Organizations today are an increasingly complex IT environment. Besides maintaining the supporting IT infrastructure they face new challenges, such as the Cloud and incorporating hybrid solutions. Add in the security issues of home working and contractor access and it is clear why the ‘password problem’ is pretty difficult to solve. Rik Peters investigates in this fascinating blog.
Our last blog discussed why passwords are not enough to preserve data and system integrity.
If you need further proof, check out this list of the most popular passwords of last year. You can probably guess that ‘123456’ and ‘password’ figure pretty high up the list – first and second respectively – but there are plenty of blatantly obvious and equally hackable alternatives.
The list for 2014 and 2013 has exactly the same suggestions in identical positions. Clearly organizations cannot rely on their people to maintain IT security. So – what are the alternatives? This blog attempts to establish the best authentication method.
The key word is ‘attempts’. In an ideal world, I would just give you the definitive answer. Everyone’s data would be safe, the hackers would be foiled and everything would be rosy. But life isn’t like that and there really is no such thing as “the best authentication method”. Certainly not as a catch-all solution that works for everyone.
The right authentication method differs for each use case, organization, user and even geographical location. To illustrate the problem of trying to apply a general rule to a diverse spread of user scenarios, I have created some generic use cases and offer some insight in what kind of authentication method would fit. But before we get to the hypothetical, let’s look at the reality.
Organizations today are an increasingly complex IT environment. Besides maintaining the supporting IT infrastructure they face new challenges, such as the Cloud and incorporating hybrid solutions. Add in the security issues of home working and contractor access and it is clear why the ‘password problem’ is pretty difficult to solve. Many authentication solutions only solve a specific part of the puzzle, as these scenarios illustrate.
- We use remote access solutions like RSA and Vasco for remote access. We authenticate using hard or soft tokens to access the corporate VPN environment.
- We are using on-premise solutions, including HID Smartcards or DigitalPersona biometrics to solve the password problem for employees.
- We use Cloud solutions such as DUO and Symantec to help solve the federated authentication issue for protecting Cloud-based applications, including Salesforce and MS Office 365. These tend to use SMS or phone based authentication methods.
For some users it is perfectly normal to carry different tokens for their Cloud applications and VPN access and a smartcard for their corporate desktops – and to need strong authentication in three different systems.
Multiple passwords, more problems
These organizations can all maintain multiple solutions to solve the same password problem. This means a lot of work, cost and frustration for administrators and users alike; users need multiple authentication devices for the various environments while admins must maintain users in different systems.
So, back to our original question. What authentication fits best in which situation? Let’s try to define some use cases and match them with the three different authentication solutions.
- Remote access
- Desktop access
- Cloud access
So what authentication methods provide the best fit? Let’s start with the first.
Users of corporate or home workstations need access to the company VPN. The best authentication method would not require software to be installed on the host workstation or connected to the workstation. So this would be a smartphone, tokens or email model.
Authentication through a controlled environment on a company workstation. The organization controls what software runs on the devices and specifies the use of specific hardware, typically cards, biometrics, smartphones and hardtokens. Organizations with a BYOD policy typically share the same authentication practices as those using remote access.
Users tend to work on any device when accessing Cloud-based applications. These can be desktop, laptop, tablet or smartphone. Authentication methods requiring drivers or pre-installed software are a no-go here. Smartphones, tokens or email are fine.
So, while authentication methods vary between use cases, they are very alike for remote and Cloud-based access. Why are these methods not used in desktop access? Simply ease of use. Users find typing in an extra One-Time-Password every time they unlock their desktop too time-consuming. A fingerprint or smartcard is easier and faster.
Multiple challenges, single solution
So we need different software solutions for each use case, right? Not any more. The Micro Focus Advanced Authentication solution supports authentication methods for every use case. Users register their authentication devices through a single enrolment portal and administrators manage all the users and methods in a single admin interface. Certain groups, such as administrative users, should and can use stronger authentication than others.
So a multi-level problem really can have one solution. Clearly, IT environments are only going to become more complex and none of us know what the next innovation will bring. What is clear, though, is that any organization hiding their sensitive business data behind QWERTY may not be around to see it.