Why "Identity" Is Central To IT Security
by John Stewart - CEO and Co-Founder of Signify - Monday, 29 November 2004.
Passwords: while suitable to protect low grade resources it widely accepted that passwords are too weak to protect the digital ID’s of corporate users. They can be so easily be guessed, snooped, copied or cloned that IdentityTheft becomes easy for an attacker who can walk through your firewalls and other defences using the stolen ID. With passwords you can never be really sure that a user is who they claim to be.

One-time Passcodes: the user presents a different passcode everytime they login, which means that even if a user’s session is snooped, the copied passcode cannot be reused. OTP’s can be sent on request to a user’s mobile phone or PDA by SMS or e-mail. They are ideal for Anywhere Access because the user is not tied to logging in from any specific PC.

Tokens: typically tokens (eg RSA SecurID) are used, in combination with a secret PIN, as the most secure and convenient to generate One-time Passcodes. They are ideal for any form of corporate remote access - whether VPN, Web or RAS based.

Smartcards & USB smartkeys: used to securely store a user’s PKI digital certificate, these devices can be used to ‘digitally sign’ documents and most appropriate for corporate ‘Single Sign-On’ and hotdesking projects where the users will always be logging in from a corporate-controlled PC or laptop.

Biometrics: despite generating many column inches, fingerprint, iris and other forms of biometric authentication are mostly used for physical access security rather than as a digital ID for network access. Again, the user is tied to a using a computer with an appropriate scanner, so most biometrics are not suitable for ‘Anywhere Access’. The exception is voice authentication which has significant promise in this area.

No-one system fits all

The reality is that each of these forms of authentication is appropriate for different users and in different applications. There’s no one perfect system that fits all needs and budgets. Larger organisations often find that they need to implement several different authentication systems to support travelling staff, teleworkers, supply chain and consumer access.

This can end up in an Identity Managment nightmare where people find they have to carry different digital ID’s and authentication credentials to access different systems and applications.

Identity Management takes more than just technology

Whatever form of authentication that you choose to implement, you will find that secure identity management cannot be delivered by technology alone. To handle the roll out of devices, PIN’s and passwords to a widespread user base you need well integrated policies, procedures and logistics, and then you need to provide your users with 24x7 support to ensure your that their digital ID’s are secure and can be trusted at all times.


What's the real cost of a security breach?

The majority of business decision makers admit that their organisation will suffer an information security breach and that the cost of recovery could start from around $1 million.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th