Identity management is a security issue which is becoming increasingly challenging as the perimeter of the network crumbles. This is well illustrated by the DTI Information Security Breaches Survey of 2006, which shows that one in five larger businesses had a security breach associated with weaknesses in their identity management, with the number of incidents being less for smaller companies.
The survey found that incidents were from staff gaining unauthorised access to data, staff obtaining and misusing confidential information, financial theft or fraud, and impersonation or phishing attacks. While the incidence of fraud was low, the impact was greater than for any other type of security incident. Several small businesses lost between Ј10,000 and Ј50,000 as a result of fraud and one large bank lost millions.
Identity management has been a problem for many years, but recent changes to the security landscape have made the risks greater. The growth of mobile computing and remote access are important factors. Couple this with the rapid rise of wireless and the growth in access to applications, then you have significantly increased the opportunities for unauthorised access into your network.
At the same time, the internal threat of staff gaining access to confidential information remains as high as ever. Alongside this, the range of potential breaches has materially increased with problems such as pharming, phishing, spyware, keyboard logging, war-driving, etc. on the increase.
A number of issues arise in this new landscape. How do you ensure that users activate security features when they connect to the Internet? How do you get them to protect confidential information and guard against threats such as spyware? And not least, how do you manage access to their machines by other colleagues, family or friends.
This is a challenging picture and the continued reliance on weak single-factor authentication looks increasingly ostrich-like. The DTI 2006 survey found that some 96% of large companies and 93% of all companies are still using single factor authentication to authenticate users.
There isn’t a single answer to resolving these problems, but a number of options. There is one thing, however, which is certain – single factor authentication (passwords) is not enough.
There are a number of authentication options: single sign-on is a step forward, but requires superior identity management, two-factor authentication is much better and involves the user of authentication tokens, biometric devices, etc. three factor authentication is far superior and involves something you know (e.g. password), something you have (e.g. authentication token) and something you use (e.g. device authentication)
Identity Trust Management is another key step in identity management. It’s about managing and trusting the identity of the person, as well as the device, accessing the network. It’s about protecting against someone acquiring the name and identity of the normal machine user, as well as ensuring that the device requiring network access complies with company security policies. You need to be sure the device is free of any unauthorised applications such as IM, peer-to-peer or Skype, and that it is secured against current threats.
There are many components to meeting this challenge. Endpoint security systems are part of the solution. With growing numbers of remote and mobile users, EPS systems can secure those accessing the network and ensure, for example, that security policies are actually implemented on individual devices. There is a significant growth of interest in this area and a range of solutions from companies such as Check Point, Cisco, Symantec and Skyrecon is available.
Some EPS solutions enable you to decide which level of access to provide, based on the current level of security of the user´s machine, as well as ensuring that all wireless is encrypted and that USB downloads are managed. EPS can move organisations from weak policy statements to active policy delivery and enforcement.
Physical device authentication (as part of a multi-factor authentication approach) is another powerful component. There are solutions which ensure that the device accessing the network is the one that is authenticated. This provides a useful defence against many of the current methods of identity theft. Remotely stealing log-in details doesn’t work if you have to be on the authorised device. Similarly, there are SIM identification methods for other mobile devices.
These are all steps on the longer road to identity trust management, where the overall level of access that you provide is based on trust in the authentication and the current level of security, of both the user and the device, coupled with location-based rules.