I don't know if I am typical, but I am quite prepared to
shop online. I buy a range of things, both for the home and for
business, as well as taking care of my bank account and credit
cards. What I have noticed is the number of different accounts I
have ended up with, along with a variety of user names and
passwords.
Although there are attempts by Microsoft with Passport and
Google with Accounts to rationalise the process, the e-tailers I
deal with all want their own user name and password. This leaves me
wondering whether to go for credentials that are as common as
possible, or to be completely random, reducing the consequences of
a security breach.
With recent reports of massive credit card security breaches,
you could be forgiven for wondering if going back to pound notes
under the mattress might not be a safer alternative. Of course,
since a large number of security breaches occur because of home
thefts of laptop computers, the answer is "no", so what is an
internet user to do?
Proliferation of passwords
The proliferation of user names and passwords is of course not
limited to home shopping: as more applications are rolled out,
users must remember more sign-in procedures.
Different systems will have different requirements for the
password, including insistence on a particular length or the
inclusion of hard-to-remember characters. Or they may issue a
password as a random collection of letters, numbers and punctuation
that is impossible to memorise.
Add to this the fact that different systems may have different
timescales for changing passwords, and it is no wonder users are
resorting to Post-it notes, and lost password calls are clogging up
IT helpdesks.
The solution is single sign-on, identified in a survey of IT
staff by Freeform Dynamics as the number one project for the
enterprise, followed by identity management. Essentially a proxy
device, single sign-on takes care of the scripts to sign in to
multiple systems using one user login and password.
Clearly, since this single set of credentials gets you into all
your systems, some form of multi-factor authentication such as a
smartcard or a token is highly advisable.
It is about to become even more interesting for users and IT
staff, as mobile applications become commonplace. More and more
enterprise-critical information is going to be beamed to handheld
devices, which will probably store it to overcome interruptions in
wireless communication.
Pulling in data
Standard applications such as e-mail, as well as ERP systems
such as SAP, business activity monitoring and custom composite
applications, will be pulling in data from a variety of back-end
systems.
Clearly, it is bad enough making users' lives difficult when
they are in the office, but the last thing you want to do is to
have them writing their passwords on the back of mobile
devices.
A compromised mobile device represents a key to the heart of any
company's data, raising concerns on many levels: competition,
compliance and the expensive consequences of loss of sensitive
customer data.
● David Perry is principal analyst at Freeform Dynamics. He
will give the keynote Are You Even Remotely Secure? at Infosecurity
Europe