Neglecting identity management

It's time to make the switch from passwords to two-factor authentication

Many midsized companies won’t consider identity management, because they think it is too difficult to deploy, too expensive to purchase and implement, and too complicated to administer and maintain.

The problem is that it’s precisely when companies grow to midmarket ($150 million to $1 billion) that user accounts seem to multiply like rabbits, and “password management” requires a disproportionate percentage of security budgets and manpower.

Postponing an investment in some form of unified account or identity management often proves to be one of the most common — and costly — mistakes in security today.

User accounts are like mold: Left unattended, their numbers grow unabated. The number of user accounts per employee increases because companies must expand their application mix to remain competitive, comply with regulatory guidelines, improve marketing and merchandising, and collaborate effectively.

This is a common consequence of growth, but in my experience it rarely occurs without adding considerable user account and authentication overhead. The reasons are easy to identify and nearly impossible to avoid: Many applications use disparate or proprietary authentication methods and databases, and finding a single authentication platform that’s supported by every application is nearly impossible.

The results are too frequently the same. Users have multiple accounts and must contend with multiple authentication procedures and interfaces. Employee productivity and willingness to comply with password security policies deteriorate over time as frustration sets in over having to slog through multiple authentication challenges to complete work.

IT struggles to create, maintain, archive and delete accounts at diverse authentication databases in a timely manner, for example before credentials can be abused by disgruntled employees or exploited by attackers. In most cases, IT spends time helping employees with password issues that could be more productively applied to patch management and other proactive desktop-security measures.

These factors also foster lax password-security policies and dangerously weaken authentication measures. I’ll focus on passwords for two reasons: They are the most commonly used credential, and the easiest to subvert. I commonly see two strategies. In both cases, passwords are so devalued they are useless.

The password placebo effect

One is where IT has been directed to permit static passwords with minimal composition, complexity and length criteria to ease the pain of multiple accounts. Employees adopt their own single-sign-on solution and attempt to use the same (or similar) password for all accounts. Managers share their passwords with secretaries and staff. If you see anything more than placebo value in enforcing passwords in this scenario, you need a refresher course in authentication.

In a second strategy I frequently encounter, IT dutifully enforces stringent password policies, and management quickly acquiesces to the need for automated password reset or restore. The growing employee attitude toward passwords is that they are dispensable, as in, “if I forget it, IT will reset it.”

This is a dangerous conclusion, because the distinction between dispensable and worthless is easily discounted. If you doubt that users discount authentication to this extent, I’ll remind you of a survey taken in London during InfoSecurity Europe in April 2004, where 70% of London commuters willingly shared their logon information with those conducting the poll, for a bit of candy. Candy for credentials aside, the help desk costs and the risks associated with weak and exploitable password-reset processes can be considerable.

Avoid an authentication mudslide

To avoid these unanticipated consequences and the potential for an “authentication mudslide,” consider identity management at the onset of the multiple-password phenomenon rather than after the mudslide has overwhelmed you. Begin by investigating unified identity management (UIM) appliances. Many are less expensive to acquire, easier to implement and better able to scale with a growing organization than processes organizations implement to “manage” multiple accounts. Several provide reduced or single logon for employees.

Look for appliances that support widely used authentication methods and services that are required by your business or that can accommodate proprietary authentication methods of your quirky, legacy applications via scripting and customizable proxies.

Adopting UIM won't eliminate the password problem, so wean users off passwords and implement two-factor authentication at your UIM appliance. The cost of token-based authentication is low enough for organizations of several hundred employees to consider.

Numerous form factors are available, so I suggest that you obtain samples of several from potential vendors, share these with your users and choose the token that users find most convenient. This measure often improves adoption and compliance.

A parting note: As you revise your security policy and your user account management to include tokens, you may encounter skepticism from members of IT and finance who express concerns that users will lose tokens and that the replacement costs make the program less attractive. Consider a social experiment within your organization. Rather than criticize users who lose their token, or abandon the project altogether, offer a savings bond or cash reward, for enhancing corporate security, to those who keep possession of theirs.

Piscitello is president of Core Competence. He can be reached at


Copyright © 2006 IDG Communications, Inc.