The long and short on User IDs and passwords
May 15, 2008
It's now a well-known fact that the longer a password is, the safer it usually is, especially if it mixes upper- and lower-case characters. If you change it regularly, it's even better. Recently, Aberdeen conducted a survey revealing that about 68.1 percent of organizations currently don't even require their employees to change passwords regularly. Surprisingly, none of the resulting risks, overall costs and inconveniences were the formal intent of management when it established its current password-based user authentication policies.
The pressures on companies to better focus their resources on evaluating and implementing stronger, non-password forms of user authentication are the same ones Aberdeen has seen in virtually all of its security benchmark studies over the past year: risks, regulations, internal policies, and industry best practices and standards continue to be the leading market drivers, along with "protecting the organization and its brand."
However, the large number of passwords in use today simply compounds the problem. In a typical day, an average enterprise knowledge worker may be required to use a half-dozen passwords or more in the normal course of Windows log-on, data encryption, remote access, Wi-Fi access, e-mail, Internet-based applications and back-office applications.
Smaller subsets of users may even use passwords to access privileged accounts or documents, or to execute so-called high-value transactions. Current research indicates that about 87.6 percent of enterprise users have multiple work-related passwords.
Overall strategies based on establishing and enforcing consistent policies for user authentication correlate most highly with current investments in strong user authentication. Aberdeen's research shows that the top performers were 24 percent more likely to identify an explicit strategy to reduce the total cost of managing user authentication credentials as a driver for current investment.
With respect to selecting and implementing specific strong user authentication methods, the data reveals three distinct strategic approaches:
"Reduce overall costs" is a more recently emerging theme in Aberdeen's security research, but it is worthy of special note as a driver for investments in assuring identities, given the common misperception that passwords are free. Aberdeen's Nov. 2007 report on Security Governance and Risk Management first showed that top-performing organizations have begun to develop security governance, risk management and compliance processes to allocate their IT resources and activities more effectively based on their business objectives.
"The right tool for the job" is the first approach: implement the user authentication methods deemed most appropriate for each application and end-user population. An organization might use hardware tokens for administrative access to privileged accounts, digital certificates for employee remote access over VPN, and heuristic, risk-based scoring for online access by external customers. Management of these systems would traditionally be done independently.
"One for all" is the second approach: strive towards a common user authentication method for all applications and end-user populations. An example of this is a U.S. federal government agency that issues smart cards in compliance with HSPD-12, as described in the Dec. 2007 Logical/Physical Security Convergence: "Is It in the Cards" benchmark report.
"Common platform" is the third approach: move towards a common user authentication infrastructure that can manage multiple user authentication methods. The same example applies, of a company that deploys hardware tokens, digital certificates, and heuristic, risk-based scoring for different populations and purposes. The difference in this case is that the company implements a common back end to create and enforce policies, and to manage authentication credentials more consistently over their life cycle.
Aberdeen notes, as a consistent theme across multiple studies, a strong correlation between top performance and a deliberate shift away from tactical, siloed deployments toward a more centralized infrastructure for sustainable, continuous security.
While all these capabilities are still nascent, even among the top-performing companies, the security research firm clearly sees them in the context of providing higher assurance for user identities through the deployment of strong user authentication.
The research clearly demonstrates that passwords continue to be a big problem, and that a rich diversity of strong authentication alternatives will continue to be available in the market. Organizations that deploy at least one strong authentication method should make an informed choice based on their own unique balance of preferences and solution attributes.
They should also give deliberate thought to the strategic choice they are making: a variety of methods, each with its own back end; a single method for all users; or a variety of methods with a common back end.
Tradeoffs will continue to be the name of the game in the ultimate selection. The good news for buyers is that the trend is towards continued variety, flexibility and choice. The "right" strong user authentication will be chosen by finding the unique balance of solution attributes and organizational attributes that make up the selection criteria for your use case and your organization.
In conclusion, independently of which user authentication methods are deployed, top-performing organizations have excelled relative to their counterparts at managing user authentication credentials throughout their natural life cycle. In some cases, this favors a more ecumenical, platform-oriented approach.
Among the four high-level categories of provisioning, user support, deprovisioning and operations/management, research shows that the best performance overall is currently in the front-end aspects of provisioning. The biggest opportunities for improvement are in the areas of end-user self-service and extracting intelligence from the authentication solution.
Source: Aberdeen Research.