because the costliest steps are applied only where the data justifies them.

Overall, keep not only your end-users in mind but also the data they are accessing. Applying the same authentication to every level of data protection can easily lower both usability and security; a closer fit avoids both problems.

Data Protection is Now the Top IT Security Concern

February 24, 2009
Filed under: Data Security

Today brought news of further breaches in Visa and MasterCard credit card processing systems. Desperate times generate desperate acts, and there has been a sharp rise in data and identity theft by those exploiting any available opportunity for personal or financial gain.

At a time when companies have enough on their minds with respect to the economy’s impact on business, IT security concerns continue unabated and are one more threat to financial security. An article in January on SearchCIO-Midmarket.com reported that small-to-medium businesses are not only spending more of their IT budgets on security, but they are focusing more on data protection. That’s certainly good news for those who put their faith in organizations that possess their critical financial data!

The article’s information comes from a research report from Forrester entitled, “The State of SMB IT Security: 2008 to 2009.” In the report, Jonathan Penn, Forrester vice president and the report’s author, shares the interesting detail from his study that SMB IT security strategy now more closely reflects that of large enterprises.

With protection of their data assets being the highest priority, both SMBs and enterprise companies are advised to consider several different types of solutions, such as intrusion detection and vulnerability assessment, but also remember that internal data protection is just as critical. This is where access and identity management, as well as authentication solutions, come into play. Penn affirms that data assets must be protected from insiders as well as external intruders, and points out that both authorized and unauthorized users may use information inappropriately. Therefore, a system that controls access, verifies the identity of users and monitors user behavior is indispensable for organizations that want optimal protection for their business and customer data, and especially for those organizations that also must be compliant with SOX, HIPAA and Payment Card Industry regulations.

As this article conveys, companies of all sizes are increasing their awareness that security is a business issue and that not being strategic and proactive about security is a tremendous business risk.