Who are you? Can you prove it?
Findings from the Reg reader study
You've probably heard the stories of employees who are prepared to part with logon and password information for a free café latté, Easter egg or some other form of instant gratification.
It makes for some fun headlines, but highlights the serious point that security of information systems is not just about technology, the human factor is important too, and one of the obvious places in which security meets the user is authentication.
This is an area that has become a very hot topic. A recent Reg reader study sponsored by RSA Security looking at trends in access and authentication, for example, attracted nearly 1,500 respondents.
The study was designed by Freeform Dynamics and revealed that despite advances in authentication technologies, the majority of organisations still rely primarily on user names and passwords for application access. The study also confirms the proliferation of systems requiring secure access, typically tens in small and mid-size organisations and hundreds in larger enterprises.
Added to this, an increasingly mobile and gadget-equipped workforce is expecting unfettered access to key applications from any location, taking advantage of Wi-Fi hotpots, 3G, and the latest broadband HSDPA services recently launched by the likes of from T-Mobile, Orange and Vodafone. The study confirms that the era of the always-on roaming business user is now very much a reality.
Looking beyond the workforce, access to business applications is increasingly extending backwards to materials suppliers and onwards to downstream customers through web portals and VPNs. As a result of this, two thirds of large and mid-size organisations are already allowing some form of access to their systems by third parties. Evolution here will be further driven by the concept of Service Oriented Architecture (SOA), which allows separate systems to be linked together much more easily using standard service and data interfaces.
Put these trends together and you have more users from more organisations connecting to more applications that exchange data in more sophisticated ways.
The strains on the human side of the business are clear. Internal and external users are often left to cope with the proliferation of authentication methods themselves, while network managers have to struggle with new forms of vulnerability that arise with each new application and method of remote access introduced.
Clearly, the older practices of leaving users to remember all their credentials and their consequent use of yellow stickies doesn't scale to fit this model, and this, along with the multiple modes of access, has much broader security implications for the organisation, as well as ramifications within the new compliance culture sweeping through business.
In order to address these issues, organisations are increasingly looking to Single Sign On (SSO) as a way to manage the proliferation of passwords, with 55 per cent already adopting this approach to some extent, and the majority planning to increase its use. Additionally, companies are recognising the need to overcome the vulnerability of a simple user name/password logon and are planning to ramp up their use of multi-factor authentication using biometrics, smartcards, and traditional tokens in the future.
It is also interesting to note that nearly half of respondents plan to start using digital signatures on documents, which helps to explain the current lively discussion between Microsoft and Adobe about the former's inclusion (or not) of a "save as pdf" function in the upcoming Office Systems 2007 release. As the Redmond giant looks to integrate digital signatures and rights management into its new file formats, it is going to be seen increasingly toe to toe with the evolving capability of Adobe and other established players in this area.
All in all, it looks like corporate IT departments are becoming increasingly aware of the security implications of proliferating applications, workforce mobility and the growing need for integration of systems with suppliers and customers. This is not always reflected by the measures actually in place, but as organisations look for help in managing the trends we have been discussing, we can anticipate continued vendor competition and lively debate in areas such as network access control, SSO, authentication and document control.
In the meantime, results from the reader study mentioned above have been summarised in a report entitled Managing Access Securely, which is available from the Register research library here. ®