Content Copyright © 2006 Bloor. All Rights Reserved.
Anyone that has worked in an IT department supporting an organisation of any size quickly realises what a trial managing users and their respective access requirements is. Couple that with physical access, admittedly not really an IT issue per se, and you have a big business burden.
The smarts in the IT security industry saw an opportunity here a while back and worked to deliver integrated single sign on as a way to try and beat the demon of password fatigue and yellow sticky insecurities. Couple that with secure remote access and integrated ID cards and you end up with a pretty useful infrastructure to support an Assured business.
The Assured business is something I have been promoting for a while as a way of articulating IT security to the CxO community, many of whom have little interest in the subject.
The problem is that as soon as one starts talking technical to these people they will switch off quicker than you can say single sign on.
But start shouting about compliance and personal risk and you soon see them switch back on, as even the most intransigent CEO is concerned by recent legal actions Stateside and how they may affect them personally.
How can these basic elements of an Assured business be put in place?
Starting at the company border, a decent ID card system to control physical access is a must. Photo cards alone are the obvious choice to most people but are often a waste of money, as I can’t remember the last time anyone studied my picture on a piece of photographic ID.
Of real benefit is the use of the card, combined with passwords and PINs, to gain access to buildings and IT systems—at this point the photo is irrelevant and the PIN/password rules the moment.
Single sign on does (or should do) what it says on the packet. By providing one password a user can be taken transparently to all of the systems they are authorised to use without the frustration of entering yet more passwords. The obvious flaw in this approach is that once this access has been compromised access can be had across all subsequent systems—hardly defence in depth I would suggest, or is it?
The good news is that multifactor authentication is now gaining a foothold, ensuring that when the user does sign in for the first time they are really able to prove who they are. This often follows the pattern of something the user has (smart card), something the user knows (PIN/password) and something unique to the user (fingerprint, retina scan).
It is only with multifactor authentication firmly in place that any organisation should consider single sign on to sensitive systems—it’s too darned risky otherwise.
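The point above, that a single sign on broker should not hand out a token valid across every system until more than one factor has been checked, can be shown in code. The following is an added example written for this page, not code from the article or from any vendor it names: a small SSO broker that verifies a password (something the user knows) and a time-based one-time code (something the user has) before minting a signed, short-lived token, and a verifier that each downstream system would run. The user record, salt, secrets and system names are constructed for the demo.

```python
"""Added example (not from the article): SSO token issuance gated on two factors."""
import base64
import hashlib
import hmac
import json
import struct
import time

def hash_password(password: str, salt: bytes) -> bytes:
    # "Something the user knows": PBKDF2 so a stolen credential store is slow to crack.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    # "Something the user has": RFC 6238 time-based one-time code (HMAC-SHA1 over
    # the 30-second counter), as produced by a hardware token or authenticator app.
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)

# Constructed demo data: one user, two authorised systems, a broker signing key.
SALT = b"constructed-salt-16b"
TOTP_SECRET = b"constructed-totp-secret"
USERS = {
    "alice": {
        "pw": hash_password("correct horse battery", SALT),
        "salt": SALT,
        "totp": TOTP_SECRET,
        "systems": ["hr", "finance"],
    },
}
SSO_KEY = b"constructed-signing-key-for-the-sso-broker"

def issue_sso_token(user: str, password: str, code: str, now=None, ttl: int = 900):
    """Return a signed SSO token, or None unless BOTH factors verify."""
    now = int(now if now is not None else time.time())
    rec = USERS.get(user)
    if rec is None:
        return None
    # Factor 1: password, compared in constant time.
    if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw"]):
        return None
    # Factor 2: one-time code; accept one window either side for clock drift.
    if not any(hmac.compare_digest(totp(rec["totp"], now + d), code) for d in (-30, 0, 30)):
        return None
    # The token records which factors were used ("amr") and expires quickly, so a
    # stolen token is bounded in time and downstream systems can insist on "otp".
    payload = {"sub": user, "systems": rec["systems"], "exp": now + ttl, "amr": ["pwd", "otp"]}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(SSO_KEY, body, hashlib.sha256).digest()
    return body + b"." + base64.urlsafe_b64encode(sig)

def verify_sso_token(token: bytes, system: str, now=None):
    """Run by each downstream system: return the user name if the token is valid
    for this system, unexpired, untampered and backed by a second factor."""
    now = int(now if now is not None else time.time())
    try:
        body, sig = token.split(b".")
        expected = hmac.new(SSO_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(base64.urlsafe_b64decode(sig), expected):
            return None
        payload = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, KeyError):
        return None
    if payload.get("exp", 0) <= now:
        return None
    if system not in payload.get("systems", []) or "otp" not in payload.get("amr", []):
        return None
    return payload.get("sub")

if __name__ == "__main__":
    t = int(time.time())
    tok = issue_sso_token("alice", "correct horse battery", totp(TOTP_SECRET, t), now=t)
    print("hr access:", verify_sso_token(tok, "hr", now=t))          # alice
    print("payroll access:", verify_sso_token(tok, "payroll", now=t))  # None
```

The token is only as strong as the broker's signing key and the factor checks in front of it, which is the article's warning in practice: the verifier on every system refuses a token that was not minted after a second factor, so a password alone never unlocks the whole estate.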
Finally we have secure remote access. Being a huge proponent of remote working I am ever keen to see better ways of ensuring quick and easy access to corporate resources, as long as they are secure. The days of dial up are really over, but it is surprising how many organisations still use it. At least it protects from the hijacking of wireless hotspots, but broadband access with a VPN is probably the way forward for now. Couple this with multifactor authentication and it is probably as good as it is currently going to get.
Finding all of this in one place—secure physical access, secure single sign on and secure remote access—may seem a bit of a struggle. Certainly there are some very good vendors that have good point solutions for all of these, but not many that can give you a package covering all three aspects.
One that does come to mind is ActivIdentity. Born out of the merger of Protocom and ActivCard, they have been able to build a one stop shop for digital ID management. The best news is that it is built on open standards, giving you a real advantage when it comes to creating an Assured business. If your preference is to shop around for individual solutions then fine, but I like the fact I can buy from one vendor and task them with delivering the security I need—it’s a quicker route to an Assured business.