Identity management is a security issue that is becoming increasingly challenging as the perimeter of the network crumbles. This is well illustrated by the DTI Information Security Breaches Survey of 2006, which shows that one in five larger businesses had a security breach associated with weaknesses in their identity management, with fewer incidents among smaller companies.
The Growing Challenge Of Identity Management
The survey found that incidents arose from staff gaining unauthorised access to data, staff obtaining and misusing confidential information, financial theft or fraud, and impersonation or phishing attacks. While the incidence of fraud was low, the impact was greater than for any other type of security incident. Several small businesses lost between £10,000 and £50,000 as a result of fraud and one large bank lost millions.
Identity management has been a problem for many years, but recent changes to the security landscape have made the risks greater. The growth of mobile computing and of remote access are important factors. Couple this with the rapid rise of wireless and the growth in access to applications, and you have significantly increased the opportunities for unauthorised access into your network.
At the same time, the internal threat of staff gaining access to confidential information remains as high as ever. Alongside this, the range of potential breaches has materially increased, with problems such as pharming, phishing, spyware, keyboard logging and war-driving all on the increase.
A number of issues arise in this new landscape. How do you ensure that users activate security features when they connect to the Internet?
How do you get them to protect confidential information and guard against threats such as spyware?
And not least, how do you manage access to their machines by other colleagues, family or friends?
This is a challenging picture and the continued reliance on weak single-factor authentication looks increasingly ostrich-like. The DTI 2006 survey found that some 96% of large companies and 93% of all companies are still using single-factor authentication to authenticate users.
There isn’t a single answer to resolving these problems, but a number of options. One thing, however, is certain: single-factor authentication (passwords) is not enough.
There are a number of authentication options:
single sign-on is a step forward, but requires superior identity management
two-factor authentication is much better and involves the use of authentication tokens, biometric devices, etc.
three-factor authentication is far superior and involves something you know (e.g. password), something you have (e.g. authentication token) and something you use (e.g. device authentication)
Article courtesy of Security Park