Issue dated - 27th October 2003


Opinion

Strong authentication: Building trust into identity management

Organisations are increasingly recognising and leveraging authentication as the foundation for other critical services on which good business practices are built, says Surendra Singh

In their quest to gain a business advantage over competitors and to maintain their market position, organisations are now offering better services to customers, partners and employees alike—in the form of electronic access to applications and processes that were traditionally confined to manual operations. Such electronic environments are now governed by robust identity management strategies that rely heavily on strong authentication to ensure online trust.

Why focus on authentication?

An effective identity management solution establishes trust in an organisation’s online environment, and more specifically in identities. The cornerstone of this trust is strong authentication. Authentication, in the form of tokens, smart cards, digital certificates, etc., establishes trust by proving the identities of the participants in a transaction beyond a shadow of a doubt. Without authentication, how would an organisation know who is at the other end of a transaction? Increasingly, organisations are recognising and leveraging authentication as the foundation for other critical services on which good business practices are built. Based on the trust established by authenticating the identity of a user, device, application or transaction, an organisation can then implement additional services such as:

  • Web services—Inter-application transactions that operate behind the scenes to take computing to new levels of productivity for individuals and organisations, as well as their customers and partners.
  • Access management—Based on business policies that define the relationships between authenticated users and information, an organisation can authorise and control access to resources, applications and services.
  • Accountability—The ability to know reliably who did what, where and when is the basis for complying with regulations and business policy regarding liability and assurance for transactions.

The need for authentication

There are many factors that contribute to the growing need for strong authentication within an identity infrastructure. The top issues can be grouped into three high-level categories. First, there is no arguing the impact of the trend towards process automation and Web services as a means of working more efficiently in today’s challenging business environment. In addition, access requirements are expanding at staggering rates as organisations make information available to an ever-increasing number of users and extend that access beyond the enterprise network to customers and business partners. The need for reliable and portable authentication credentials is growing at the same time as the size and complexity of our networks increase exponentially.

Second, the volume of sensitive and high-value information accessed by this growing population of users continues to rise. And where there is value, there are people who will try to obtain it. Reports and statistics on the high levels of compromise and theft of information abound, and there is a steadily growing awareness of the need for stronger information security. According to Gartner’s latest survey (July 2003) in the US, seven million US adults, or 3.4 percent of US consumers, were victims of identity theft during the 12 months ending June 2003. This represents a 79 percent increase over the 1.9 percent rate reported in a Gartner consumer survey concluded in February 2002.

It is well known that people who have a relationship with the victim, such as family members, friends and co-workers, commit more than half of all identity theft. In this form of fraud an individual takes over a consumer’s entire identity by stealing critical private information, such as a credit card number, bank account number, driver’s licence number or address. Using these details, the thief can obtain loans or credit illegally, or buy goods and services under the stolen name. Such fraud is mostly perpetrated at banks, credit card issuers, cell phone service providers and other organisations that extend financial credit to consumers.

The third factor that contributes to the need for strong authentication technologies can be referred to as ‘the problem with passwords.’ The proliferation of passwords has become unmanageable for end-users and administrators alike, and the authentication method once naively viewed as ‘free’ is actually surprisingly expensive in terms of ongoing management and support costs. And when organisations consider the inherent weaknesses in passwords—which make them easy to steal or even guess—the challenge is dramatically compounded.

According to a survey conducted by the Federal Trade Commission (FTC) in September 2003, 9.9 million Americans fell victim to identity theft in 2002. Identity theft losses to businesses and financial institutions totalled $48 billion; consumers reported $5 billion in out-of-pocket expenses. The survey also found that 3.23 million consumers discovered that new charge accounts were opened and other frauds had been committed in their name and that 6.5 million victims reported misuse of their credit card accounts.

What’s holding it back?

The market issues listed above are compelling, so what is holding back the adoption of strong authentication technologies as part of mainstream identity management strategies? Cost is certainly a consideration—acquisition costs, deployment costs and the perception (albeit not necessarily reality, especially when compared to passwords) of additional administrative burden. Where there are physical devices used for authentication (smart cards, tokens, biometrics devices, etc), some organisations also have concerns about the cost or inconvenience of lost/forgotten/broken/stolen authenticators. Deployability is sometimes a factor; take, for instance, the slow growth in the installed base of smart card readers; the challenge of implementing solutions that require software to be installed on every end-user system; the lack of interoperability with existing systems and general concerns about scalability to tens of thousands, hundreds of thousands or millions of users.

Convenience must weigh into the equation. Any security measure that is rejected by the user is doomed to fail. Although user acceptance should not dictate all security policies, organisations must consider the impact that authentication methods have on users and their productivity.

Finally, there is often the reality of short-term focus on other business objectives, where stronger security takes a back seat to other priorities such as time-to-market. Business justification can sometimes be difficult, especially where security awareness is lacking, and it is an understatement to note that it can sometimes be difficult to quantify the return on investment for authentication technologies.

Authentication scorecard

Creating an authentication scorecard will help organisations choose the most appropriate authentication technology from a wide selection of alternatives.

Why an authentication scorecard? In light of expanding access, the increasing value of information and the problem with passwords (not to mention the numerous authentication technologies already available), as well as ongoing technical innovation, companies are frequently re-evaluating their authentication strategies. But with so many authentication alternatives available, how can they be objectively positioned?

Vendors, who quite naturally emphasise only the strongest aspects of their particular solutions, tend to exacerbate the problem by creating (either directly or indirectly) apples-and-oranges comparisons between various authentication technologies. For example, how can an organisation objectively compare the multipurpose value proposition of a ‘smart badging’ solution (such as combining photo ID, building access, network/application access and stored value on a single physical device) with the low-cost, zero-footprint, zero-deployment value proposition of a one-time passcode delivered in real time as a text message?

But there will be no one silver bullet for all authentication challenges, no single technology or approach that will optimally address all scenarios, no universal solution that will meet all requirements. On the contrary, there will continue to be a rich diversity of authentication technologies—from traditional time-synchronous tokens, to digital certificates, to smart cards and USB tokens, to virtual credentials and virtual containers, even passwords.

What is needed, therefore, is a consistent, structured framework that will help organisations to understand, evaluate and select the most appropriate authentication technology from a wide selection of alternatives. That’s where the authentication scorecard lends a helping hand—making an otherwise arduous process virtually painless and always personal.

The authentication scorecard—three major categories, ten basic attributes

The authentication scorecard reflects a fair comparison of various authentication technologies available in the marketplace.

In the authentication scorecard framework there are three high-level categories: total cost of ownership, strategic fit (users) and strategic fit (corporate/system). Each breaks down into a few attributes, for a total of 10 basic attributes. Any authentication technology can be compared, in a consistent, apples-to-apples manner, using this simple framework.

Taking a personalised approach, an organisation’s business requirements are easily factored into the evaluation, resulting in a technology comparison that reflects an organisation’s unique needs.

In conclusion, as an increasing number of applications are exposed to more and more users, organisations need to consider their identity management requirements as they apply to their unique business objectives. They need to provide strong authentication and manage multiple authentication methods in order to ensure the trust in identity they need to empower users.

A comparison of various authentication technologies

Total cost of ownership

  Acquisition cost
  • What are the initial acquisition costs?
  • Include all additional hardware, software, servers, readers, services, etc., associated with acquiring the authentication solution.
  Deployment cost
  • What does it cost to deploy the authentication solution?
  • This includes the distribution of any necessary hardware or software; ease of installation; ease of set-up and configuration; training of end-users, etc.
  Operating cost
  • What are the ongoing operating costs?
  • This may include costs for replacement (e.g., expired/lost/stolen/broken) authentication devices; ongoing management; upgrades; vendor support; help desk support; etc.

Strategic fit (users)

  Convenience/ease-of-use
  • How easy is it for end-users to learn how to use the authentication method?
  • How convenient is it for end-users to use the authentication method, day in and day out?
  Portability
  • How portable is the authentication method?
  • Can it reliably be used to gain access from multiple locations (office, home, airport, hotel, kiosk, etc.)?
  Multi-purpose
  • Can the authentication method be used for more than one purpose? e.g., network access, physical access, application access, photo ID badge, electronic signature, stored value, etc.
  • Does the authentication method leverage a device that is itself used for multiple purposes? e.g., PC, PDA, phone, etc.

Strategic fit (corporate/system)

  Relative security
  • How strong is the authentication?
  • How secure is the implementation?
  • Is it adequate for the information being protected?
  • Does it meet regulatory requirements (if any) for the protection of information?
  Interoperability/back-end integration
  • Does the authentication solution work natively with multiple products?
  • Does it work only with the installation of additional software?
  • How easy is it to integrate with back-end resources or applications? What resources and applications need to be supported?
  Robustness/scale
  • Does the authentication solution scale to the degree required now?
  • Three years from now?
  Future flexibility
  • What future options may be available from the selection of this authentication solution (whether you currently intend to use them or not)?
  • What future options might be of interest?
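As an added illustration (not part of the column, and not RSA Security's tooling), the scorecard above turned into a small weighted comparison in Python. The two candidates, their 1-to-5 scores and the weights are constructed for a hypothetical bank; the one point the code makes beyond the table is that the "relative security" attribute is treated as a pass/fail gate before anything is ranked on cost or convenience.

```python
# Added example (not from the column): a weighted authentication scorecard over the
# three categories and ten attributes in the table. All scores and weights are constructed.
CATEGORIES = {
    "total cost of ownership": ("acquisition cost", "deployment cost", "operating cost"),
    "strategic fit (users)": ("convenience", "portability", "multi-purpose"),
    "strategic fit (corporate)": ("relative security", "interoperability",
                                  "robustness/scale", "future flexibility"),
}
ATTRIBUTES = tuple(a for attrs in CATEGORIES.values() for a in attrs)


def score(candidate, weights, min_security):
    """Weighted average per category and overall, on a 1 (worst) to 5 (best) scale
    (for the cost attributes 5 means cheapest). 'relative security' is also a hard
    gate: a method inadequate for the information protected cannot win on cost."""
    missing = set(ATTRIBUTES) - set(candidate)
    if missing:
        raise ValueError(f"unscored attributes: {sorted(missing)}")
    for attr, value in candidate.items():
        if attr not in ATTRIBUTES or not 1 <= value <= 5:
            raise ValueError(f"bad score {attr}={value}")
    by_category = {
        name: sum(weights[a] * candidate[a] for a in attrs) / sum(weights[a] for a in attrs)
        for name, attrs in CATEGORIES.items()
    }
    total = sum(weights[a] * candidate[a] for a in ATTRIBUTES) / sum(weights.values())
    return {"total": round(total, 2), "by_category": by_category,
            "qualified": candidate["relative security"] >= min_security}


def rank(candidates, weights, min_security):
    """Qualified methods first, then by total; rejected ones stay listed with the reason."""
    scored = {n: score(c, weights, min_security) for n, c in candidates.items()}
    return sorted(scored.items(), key=lambda kv: (kv[1]["qualified"], kv[1]["total"]),
                  reverse=True)


# Constructed weights for a hypothetical bank: security weighs three times a cost item.
WEIGHTS = dict.fromkeys(ATTRIBUTES, 1.0)
WEIGHTS.update({"relative security": 3.0, "interoperability": 1.5, "robustness/scale": 1.5})

# Constructed, illustrative scores for two methods the column mentions.
CANDIDATES = {
    "time-synchronous token": dict(zip(ATTRIBUTES, (2, 3, 3, 4, 5, 2, 5, 4, 5, 3))),
    "sms one-time passcode": dict(zip(ATTRIBUTES, (5, 5, 4, 4, 4, 1, 3, 3, 4, 2))),
}

if __name__ == "__main__":
    for name, result in rank(CANDIDATES, WEIGHTS, min_security=4):
        print(f"{name:24} total={result['total']} qualified={result['qualified']}")
```

With these constructed inputs the SMS passcode wins every cost attribute yet is listed second because its security score falls below the required minimum of 4.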

The author heads the South Asian operations of RSA Security, BV. He can be contacted at ssingh@rsasecurity.com



© Copyright 2003: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in
Mumbai by The Business Publications Division of the Indian Express Group of Newspapers.