By Morgan Slain
April 15, 2010
While the cost of security breaches involving passwords, account numbers, PINs and web logins demands solutions, the solutions themselves raise problems for IT managers.
There are well-known standards for creating and maintaining secure passwords, including specifying length, type of characters, and frequency of password changes. Unfortunately, these standards become a hassle for users. The frustration and inconvenience of remembering multiple secure passwords can lead employees to compromise prudent standards.
Even if all of your employees adhere to your password policy, outside identity thieves can still pose security threats to your organization. Identity theft is a serious and widespread problem, one that has grown with the proliferation of online services and information. After obtaining a valid username/password combination, identity thieves can access your organization’s databases at will and are difficult to detect.
A strong password policy can be an effective deterrent, but it cannot completely stop the threats of keylogging (using specialized software to record a user’s keystrokes), password hacking and phishing (thieves create fraudulent sites that ask for information such as account numbers, passwords, and Social Security numbers).
Costs to an organization from a data security breach can skyrocket: lost business as accounts flee to a “safer” environment, and lost productivity of the non-IT staff, who must work in a degraded mode while the IT staff tries to contain and repair the breach.
Then there are the intangible costs of security breaches, which may include your customers’ loss of trust in your organization, failure to win new accounts due to bad press associated with the breach, and your competitor’s access to confidential or proprietary information.
Parts of the Password Security Solution
A three-pronged approach to password security offers the solution: strong password policies, multiple-factor authentication and an electronic password administration system.
Most companies start to solve their password challenges by adopting and attempting to enforce strict password policies (passwords must be at least six characters long, should never be a common word, must contain a mix of upper-case and lower-case letters, etc.). A password policy is an essential step, but the problem with this solution on its own is that the stronger the password policy, the harder it is for employees to keep track of username/password combinations. This generally leads to employees taking shortcuts that compromise security and can lead to significantly increased calls and costs to the IT department.
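As an added example that is not the article's own code, here is a Python checker for the password policy rules described above (the six-character minimum, the upper/lower-case mix, the ban on common words, and the change frequency mentioned earlier); the common-word list and the 90-day maximum age are assumed values for illustration.

```python
# Added example, not from the article: check a candidate password against the
# policy the article describes. MAX_AGE_DAYS and COMMON_WORDS are constructed
# assumptions; a real deployment would load a full common-word list from a file.
from dataclasses import dataclass, field

MIN_LENGTH = 6
MAX_AGE_DAYS = 90  # assumed rotation interval; the article gives no number

# Constructed sample of common words that the policy forbids outright.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey", "dragon"}


@dataclass
class PolicyResult:
    ok: bool
    violations: list = field(default_factory=list)


def check_password(candidate: str, days_since_change: int) -> PolicyResult:
    """Return every policy violation for a candidate, not just the first one."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    has_upper = any(c.isupper() for c in candidate)
    has_lower = any(c.islower() for c in candidate)
    if not (has_upper and has_lower):
        violations.append("must mix upper-case and lower-case letters")
    # Strictness choice (assumed, not from the article): compare the letters only,
    # case-insensitively, so "Password1" still counts as the common word "password".
    letters_only = "".join(c for c in candidate if c.isalpha()).lower()
    if letters_only in COMMON_WORDS:
        violations.append("is a common word")
    if days_since_change > MAX_AGE_DAYS:
        violations.append(f"older than {MAX_AGE_DAYS} days; change required")
    return PolicyResult(ok=not violations, violations=violations)


if __name__ == "__main__":
    for pw, age in [("Abc123", 45), ("password", 120), ("Password1", 30)]:
        result = check_password(pw, age)
        print(f"{pw!r}: {'ok' if result.ok else ', '.join(result.violations)}")
```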
Multiple-factor authentication means there are at least two different types of credentials that must be submitted in conjunction to be authenticated. There are three categories of authentication factors: something you have (a hardware or software token), something you know (a password), and something you are (a thumbprint, retina scan or voice print).
Each factor in the authentication mechanism should be from a different category. By layering on additional factors in your authentication process, you can make it very tough for hackers to force their way into your systems.
Multiple-factor authentication can be an effective addition to security, but it can be cost-prohibitive for many organizations, and even in larger enterprises it is often used only for the most secure facilities or systems. And even when multiple-factor authentication is in place, one factor usually is still a password covered by a password policy, which can lead to the same associated risks described above.
The answer to the security issues raised by passwords is a password administration system. To date, most advanced enterprises have used a system called Single Sign-On, or SSO. SSO is an authentication mechanism to gain access to multiple independent software systems, although those systems are often related. With SSO, a user logs in once and gains access to multiple systems without being prompted to log in again at each of them. SSO does effectively enhance security, but SSO solutions often take months to deploy across an enterprise, require extensive application integration, and due to high costs typically do not provide immediate ROI.
Even when an SSO system is in place, there are almost always legacy systems in the enterprise that are not covered by the SSO system. Or there are Web sites outside the SSO system that employees need to access regularly. Or there are client or partner systems not covered by the SSO system. In fact, this situation is so common that there is an acronym for it: RSO, for Reduced Sign-On. Most SSO systems are in fact RSO, leaving security gaps.
Despite the risk and costs associated, digitizing and storing critical information in databases is now fundamental to how organizations operate. So sound policies and secure technologies that protect confidential data are essential.
Morgan Slain is CEO of SplashData, a developer of mobile and desktop productivity applications.