Still using that tired and worn out password to log onto your PC? Is your mother’s maiden name still the main prompt you use to log on and check your credit card statement? Worried that the PIN number you use to access your online banking is the same PIN you’ve given the children to access the Sky Digibox? You should be. The fact is that as individuals, we are not doing enough to guarantee user authentication. And if you think that’s bad, the situation in organisations is even worse.
Most organizations—from multinational corporates to small businesses—still exclusively rely on the user name and password as a mechanism to control the way employees, contractors, partners and customers gain access to corporate information assets. The result being that these organisations are exposing themselves to cyber terrorism, which includes everyone from the most malevolent terrorist to the basement hacker. Their aim: to sit on your doorstep and undermine and destroy the fabric of your organisation.
Threats against passwords are increasing as they are perceived as the more vulnerable security aspect of IT infrastructures and are therefore inadequate in securing an IT system.
So why isn’t more being done to overcome the cyber terrorism threat? After all, following the terrorist attacks in New York and London, Governments are being especially diligent in its duties to combat everyday terrorist threats—so why isn’t business doing more?
One of the main reasons we are in this maelstrom is that—until now—technology has been a barrier to cost-effective and practical user authentication. Solutions in the market today are both prohibitively expensive and take too long to deploy and manage. The second reason is complacency. Many organisations do not perceive there to be a real threat. Corporate governance regulations, such as Sarbanes-Oxley, are starting to have an impact, but there remains a lack of urgency.
Some organizations have taken the matter into their own hands and simply made passwords longer, or require employees to change them more frequently. This is not a good idea as the employee will just forget the password or write the password down, therefore compromising security in a different way,
Almost 90 percent of organizations today still rely on user name and password for user authentication. The result is that they have very little control over who has access to their systems, the degree of access people have, and who gives the approval for that access. A few organisations have reached the second phase of user authentication: they know who’s coming in and what they are accessing, because the organisation has controls over authentication. But, it’s a reactive policy. They can only report on what the intruder or innocent user has seen. Nothing more, nothing less.
Centralised, Best Practice Identity Management
So what is the solution? To effectively combat the very real threat of cyber terrorism in the business community, each and every organization needs to adopt a centralised, best practice approach to the way identities and access privileges are managed. In other words, the proactive, real-time monitoring of every aspect of user authentication. It represents good governance. For example, when a new finance employee joins the organisation, they should be denied access privileges to both the creation and payment of invoices. There should be an enforcement policy in place which means they need to seek approval prior to this privilege being accepted.
There are a number of steps to consider (on the assumption complacency has been put to one side!). First of all, the CIO or other senior executive in the organisation must ask themselves some very straightforward questions: who are our users? What do they have access to? Who approves this access? And what do they do with their access right? If they have all the answers to these questions, they’re in great shape—and one of the few organisations that can claim to be totally secure.
If, on the other hand, there are more questions than answers to these questions—the senior executive must urgently be tasked with implementing a best practice identity and access management strategy. This can be achieved in three stages. First, to standardise administration of users, authoritative sources of identity information are identified and connected to the access management, user management and provisioning processes. In stage two, policy-based automation of approval processes and user self-service for requesting password changes, access privileges, and directory information updates enhance the user experience and enforce security policy. And, in stage three, monitoring actual user behaviour in the context of security policy and business controls is efficient and consistent when based on a set of automated, integrated identity management processes.
The fundamental fact remains that the risk of passwords being compromised is becoming greater and greater, because it’s becoming easier to download tools that will crack them. And industry is not doing enough to tackle the issue. The centralised management of identities and access privileges enables the policy-based management of enterprise identities and their corresponding access privileges, and it strengthens the organisation’s ability to establish, monitor, and validate access policies. Start now—before it’s too late.