The evolution of the connected enterprise has opened up swathes of hitherto hidden back-office applications to the outside world. While benefiting all manner of trusted associates, this has also increased the risks businesses face from unscrupulous outsiders – a fact not lost on those trying to maintain security in a stricter regulatory environment.
Little surprise then, that the topic of security provokes strong feelings. From the struggle to stem the proliferation of firewalls across the business to the fight to get senior figures in the organisations to comply with the very policies they have mandated, delegates at the recent Information Age lunch debate were not short of security war stories. Their message: IT security is not getting any easier.
Alongside traditional efforts to provide a robust perimeter, many organisations are looking for at least part of the answer in role-based security, where an individual's ability to access data or applications depends on their authenticated identity.
The financial services industry has been at the forefront of much of the development of this kind of identity management. For example, in October 2005, high street bank Lloyds TSB announced that it was to begin trials of two-factor authentication, with the issuing of tokens to 30,000 of its online banking customers. The reason: Lloyds recognises that the issue of identification has become of strategic importance to its business.
The UK government has also seen the value in identity management. Its National High-Tech Crime Unit estimates that identity theft costs UK businesses £1.3 billion each year – one supporting argument for a national ID card.
Information Age roundtable debates
This article is based on a recent Information Age lunch, sponsored by BT, the global IT services and network company. In accordance with the 'Chatham House' rule, attendees at the lunch are not identified in this article.
But there is little agreement over the best way to authenticate identity. The announcement from Lloyds was greeted with scepticism by some. At the lunch debate, the head of information risk at a rival bank said that tokens were likely to be too prone to loss, send helpdesk costs rocketing and ultimately be too alien a device to encourage widespread adoption. His bank was looking for alternatives.
As that suggests, the traditional approach to identity management – the password – is becoming a devalued entity. Organisations are trapped between wanting to mitigate risk by increasing the length and complexity of passwords and a desire to make their use practical. As Ant Allan, an analyst at IT advisory company Gartner, notes: "Complexity will reduce security if passwords are pushed beyond the peak of their effectiveness. They are reaching that now."
This is persuading some organisations to look at strong encryption and biometrics as the potential gateway for an enterprise single sign-on infrastructure. "But while biometrics can alleviate some of the problems associated with identity, it raises questions over acceptance," observed the security manager of a large media organisation.
For some, the privacy concerns over biometrics are expected to dissipate as users become familiar with using them. It is the reliability – the fact that biometrics need to provide definitive guarantees of identity – that is causing concern. "While the small failure rate for biometrics upsets some people, they should really think about where we are today. We have maybe 30% to 40% of users using inadequate passwords," said one delegate from a financial services company.
Despite the overwhelming evidence of the inadequacy of today's predominant password protection systems, getting board-level buy-in for investment is still tough.
"Some analysts talk about realising savings from ID management investment, but they're hypothetical – I'd be very surprised if any organisation had seen them," said the head of information security at a logistics company.
According to Gartner, only about 30% of information security budgets are allocated to buying technology: the rest goes on the associated human and services costs, with a chunk of that spent on resetting passwords. Until IT management can afford to embrace a more sophisticated approach to ID management that proportion is not going to shift much.