Passwords alone are no longer sufficient, and with the rapid rise in phishing, companies that host valuable assets are seeking more stringent methods of authentication. Helen Beckett reports
Confirming that someone is who they say they are has never been more critical. As more transactions are conducted over networks, the number of digital identities owned by individuals is mushrooming. So too is the amount of digital identity theft perpetrated in recent months by phishing or spoof websites. Finding a way to rationalise and secure digital identities is preoccupying IT directors, governments and businesses.
Common sense informs anyone making transactions online that a solitary password is not a strong deterrent against a determined fraudster of average intelligence. A recent survey of 2,000 consumers, conducted for secure ID and access management company Entrust, found that 22% of customers would swap banks if they thought it would increase security. This anxiety is linked to a 50% month-on-month increase in phishing attacks.
"The truth is that passwords, used alone, are not that safe," says Richard Starnes, head of the Information Security Services Association.
The old rule of thumb holds that forcing a password change every 90, 60 or 30 days, depending on how privileged the account is, keeps the risk acceptable. However, a password can often be guessed from a modest amount of knowledge about its owner, and once an attacker has obtained the stored password hashes, freely available cracking programs such as l0phtcrack can recover weak passwords in as little as 30 minutes.
Given the ease of access to such password-cracking programs, companies hosting valuable assets on their network or conducting high-value transactions online are progressing to stronger methods of authenticating users. "You can authenticate in three ways: something you know, something you have and something you are," says Starnes.
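To make concrete why a password on its own is a weak control, here is an added example (not code from the article or from any of the vendors quoted) of the offline dictionary attack that tools such as l0phtcrack automate. The leaked hash table, wordlist and mangling rules are all constructed for the illustration; the hashes are unsalted SHA-256 rather than the LM/NTLM hashes those tools actually targeted, but the shape of the attack, and the reason unsalted hashes fall so quickly, is the same.

```python
import hashlib
from collections import defaultdict


def sha256_hex(password: str) -> str:
    """Unsalted hash, as stored by the (constructed) weak system under attack."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed "stolen" credential store: username -> unsalted password hash.
LEAKED_HASHES = {
    "alice": sha256_hex("Summer2004"),        # dictionary word + year
    "bob": sha256_hex("password1"),           # dictionary word + digit
    "carol": sha256_hex("J8#v!qL2zR9$wPx"),   # long random password
    "dave": sha256_hex("password1"),          # same password as bob
}

# Constructed wordlist; a real cracker ships with millions of entries.
WORDLIST = ["password", "letmein", "summer", "welcome", "qwerty"]


def candidates(wordlist):
    """Apply the kind of mangling rules a cracker uses: case variants plus common suffixes."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            for suffix in ("1", "123", "!", "2003", "2004"):
                yield base + suffix


def dictionary_attack(hashes, wordlist):
    """Return {username: recovered_password} for every hash hit by the wordlist.

    Because the hashes are unsalted, one hash computation per candidate is
    compared against every user at once, which is exactly why salting matters.
    """
    by_hash = defaultdict(list)
    for user, digest in hashes.items():
        by_hash[digest].append(user)

    recovered = {}
    guesses = 0
    for cand in candidates(wordlist):
        guesses += 1
        digest = sha256_hex(cand)
        for user in by_hash.get(digest, []):
            recovered[user] = cand
    return recovered, guesses


if __name__ == "__main__":
    found, n = dictionary_attack(LEAKED_HASHES, WORDLIST)
    print(f"{len(found)} of {len(LEAKED_HASHES)} accounts cracked after {n} guesses")
    for user, pw in sorted(found.items()):
        print(f"  {user}: {pw}")
```

Three of the four accounts fall to a five-word list and a handful of rules, while carol's long random password is never reached; a per-user salt would at least stop one hash computation from testing every account simultaneously, and a slow, memory-hard password hash would make each guess far more expensive, but neither changes the basic point that a guessable password is a single, guessable secret.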
Digital identity is further strengthened by combining two or more of these factors: a password plus a physical token is becoming the de facto way of beefing up security.
"Most big city corporations use them for remote access," says Adam Westbrooke, consultant and former IT director with law firm Taylor and Wessing.
Although tokens have traditionally been considered a means of securing remote devices, people are now taking them into the office. "They are becoming 'an anywhere issue'," says John Stewart, managing director of Signify, which provides managed identity services.
Tokens are partly a response to more pervasive use of wireless LANs. "Someone armed with a sniffer could attack a network from a car park [beside a company building]," says Stewart, who advises: "Even if you are within your own premises, you need to authenticate."
However, IT directors are realising that tokens have a part to play in preventing theft of digital IDs from within, as well as outside the organisation. "The reality is that most identity theft happens within the office," says Stewart. He describes the scenario of the salesman who wants to know what commission his colleague is on and hacks into the database using the sales director’s details. Identity theft is perpetrated by someone who knows the victim’s habits and privileges.
Starnes agrees, "The problem with the internet is that it has focused all our attention outwards. We are worried about the barbarians at the gate and we are unaware of the barbarians already in the courtyard."
Too few companies are implementing policies and technologies inside networks as well as the perimeter fence, he says. "However good we are at VPNs, intrusion detection and firewalls, internally you will generally notice very little of these plus there is often inadequate logging and auditing of networks."
The cost of implementing and maintaining a token-based authentication system on a large scale still discourages many companies from biting the digital ID management bullet. B2C consumers, even online banking customers, are not offered tokens because the margin on a current account does not warrant the cost of issuing customers with devices. At £35 each, costs ratchet up quickly.
In a bid to make two-factor authentication more affordable, Entrust has just launched an alternative to the token, still based on two-factor authentication but using a bingo-style grid of characters instead of key fobs. These cards may be easier and cheaper to deploy than tokens, but they remain vulnerable to physical theft. As Westbrooke observes, all too often staff store physical authentication devices with their laptop, and he has witnessed lax distribution too: tokens issued on the strength of a call to the IT helpdesk, and tokens sent out to "strange addresses".
However, it is the lifecycle cost of maintaining token-based ID management that companies find most daunting, according to Rupert Jennings, IT and communications manager for financial investment firm Pall Mall Partners. With directors traversing the globe and needing to access sensitive data, Jennings dismisses "good old passwords" as "useless".
He identifies tokens as the best route forward but worries about the resource needed to manage situations of lost tokens among personnel travelling overseas. "We could not afford an in-house scenario," he says and instead bought a managed ID service for less than the price of a worldwide dial-up account.
The network and its assets are further secured by mapping each digital ID onto the applications it is allowed to access, so that a request for an application the user is not authorised to use is refused. Identifying someone at the perimeter fence is the crucial first step, but security can only be assured if authorisation privileges are enforced internally, using internal firewalls, says Jennings.
Although sound identity management calls for up-to-date technology to be deployed at the perimeter of the network and throughout, it also requires someone to keep tabs on everyone. That in turn calls for good housekeeping routines, not least maintaining quality of data.
Any authentication method is more usable if it can be applied as a single sign-on to gain access to multiple locations. This removes the need for users to remember many IDs for different networks and services and has a big appeal for companies dealing online with business partners and customers. "Companies are very cognisant of opening up their networks and back-end applications for B2C and B2B transactions," says Rob Adams, ID expert with security firm, Cybertrust.
A single sign-on, whether to access one enterprise’s applications or many companies’ resources, requires applications and parties to trust the "gatekeeper’s" ID management. When different parties agree to trust each other’s ID management, it is called federated identity. Parties agree to treat user data in a consistent manner and to pass the details among other trusted parties only.
Federated identity is being explored by banks, governments and commercial organisations as a means of making it more secure - and therefore easier - to sell bundled services online. Potential applications include travel deals that consist of different components, and a consortium of Scandinavian banks is piloting the use of mobile phones to purchase goods. One early example of federated identity in action, cited by Adams, is a US airline whose engineers, once authenticated by its network, can move to manufacturing partner sites to write technical specifications.
Supplier and user consortium Liberty Alliance is drawing up technology and business protocols to enable digital IDs to be portable between different networks. "Today almost randomly personal information is requested by a site that you may or may not trust. That is what Liberty Alliance wants to change," says Bjorn Wigforrs, vice-president of Liberty Alliance. The specification makes it possible for users to decide which pieces of information they want to share, whether it is a home address or credit card details.
Whether IT directors are focused on securing the enterprise network or sharing resources with other parties, identity management is becoming a key part of their armoury. Setting and policing strategies is every bit as vital as installing appropriate technology, say the security experts. This calls for persistence.
"The problem with identity management is that it is not an architecture that you can go into and implement and then consider done and dusted," says Adams. "It’s a living document that has to reflect the changing culture of an organisation."
The three steps of identity authentication
Identities can be authenticated in three ways: something you know, something you have and something you are. Combining two or more of these factors substantially strengthens any digital identity, because an attacker must compromise each factor separately.
A password is something the user knows, a secret that only they should hold. To add a second factor the user is also issued something they uniquely "have" and must keep safe, such as a physical token.
This is the concept behind the RSA token, a physical device that either plugs into a computer's USB port or takes the form of a key fob, and which generates and displays a new number at defined intervals.
The token is a sealed unit. Its "seed record", a secret key, is shared only with the authentication server, and the two are time-synchronised, so the server can compute the number that should currently be showing on the token. A protected service such as an e-mail server forwards the one-time password typed by the user to the authentication server, and the user is logged in only if that code matches the server's own calculation. Because the code changes every interval and is meant to be used once, a stolen code is worthless after a short window and should never be accepted a second time.
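The following is an added example of the time-synchronised one-time-password exchange just described, not code from RSA or from the article. It uses the open HMAC-based, time-stepped construction (TOTP, as in RFC 6238) to stand in for the token's proprietary algorithm; the seed, user name, 60-second step and timestamps are constructed for the illustration. The server side shows the two checks a practitioner cares about: tolerating a little clock drift between token and server, and refusing to accept the same code twice.

```python
import hmac
import hashlib
import struct


def otp_code(seed: bytes, timestamp: int, step: int = 60, digits: int = 6) -> str:
    """What the token displays at `timestamp`: HMAC-SHA1 over the current time step,
    dynamically truncated to `digits` decimal digits (RFC 4226/6238 style)."""
    counter = timestamp // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


class AuthServer:
    """Holds the seed records and validates codes forwarded by protected services."""

    def __init__(self, seeds: dict, step: int = 60, drift_steps: int = 1):
        self.seeds = dict(seeds)          # user -> seed record shared with that user's token
        self.step = step
        self.drift_steps = drift_steps    # how many steps of clock drift to tolerate
        self.last_counter = {}            # user -> highest time step already consumed

    def verify(self, user: str, code: str, now: int) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        current = now // self.step
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            counter = current + delta
            # Replay protection: a step that already produced a successful login is dead.
            if counter <= self.last_counter.get(user, -1):
                continue
            expected = otp_code(seed, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.last_counter[user] = counter
                return True
        return False


# Constructed seed record; in practice it is generated at enrolment and never leaves
# the token and the authentication server.
SEED = bytes.fromhex("3132333435363738393031323334353637383930")


def demo():
    """Simulate the e-mail server forwarding a user's code to the authentication server."""
    server = AuthServer({"rjennings": SEED})
    t0 = 1_700_000_000                       # constructed 'now' on the token
    code = otp_code(SEED, t0)                # what the fob is showing
    first = server.verify("rjennings", code, t0 + 10)    # server clock 10 s ahead
    replay = server.verify("rjennings", code, t0 + 20)   # same code presented again
    return first, replay


if __name__ == "__main__":
    print("first login accepted:", demo()[0], "| replay accepted:", demo()[1])
```

The drift window is a trade-off: each extra step the server tolerates is another code an attacker could guess, so keep `drift_steps` small and, for tokens that wander further, record the observed offset per token rather than widening the window for everyone.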
For safety-critical installations such as nuclear power plants, or for data that affects national security, the risk of a breach warrants adding a third factor of authentication. This addresses the "something you are" component and takes authentication into the field of biometrics, using a characteristic unique to the individual such as the structure of the iris, a thumb- or handprint or even voice modulations.
Authorising access to applications
Rationalising multiple IDs makes it easier to authorise users to access different sets of applications within the enterprise. This was the chief reason for the Metropolitan Police to implement a single directory repository. With 45,000 staff on its payroll and 5,000 contractors, managing levels of privilege and access to different applications was a major headache. Using DirX, Siemens Nixdorf's LDAP/X.500 directory server, the Met has synchronised access across multiple databases.
"The most important thing will be the much greater control we have over security and legitimate access to data," says Vince Freeman, technical security manager for the Metropolitan Police. "We should also achieve considerable savings on software licensing, which at the moment we are not able to control as closely as we would wish, given the problems with multiple identities."
Case study: Royal Liverpool Hospital uses two-factor security for access to x-ray images
Scanning x-ray images is a crucial part of a diagnosis and consultants have to do this as and when the situation arises. This is one of the applications that the NHS is having to deliver more flexibly. The Royal Liverpool Hospital was under pressure to find ways of allowing authorised people from outside the hospital to access the network and systems and it was up to the IT team to find a solution.
IT selected a two-factor security fob solution from Cable & Wireless. Having the ability to prove digital identity has enabled consultants to work much more flexibly and introduced new efficiencies, says Brian Rowlands, clinical director of radiology. "Consultants can look at scanned x-ray images. This used to take 20 minutes using a dedicated ISDN line, but now a full resolution image can be viewed within 30 seconds from an ADSL line."
In the past, when Rowlands needed to give an opinion on an x-ray, it required a visit to the hospital. Now two remote consultants can discuss a case by opening the same image in their web browsers, and the possibility exists for highly specialised work to be done remotely.
This article is part of Computer Weekly's Special Report on network security produced in association with Microsoft