Passwords alone are no longer sufficient, and with the rapid rise in phishing, companies that host valuable assets are seeking more stringent methods of authentication. Helen Beckett reports.
Confirming that someone is who they say they are has never been
more critical. As more transactions are conducted over networks,
the number of digital identities owned by individuals is
mushrooming. So too is the amount of digital identity theft
perpetrated in recent months by phishing or spoof websites. Finding
a way to rationalise and secure digital identities is preoccupying
IT directors, governments and businesses.
Common sense informs anyone making transactions online that a
solitary password is not a strong deterrent against a determined
fraudster with average intelligence. A recent survey of 2,000
consumers, conducted for secure ID and access management company
Entrust, found that 22% of customers would swap banks if they
thought it would increase security. This anxiety is linked to a 50%
month-on-month increase in phishing attacks.
"The truth is that passwords, used alone, are not that safe,"
says Richard Starnes, head of the Information Security Services
Association.
The old axiom holds that changing passwords every 90, 60 or 30
days may be sufficient depending on how privileged the user account
is. However, with a fair degree of knowledge about an individual,
passwords can be guessed easily. The availability of programs such
as l0phtcrack on the internet means that passwords can be cracked
in 30 minutes.
Given the ease of access to such code-cracking programs,
companies hosting valuable assets on their network or conducting
high-value transactions online are progressing to stronger methods
of authenticating users. "You can authenticate in three ways:
something you know, something you have and something you are," says
Starnes.
Digital identity is further strengthened by combining two or
more of these factors: the use of password plus a physical token is
becoming a de facto way of beefing up security.
"Most big city corporations use them for remote access," says
Adam Westbrooke, consultant and former IT director with law firm
Taylor and Wessing.
Although tokens have traditionally been considered as a means of
securing remote devices, people are now taking them into the
office. "They are becoming 'an anywhere issue'," says John
Stewart, managing director of Signify, which provides managed
identity services.
Tokens are partly a response to more pervasive use of wireless
LANs. "Someone armed with a sniffer could attack a network from a
car park [beside a company building]," says Stewart, who advises:
"Even if you are within your own premises, you need to
authenticate."
However, IT directors are realising that tokens have a part to
play in preventing theft of digital IDs from within, as well as
outside the organisation. "The reality is that most identity theft
happens within the office," says Stewart. He describes the scenario
of the salesman who wants to know what commission his colleague is
on and hacks into the database using the sales director’s details.
Identity theft is perpetrated by someone who knows the victim’s
habits and privileges.
Starnes agrees, "The problem with the internet is that it has
focused all our attention outwards. We are worried about the
barbarians at the gate and we are unaware of the barbarians already
in the courtyard."
Too few companies are implementing policies and technologies
inside networks as well as the perimeter fence, he says. "However
good we are at VPNs, intrusion detection and firewalls, internally
you will generally notice very little of these plus there is often
inadequate logging and auditing of networks."
The cost of implementing and maintaining a token-based
authentication system on a large scale still discourages many
companies from biting the digital ID management bullet. B2C
consumers, even online banking customers, are not offered tokens
because the margin on a current account does not warrant the cost
of issuing customers with devices. At £35 each, costs ratchet up
quickly.
In a bid to make two-factor authentication more affordable,
Entrust has just launched an alternative to the token, still based
on two-factor authentication but using a bingo-style grid of
characters instead of key fobs. These cards may be easy and cheaper
to deploy than tokens but they remain vulnerable to physical theft.
As Westbrooke observes, all too often staff store physical
authentication devices with their laptop, plus he has witnessed lax
distribution too. This includes tokens issued on the strength of a
call to the IT helpdesk and tokens sent out to "strange
addresses".
However, it is the lifecycle costs of maintaining token-based ID
management that companies find most daunting, according to Rupert
Jennings, IT and communications manager for financial investment
firm Pall Mall partners. With directors traversing the globe and
needing to access sensitive data, Jennings dismisses "good old
passwords" as "useless".
He identifies tokens as the best route forward but worries about
the resource needed to manage situations of lost tokens among
personnel travelling overseas. "We could not afford an in-house
scenario," he says and instead bought a managed ID service for less
than the price of a worldwide dial-up account.
The network and assets are further secured by mapping digital
IDs onto the applications they are allowed to access. If someone
tries to access an application for which they are not authorised,
the user is locked out. Identifying someone at the perimeter fence
is the crucial first step, but security can only be assured if
authorisation privileges are maintained using internal firewalls,
says Jennings.
Although sound identity management calls for up-to-date
technology to be deployed at the perimeter of the network and
throughout, it also requires someone to keep tabs on everyone. That
in turn calls for good housekeeping routines, not least maintaining
quality of data.
Any authentication method is more usable if it can be applied as
a single sign-on to gain access to multiple locations. This removes
the need for users to remember many IDs for different networks and
services and has a big appeal for companies dealing online with
business partners and customers. "Companies are very cognisant of
opening up their networks and back-end applications for B2C and B2B
transactions," says Rob Adams, ID expert with security firm,
Cybertrust.
A single sign-on, whether to access one enterprise’s
applications or many companies’ resources, requires applications
and parties to trust the "gatekeeper’s" ID management. When
different parties agree to trust each other’s ID management, it is
called federated identity. Parties agree to treat user data in a
consistent manner and to pass the details among other trusted
parties only.
Federated identity is being explored by banks, governments and
commercial organisations as a means of making it more secure - and
therefore easier - to sell bundled services online. Potential
applications include travel deals that consist of different
components, and a consortium of Scandinavian banks is piloting the
use of mobile phones to purchase goods. One early example of
federated identity in action, cited by Adams, is a US airline whose
engineers, once authenticated by its network, can move to
manufacturing partner sites to write technical specifications.
Supplier and user consortium Liberty Alliance is drawing up
technology and business protocols to enable digital IDs to be
portable between different networks. "Today almost randomly
personal information is requested by a site that you may or may not
trust. That is what Liberty Alliance wants to change," says Bjorn
Wigforrs, vice-president of Liberty Alliance. The specification
makes it possible for users to decide which pieces of information
they want to share, whether it is a home address or credit card
details.
Whether IT directors are focused on securing the enterprise
network or sharing resources with other parties, identity
management is becoming a key part of their armoury. Setting and
policing strategies is every bit as vital as installing appropriate
technology, say the security experts. This calls for
persistence.
"The problem with identity management is that it is not an
architecture that you can go into and implement and then consider
done and dusted," says Adams. "It’s a living document that has to
reflect the changing culture of an organisation."
The three steps of identity authentication
Identities can be authenticated in three ways: something you
know, something you have and something you are. Combining two or
more of these components exponentially increases the security of
any digital identity.
Passwords are something you know: a piece of knowledge that only
the user should possess. Two-factor authentication adds something the
user uniquely "has" and keeps safe, such as a physical token.
This is the concept behind the RSA token, a physical device that
can either be plugged into the USB port of a device, or take the
form of a key fob, which generates and displays a new number at
defined intervals.
The token is a sealed unit and its "seed record", or key, is
time-synchronised with the authorising server, which alone knows
the number that should be showing on the token. The e-mail server
refers the one-time password the user submits to the authenticating
server, and if it matches that server's record, the user is
logged in.
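How the sealed token and the authenticating server arrive at the same number, as an added example that is not part of the article and is not RSA's proprietary SecurID algorithm: it assumes an HMAC-SHA1 time-step construction in the style of RFC 6238, a 60-second display interval, six-digit codes and a constructed seed record. It also carries the two checks the description implies but does not spell out: tolerating clock drift between token and server, and refusing a code that has already been accepted.

```python
"""Time-synchronised one-time-password token and its authenticating server.
Assumptions (not RSA's own design): HMAC-SHA1 over a time-step counter in the
style of RFC 6238, 60-second steps, 6-digit codes, constructed seed values."""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the key fob shows a new number at this interval
DIGITS = 6

def code_for_counter(seed: bytes, counter: int) -> str:
    """Code for one time step: HMAC(seed, counter), dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** DIGITS)).zfill(DIGITS)

def token_code(seed: bytes, unix_time: int) -> str:
    """What the token displays at unix_time; only the seed and the clock matter."""
    return code_for_counter(seed, unix_time // STEP_SECONDS)

class AuthServer:
    """Holds each user's seed record, the only other copy of the key."""

    def __init__(self, seed_records: dict):
        self.seeds = dict(seed_records)
        self.last_counter = {}   # highest time step already accepted per user

    def verify(self, user: str, submitted: str, unix_time: int,
               drift_steps: int = 1) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        counter = unix_time // STEP_SECONDS
        # Try the current step and a small window either side for clock drift.
        for delta in range(-drift_steps, drift_steps + 1):
            candidate = counter + delta
            expected = code_for_counter(seed, candidate)
            if hmac.compare_digest(expected, submitted):
                if candidate <= self.last_counter.get(user, -1):
                    return False   # same code again: replay of a captured value
                self.last_counter[user] = candidate
                return True
        return False

if __name__ == "__main__":
    seed = b"constructed-seed-record-0001"   # constructed, not a real seed
    server = AuthServer({"alice": seed})
    now = 1_700_000_000
    shown = token_code(seed, now)
    print(shown, server.verify("alice", shown, now), server.verify("alice", shown, now + 5))
```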
For safety-critical installations such as nuclear power plants
or data that affects national security, the risk of a breach
warrants adding a third factor of authentication. Incorporating the
component of information unique to an individual takes
authentication into the field of biometrics. This works by
addressing the "something you are" component using information
unique to an individual such as the structure of the iris, a thumb-
or handprint or even voice modulations.
Authorising access to applications
Rationalising multiple IDs makes it easier to authorise users to
access different sets of applications within the enterprise. This
was the chief reason for the Metropolitan Police to implement a
single directory repository. With 45,000 staff on its payroll and
5,000 contractors, managing levels of privilege and access to
different applications was a major headache. Using DirX, Siemens
Nixdorf's LDAP/X.500 directory server, the Met has synchronised
access across multiple databases.
"The most important thing will be the much greater control we
have over security and legitimate access to data," says Vince
Freeman, technical security manager for the Metropolitan Police.
"We should also achieve considerable savings on software licensing,
which at the moment we are not able to control as closely as we
would wish, given the problems with multiple identities."
Case study: Royal Liverpool Hospital uses two-factor security for access to x-ray images
Scanning x-ray images is a crucial part of a diagnosis and
consultants have to do this as and when the situation arises. This
is one of the applications that the NHS is having to deliver more
flexibly. The Royal Liverpool Hospital was under pressure to find
ways of allowing authorised people from outside the hospital to
access the network and systems and it was up to the IT team to find
a solution.
IT selected a two-factor security fob solution from Cable &
Wireless. Having the ability to prove digital identity has enabled
consultants to work much more flexibly and introduced new
efficiencies, says Brian Rowlands, clinical director of radiology.
"Consultants can look at scanned x-ray images. This used to take 20
minutes using a dedicated ISDN line, but now a full resolution
image can be viewed within 30 seconds from an ADSL line."
In the past when Rowlands needed to give an opinion on an x-ray,
it required a visit to the hospital. Two remote consultants can
discuss a case by having the same web browser open. The possibility
exists for highly specialised work to be done remotely.
This article is part of Computer Weekly's Special Report on network security, produced in association with Microsoft: www.microsoft.com/uk/security