Ayaaz Janmohamed and Matthew Todd manage IT operations in two
very different environments, but their identity and access
management challenges aren't different at all.
Janmohamed, IT infrastructure manager for the City of Edmonton
Police Service in Alberta, Canada, worries that online outlaws
could access electronically stored information on suspects, victims
and police officers and put everyone's safety at risk. Todd, CISO
and VP of risk and technical operations for Palo Alto, Calif.-based
Financial Engines Inc., worries that someone with unauthorized
access could steal investors' sensitive financial data and use it
for identity fraud and other crimes.
Both have invested plenty of time, money and energy to keep
these scenarios from ever happening. And along the way, both have
determined that passwords are nothing but trouble.
"The urgency of people getting information is such that people
put passwords on a sticky note, or several people try to share
passwords on one machine, and so accountability is tossed out,"
Janmohamed said. Many organizations also allow employees to choose simplistic passwords that attackers can easily crack, and if an employee needs multiple passwords to access different applications, the problem is exacerbated.
Janmohamed and Todd are not alone. A majority of the 358 IT professionals who took a SearchSecurity.com survey on identity and access management in April said passwords are obsolete and want to replace them with stronger methods that include two-factor authentication and single sign-on. Respondents are also looking to replace traditional passwords with tools like tokens and smart cards.
"Whatever we can do to reduce the number of passwords will help us
reduce the human impact," Todd said. "Fewer passwords mean fewer
opportunities for things to go wrong."
By the numbers
The drumbeat against passwords has grown louder in recent months. Even Microsoft Chairman Bill Gates has called for their demise. That mood is clearly reflected in the survey responses.
- About 74% said their users must remember too many passwords,
and 63% said coping with multiple password policies is a problem or
a significant problem.
- More than 56% said they're handling too many password
resets.
- 79% said their organizations are spending the same or more on
password management this year.
Spending on authentication alternatives is also steady or on the
increase at many organizations.
- 64% said they are spending the same or more on authentication tokens.
- 76% are spending the same or more on digital certificates, and nearly 50% say they're spending the same or more on smart cards.
- 70% are spending the same or more on enterprise single sign-on, and 63% are spending the same or more on Web single sign-on.
Spending has declined, though, in some areas.
- Fewer are investing in biometrics as an alternative. Just 39% of respondents said they will spend the same or more on biometrics this year, and more than 56% said they're not spending on the technology at all.
- There is also less spending on federated ID management, with 47% saying they're spending the same or more on federated ID management and 48% saying they're not spending at all.
From passwords to PINs and tokens
Janmohamed plans to move beyond his organization's current password
system toward one that relies on two-factor authentication and
enterprise single sign-on.
"We hope to marry up [Microsoft] Active Directory and PKI to create a single sign-on process," he said. This way, the network won't prompt for a full username and password. Instead, he said, it will prompt each user for a PIN and token, and the token will have to be in the machine for the user to get access. The department will use a PKI server from Addison, Texas-based security firm Entrust Inc. for authentication.
Access (out of) control?
About this special report: You've heard about the need for companies to ensure that network users are who they say they are, and that employees can only access what their jobs require. In this special report, IT professionals surveyed by SearchSecurity.com share the pain points and solutions they've experienced on the way to better and more practical ID and access management.
Special report menu:
- Day 1: When access management becomes rocket science. Security can be a hard sell beyond the IT realm, even for security pros at NASA. But nothing motivates people like regulatory pressure and a fear of being the next data breach headline.
- Day 2: Looking ahead to life without passwords. Security pros know that passwords are nothing but trouble. For them, single sign-on, two-factor authentication and federated ID represent the path to stronger authentication.
- Day 3: Active Directory users finding their way. Many IT shops use Microsoft Active Directory to manage network access. Some say it's difficult, but others are using it as a key tool in successfully managing network access.
- Inside the numbers: Access (out of) control? In April, SearchSecurity.com surveyed 358 IT professionals from a variety of industries regarding their identity and access management programs. Here is a look at some of the questions we asked and the answers they gave.
Until then, the police force is taking other measures to reduce the likelihood of password-inspired security problems. If there's no activity on a user's computer for 15 minutes, for example, the user must log back in so that passers-by can't walk up to the machine and help themselves.
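The two controls described above, a PIN plus a physical token in place of a password and a forced re-login after 15 idle minutes, can be modelled in a few dozen lines. The following is an added example, not code from the article, from the Edmonton Police Service or from any vendor it names: it uses an HMAC-based one-time-password token (HOTP, RFC 4226, with that RFC's published test secret as a constructed demo value) as a stand-in for the PKI token and SecurID-style PIN-plus-code scheme the article describes, and the `Authenticator`, `Session`, `LOOK_AHEAD` and `IDLE_LIMIT` names are assumptions for this demo. Lockout after repeated failures is deliberately left out to keep the example focused.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed demo values. The token secret is the RFC 4226 test-vector secret;
# in a real deployment it lives only inside the token and on the auth server.
DEMO_TOKEN_SECRET = b"12345678901234567890"
DEMO_PIN = "4711"
IDLE_LIMIT = timedelta(minutes=15)   # the article's 15-minute idle rule
LOOK_AHEAD = 5                       # assumed: counter values the server tolerates ahead


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation to 31 bits, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class UserRecord:
    pin: str
    token_secret: bytes
    counter: int = 0          # next token counter the server will accept


@dataclass
class Session:
    user: str
    last_activity: datetime

    def expired(self, now: datetime) -> bool:
        return now - self.last_activity >= IDLE_LIMIT


class Authenticator:
    """Two-factor login (something known + something held) with idle expiry."""

    def __init__(self) -> None:
        self.users: Dict[str, UserRecord] = {}

    def enroll(self, name: str, pin: str, token_secret: bytes) -> None:
        self.users[name] = UserRecord(pin=pin, token_secret=token_secret)

    def login(self, name: str, pin: str, otp: str, now: datetime) -> Optional[Session]:
        rec = self.users.get(name)
        if rec is None:
            return None
        # Factor 1: the PIN, compared in constant time.
        pin_ok = hmac.compare_digest(pin.encode(), rec.pin.encode())
        # Factor 2: a code the token must have generated. Accept a small window
        # ahead of the last used counter; a code already consumed is rejected,
        # so a captured code cannot be replayed. The counter advances even when
        # the PIN is wrong, so a leaked code is burned by the failed attempt.
        otp_ok = False
        for c in range(rec.counter, rec.counter + LOOK_AHEAD):
            if hmac.compare_digest(hotp(rec.token_secret, c), otp):
                rec.counter = c + 1
                otp_ok = True
                break
        if not (pin_ok and otp_ok):
            return None
        return Session(user=name, last_activity=now)

    def resume(self, session: Session, now: datetime) -> bool:
        """True if the session is still live; an idle session must log in again."""
        if session.expired(now):
            return False
        session.last_activity = now
        return True


if __name__ == "__main__":
    auth = Authenticator()
    auth.enroll("officer", DEMO_PIN, DEMO_TOKEN_SECRET)
    t0 = datetime(2006, 5, 1, 9, 0)
    s = auth.login("officer", DEMO_PIN, hotp(DEMO_TOKEN_SECRET, 0), t0)
    print("login:", s is not None)
    print("still live after 14 min:", auth.resume(s, t0 + timedelta(minutes=14)))
    print("still live after 15 more min:", auth.resume(s, t0 + timedelta(minutes=29)))
```

The counter window is what lets a user press the token button a few times without locking themselves out, while the strict "never below the last consumed counter" rule is what makes a code single-use.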
Itching to federate
For Financial Engines, stronger authentication is also necessary for the company's plans to share applications with business partners through federated ID management, Todd said.
More than 40% of survey respondents said giving partners and
suppliers access to their systems would enable a more efficient
supply chain process. But for this to work, Todd said, companies
must have total confidence that their partners are using ironclad
authentication methods. In this regard, most organizations no
longer trust the password system people have been using for the
last 20-plus years.
For that reason, among others, federated ID management's push toward the mainstream has been slow.
"It's a huge challenge," Todd said. "We have data for millions
of people that is sensitive. We are dealing with vast companies not
used to smaller companies like us. So it's a bit of a battle
getting the bigger guys to federate with a smaller company. We're a
tugboat trying to steer the aircraft carrier in another
direction."
Cultural change inevitable
While federated ID is a long-term goal, Todd outlined steps the company is already taking to strengthen authentication, which include rolling out SecurID from Bedford, Mass.-based RSA Security Inc. That may be key to getting rid of traditional passwords in the future. But there will probably be some hiccups early on.
"If we replaced the Windows password with a SecurID PIN code,
cultural challenges would be involved," he said. "It would be much
stronger than passwords but there would of course be some
resistance to change."
While some might resist when change ultimately arrives, Todd
said, eventually everyone would adjust to life without passwords.
To get there though, department heads must be on the same page.
"Anything you do with access control, it's all about mitigating
risks to the business, so when I implement sweeping change, team
leaders are involved," Todd said. "There may be early grumbles, but
eventually everyone adjusts."
Stronger authentication no longer a choice
A move beyond traditional passwords isn't really a choice for companies anymore, especially those doing business online. In fact, financial firms are being required to have two-factor authentication by the Federal Financial Institutions Examination Council (FFIEC).
For that reason, two-factor authentication with a single sign-on
capability is priority one for Keith Gosselin, IT officer for
Biddeford Savings Bank in Biddeford, Maine. It's a change he's not
complaining about.
"Passwords are simply not enough anymore," he said.