Stephen Howes, CTO, GrIDsure: Passwords are no longer enough to protect critical data in a mobile age
March 2011 by Stephen Howes, CTO, GrIDsure
Protecting sensitive data – be it installing a system, or managing information on behalf of in-house or third-party clients – has never been more important in a world where top-secret US files can find their way onto the web via WikiLeaks. With the explosion in mobile data access thanks to the wave of portable devices hitting the market in recent years, it's high time thought was given to whether the authentication solution you have in place is still fit for purpose.
Recent research by Forrester Consulting on behalf of Symantec suggests it might not be. The survey, which covered more than 300 businesses, found that a third were still happy to rely on the very weakest form of authentication – passwords – to grant external access to their networks. The report's authors described the use of traditional password verification as "antiquated" in the era of Cloud computing, collaboration tools and smartphones, and I'd have to agree. One reason for this is that even this most basic level of authentication is frequently misused. People remain the weakest link in any security set-up, and in a bid to beef up protection, passwords have been lengthened and made more complicated. As humans, the majority of us leading hectic lives simply can't remember long strings of numbers easily, with the result that they get written down or simplified (where possible), rendering an already weak form of authentication redundant in security terms. Forrester also found password issues are the top access problem businesses face, with forgotten passwords common. Factor in lost time and productivity, and password resets cost on average £25 at the very least.
Putting aside the enormous reputational risk you run if data is compromised due to weak password protection, there's now a significant cost of another magnitude to face. Last November the Information Commissioner's Office demonstrated beyond doubt that it is far from a toothless tiger, hitting Hertfordshire County Council with an eye-watering £100,000 fine relating to the accidental distribution of sensitive personal information to the wrong recipients. Given this, now is very much the time to challenge the status quo. The question is not so much what is the best authentication solution (although most are preferable to a login and password set-up) but rather how you wish to use it; what you're using it for; how risky an environment you're operating in; and how frequently you'll be using the solution, as employees who maybe use it once a month will forget what to do if it's particularly complicated, nullifying the benefits of being able to access data remotely or on the go.
So what are the alternatives? Smartcards and key codes can't address remote or mobile authentication. Tokens, which generate a One Time Passcode, are a secure and now familiar authentication technology. However, the acquisition and maintenance of these hardware devices comes at a cost, which has become significant in recent years as more employees demand to work from home. Usability of such a system is also relatively low due to the need for users to carry around an additional piece of hardware to ensure authentication and data access.
Biometric authentication is an interesting development but to my mind will probably remain niche for the foreseeable future. Solutions that send an SMS to a device, such as a mobile, are certainly ahead of passwords in terms of performance but can't provide 100% authentication, as devices can be stolen and cellular coverage is sometimes patchy. To that end there are a number of visual options in the marketplace, where users remember a shape, face or pattern rather than a password to generate a One Time Passcode. Studies by UCL's Department of Computer Science in London have found that people find it much easier to remember a pattern than a string of numbers. Being software based, there are also advantages in rolling out this extra layer of security quickly across networks, and a cost saving as there's no need to purchase or deploy tokens.
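To make the "remember a pattern, not a password" idea concrete, here is an added example of the general pattern-based one-time-passcode scheme, written for this page; it is illustrative code, not GrIDsure's product or any vendor's implementation. It assumes a 5x5 grid of random digits as the challenge, a secret pattern of four cell positions as the user's credential, and a four-digit response read off the grid; the grid, pattern and names are all constructed here. It also counts how many patterns remain consistent with a single observed challenge and response, which is the reason a fresh grid must be issued for every login and why a response must never be accepted twice.

```python
import hmac
import secrets
from itertools import product

GRID_SIZE = 5   # assumption: 5x5 grid of digits
CODE_LEN = 4    # assumption: pattern and passcode are four cells long


def new_challenge(size=GRID_SIZE):
    """Server side: build a fresh grid of random digits for this login attempt only."""
    return [[secrets.randbelow(10) for _ in range(size)] for _ in range(size)]


def derive_otp(grid, pattern):
    """Read the digits at the pattern's cells, in order. This is what the user types."""
    return "".join(str(grid[r][c]) for r, c in pattern)


def verify(grid, pattern, response):
    """Server side: recompute the expected passcode from the stored pattern
    and compare in constant time so timing does not leak matching prefixes."""
    if len(response) != len(pattern) or not response.isdigit():
        return False
    expected = derive_otp(grid, pattern)
    return hmac.compare_digest(expected, response)


def count_candidate_patterns(grid, response):
    """How many distinct-cell patterns could have produced this response on this grid?
    One observation narrows the pattern space but does not identify the pattern;
    repeated observations with reused grids would, hence one grid per login."""
    size = len(grid)
    cells_per_digit = []
    for ch in response:
        cells_per_digit.append([(r, c) for r in range(size) for c in range(size)
                                if grid[r][c] == int(ch)])
    return sum(1 for combo in product(*cells_per_digit) if len(set(combo)) == len(combo))


# Constructed sample challenge and pattern (not real data).
SAMPLE_GRID = [
    [3, 1, 4, 1, 5],
    [9, 2, 6, 5, 3],
    [5, 8, 9, 7, 9],
    [3, 2, 3, 8, 4],
    [6, 2, 6, 4, 3],
]
SAMPLE_PATTERN = [(0, 0), (1, 1), (2, 2), (3, 3)]   # the main diagonal


if __name__ == "__main__":
    otp = derive_otp(SAMPLE_GRID, SAMPLE_PATTERN)
    print("user reads off:", otp)
    print("accepted:", verify(SAMPLE_GRID, SAMPLE_PATTERN, otp))
    print("patterns consistent with one observation:",
          count_candidate_patterns(SAMPLE_GRID, otp))
    fresh = new_challenge()
    print("old passcode on a fresh grid accepted:", verify(fresh, SAMPLE_PATTERN, otp))
```

The server stores the pattern, never the passcode, and the passcode is only meaningful against the grid it was issued with; an attempt to reuse a captured passcode against a fresh grid fails unless the new grid happens to repeat the same digits at those cells. The candidate count shows the residual risk a deployment has to manage: the scheme resists a single glance over the shoulder but relies on never reusing a grid, so challenge freshness and rate limiting of attempts are the controls that matter.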
Regardless of what you opt for, by far the most important thing is to make sure it's as intuitive and accessible to the end user as possible, lest it be circumvented. With ever-increasing regulation and the threat of hefty fines, now is the time to make sure you have the correct authentication in place.
GrIDsure is exhibiting at Infosecurity Europe 2011 (stand G94), the No. 1 industry event in Europe held on 19th – 21st April at the prestigious venue of Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk