Strong Authentication for Customers and Employees
By Mary E. Thyfault
Enterprises are under increasing pressure to protect their critical networks, applications, and systems from a rising number of threats, both inside and outside the organization. At the same time, given the rise of identity theft, certain industry sectors are also under pressure to protect customers who do business online. A growing number of CIOs are turning to strong authentication as a way to protect both their customers and their systems from attacks by hackers, terrorists, corporate espionage, thieves, and even their own employees.
A recent survey of 184 IT security decision makers found 50% use or plan to use strong authentication for employees, according to Forrester. Strong authentication refers to systems that require two or more independent factors (something the user knows, such as a password; something the user has, such as a token; or something the user is, such as a fingerprint) to identify users as they access private networks and applications. The types of strong authentication tools in use today range from tokens to smart cards to biometrics.
The reason for the interest in strong authentication is that unauthorized access to information and the theft of proprietary information continue to rise, according to the Computer Security Institute/FBI Computer Crime and Security Survey released earlier this year. Unauthorized access to information led to an average loss of just over $300,000 per enterprise in 2005, up from just over $50,000 in 2004, according to the survey. Plus, the theft of proprietary information led to average losses of $355,000 per enterprise in 2005, up from $168,000 in 2004.
With more publicly acknowledged cyber-break-ins, the federal government is also putting additional pressure on organizations to move to multi-factor security. In October, federal regulators told the financial services industry that single-factor authentication alone is inadequate for high-risk transactions involving Internet access to customer information or the movement of funds to other parties.
"Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks," states the guidance by the Federal Financial Institutions Examination Council, an umbrella group for federal financial services regulators.
This guidance will push financial services -- which already has the strongest security focus of all industries -- to move towards stronger security, including multi-factor authentication. "Financial services regard this as pretty close to law," says John Carlson, senior director of BITS, a nonprofit organization of financial institutions that focuses on technology and business issues. Regulators "will follow up on this during the examination to make sure that there is follow through," says Carlson. "There will be a lot of candid discussions."
The financial service industry is no stranger to such scrutiny. The Gramm-Leach-Bliley Act establishes financial institution standards for safeguarding customer information and imposes penalties of up to $100,000 per violation. The USA Patriot Act requires customer identity verification during account origination.
With the implementation of the Health Insurance Portability and Accountability Act to protect patient information, health care is another industry under increasing pressure. The law sets forth criminal penalties of up to $250,000 and/or 10 years imprisonment per violation of security standards for patient health information.
Despite all the regulatory and legislative pressure, cyber-criminals now have better tools for breaking into computer systems and networks than ever before, and they are breaking in much more quickly, using new techniques that law enforcement and industry are struggling to keep up with. Phishing attacks grew 28% from May 2004 to May 2005, with 2.42 million people reporting losing money as a result, according to Gartner. Other forms of attack include pharming, which redirects users who type a valid URL to a spoofed site by tampering with name resolution (a poisoned DNS cache or an altered hosts file), usually to harvest credentials or to infect their computer with worms or Trojans. Then there is spyware, malicious code planted on users' computers without their knowledge to capture keystrokes and read data files.
While it seems clear that enterprises that move to strong authentication will have an easier time minimizing the risks, implementing stronger authentication can be costly, an unwanted hassle for employees, and a deterrent to potential customers, who may not want to jump through the additional hoops.
So far, in most industries, multi-factor authentication is in use by employees, not customers. While a BITS survey found 90% of financial institutions require some form of multi-factor authentication, it is employees or business partners -- not customers -- who use this additional layer of security.
That is starting to change. In March, ETrade Financial Corp. announced that it will offer clients with accounts worth more than $50,000 a free secure token with a unique six-digit code that changes every 60 seconds. The tokens, which ETrade estimates cost $10 a piece to support, will eventually be available at a cost to other customers. Tokens are just one of many solutions enterprises are looking to for multi-factor authentication. Below is a summary of the other methods of strong authentication that CIOs need to be familiar with:
USB Token. These plug into a USB port, are the size of a key, and can store a user's digital certificate and the associated private key issued under a public key infrastructure (PKI); on most such tokens the private key is used inside the device and is never copied to the computer. No separate reader is needed.
Smart Card. These credit card-sized devices contain a microprocessor that stores and processes data, enabling software developers to use more robust authentication schemes. While these are easy to carry, they require the user to carry a smart card reader and install a software driver on their computer. Energy companies and governments are adopting these.
Password-Generating Token. These tokens produce a one-time passcode that changes every 30 to 60 seconds, computed from a secret seeded into the token (typically at manufacture) and the token's clock; the authentication server holds the same secret and accepts a code only if it matches the current time step, usually with a tolerance of one step either side to absorb clock drift. Customers enter this passcode after the system first verifies their user name and password. Because each code is valid once and expires quickly, a passcode captured by spyware is of little use later, though a phishing site that relays the code to the real site within its validity window can still succeed. The tokens' batteries last 4 to 5 years, after which the tokens must be replaced.
Biometrics. Biometrics authenticate based on physiological characteristics, such as fingerprints, iris patterns, and facial structure, or behavioral characteristics, such as the rhythm with which someone types on a keyboard. The biometrics industry is expected to grow to nearly $2 billion by 2006, according to the International Biometric Industry Association. Recently, one in three banking customers in the United Kingdom said they would like their bank to start using biometrics, according to a survey by Fujitsu. Health care firms are also adopting biometrics.
However, biometrics is not currently based on open standards and does not always work well with other systems. And civil liberties groups worry that biometric systems leave people too vulnerable. The reason: if the system is compromised and the stored biometric data leaks, a customer can't change their fingerprint the way they can their password or token.
Another hassle: users must be enrolled, usually in person. At enrollment, their characteristic is converted to a mathematical model, or "template," which is stored. Later, customers provide a live scan of the characteristic, which is matched against the stored template. The match is a similarity score compared against a threshold rather than an exact comparison, so every deployment trades off false acceptances (an impostor passes) against false rejections (a legitimate user is turned away), and the threshold has to be tuned for the risk of the application.
One way to make multi-factor authentication simpler is to move to enterprise single sign-on technology. This lets users or customers enter one password; back-office software then holds the separate passwords for each application and supplies them on the user's behalf. Those application passwords can be rotated and tracked centrally, without the user having to remember a new password every week. "There is a myth about this that it isn't secure -- that it is one key to the kingdom," says Jonathan Penn, a principal analyst with Forrester. "That is not true. This is actually more secure, very easy to roll out and a lot easier for users."
Still, while an enterprise can implement stronger authentication, the financial services industry argues that unregulated Internet service providers need to be held to higher security standards.
"A weak link in the system can create problems for many organizations," says BITS' Carlson.
Mary E. Thyfault is a freelance writer in Fairfax, Va., whose work has appeared in InformationWeek, TechWeb, and the National Journal's TechDaily.