Infosecurity preview: Mobilising single sign-on

A single log-in will provide the best hope of protecting enterprise system security

I don't know if I am typical, but I am quite prepared to shop online. I buy a range of things, both for the home and for business, as well as taking care of my bank account and credit cards. What I have noticed is the number of different accounts I have ended up with, along with a variety of user names and passwords.

Although there are attempts by Microsoft with Passport and Google with Accounts to rationalise the process, the e-tailers I deal with all want their own user name and password. This leaves me wondering whether to go for credentials that are as common as possible, or to be completely random, reducing the consequences of a security breach.

With recent reports of massive credit card security breaches, you could be forgiven for wondering if going back to pound notes under the mattress might not be a safer alternative. Of course, since a large number of security breaches occur because of home thefts of laptop computers, the answer is "no", so what is an internet user to do?

Proliferation of passwords

The proliferation of user names and passwords is of course not limited to home shopping, as more applications are rolled out, users must remember more sign-in procedures.

Different systems will have different requirements for the password, including insistence on a particular length or the inclusion of hard to remember characters. Or they may issue a password as a random collection of letters, numbers and punctuation that is impossible to memorise.

Add to this the fact that different systems may have different time­scales for changing passwords, and it is no wonder users are resorting to Post-it notes, and lost password calls are clogging up IT helpdesks.

The solution is single sign-on, identified in a survey of IT staff by Freeform Dynamics as the number one project for the enterprise, followed by identity management. Essentially a proxy device, single sign-on takes care of the scripts to sign in to multiple systems using one user login and password.

Clearly, since this single set of credentials gets you into all your systems, some form of multi-factor authentication such as a smartcard or a token is highly advisable.

It is about to become even more interesting for users and IT staff, as mobile applications become commonplace. More and more enterprise-critical information is going to be beamed to handheld devices, which will probably store it to overcome interruptions in wireless communication.

Pulling in data

Standard applications such as e-mail, as well as ERP systems such as SAP, business activity monitoring and custom composite applications, will be pulling in data from a variety of back-end systems.

Clearly, it is bad enough making users' lives difficult when they are in the office, but the last thing you want to do is to have them writing their passwords on the back of mobile devices.

A compromised mobile device represents a key to the heart of any company's data, raising concerns on many levels: competition, compliance and the expensive consequences of loss of sensitive customer data.

David Perry is principal analyst at Freeform Dynamics. He will give the keynote Are You Even Remotely Secure? at Infosecurity Europe

Infosecurity preview: Knowledge is power >>

Infosecurity preview: Building blocks of trust >>

Infosecurity preview: Bridging the reality gap >>

Infosecurity preview: When a year is a lifetime >>

More information on the show, including free entry >>

Infosecurity Europe keynote sessions >>

David Lacey’s security blog >>
The latest ideas, best practices, and business issues associated with managing security

Stuart King’s risk management blog >>
Dealing with the operational challenges of information security and risk management

Comment on this article: [email protected]

Read more on Hackers and cybercrime prevention