By Elizabeth Quirk
Companies and organizations rely on technology more with every passing day. The convenience it brings, however, is sometimes undercut by security concerns. As more software moves to the cloud, and consumers become more comfortable with sharing information over the Web, security tools are a must. In order to protect data and transactions, identity management and authorization tools help enterprises to safeguard sensitive information and ensure compliance.
Identity management, according to TechTarget’s Margaret Rouse, is a broad administrative area that deals with identifying individuals in a system—such as a network or enterprise—and controlling their access to resources within that system by associating user rights and restrictions. A simple definition of identity management involves outlining what users can do on the network with specific devices, under certain circumstances. In an enterprise or company setting, identity management is mainly used to increase security and productivity, while decreasing cost and redundant effort. Authentication simply means that access is granted if the credentials provided match the authorized ones.
Safeguard Company Data
Authentication and identity management solutions for particular enterprises provide certain functions and protection. According to Jason Hart, CTO, data protection, Gemalto, the right authentication and identity management solutions essentially make IT administrators’ jobs a little easier, while providing extra security layers.
“Authentication protects data breaches and credential theft by securing user credentials and making sure only authorized and validated users are accessing certain information and resources. These technologies also automate and centralize administrative functions and streamline workflows, which reduce the burden on IT to keep track of who is accessing what information,” says Hart.
Virtually every facet of an organization is entwined with the digital world, so the assets that need protection have grown to an unprecedented scale. That includes applications, devices, communication channels, and the ever-increasing volume of valuable data.
According to Chip Epps, VP, product marketing, IAM Solutions business, HID Global, an authentication solution should make sure the right people are getting access to the right things. It is also a means to extend trust to varying degrees by verifying the identity of the person or resource asking for that trust. In order to achieve that, you need to know who is asking for access and to what level they are entitled to that access.
Password Concerns
Behind every security platform or identity management tool is a reason for having it. One of the biggest drivers pushing enterprises to rethink their current authentication solutions, according to Hart, is the growing prevalence and impact of data breaches. He suggests that not only are breaches more frequent, but hackers are getting more sophisticated, and the damage they cause is extensive.
To combat the latest security concerns, current authentication practices should be revisited. Authentication solutions generally fulfill one or more of the three factors: what you know, what you have, and what you are.
The most basic and well-known security tool includes a user ID and password. However convenient it may be, there are downsides to using it as an authentication and identity management tool as well.
According to Epps, passwords are the foundation of what you know. Unfortunately, he says countless studies have demonstrated the challenges of relying on passwords alone. Passwords are hard to remember, change frequently, and may be subject to different policies that make it even harder to know which password applies where. Reusing the same passwords across multiple applications, or writing them down, exposes the user and the data they access to risk. Epps states that the majority of security incidents are caused by stolen passwords, so the bottom line is that your security cannot depend on passwords alone.
Hart agrees, stating that companies are accepting that passwords are no longer enough to protect data. “Another key driver is IT consumerization. More organizations are relying on the cloud for their enterprise applications, and more employees are using mobile devices to access corporate resources,” says Hart.
Due to these drivers, authentication solutions are starting to extend beyond identity verification and entitlement to also incorporate intent. “Newer solutions can measure behaviors to better understand intent, and recognize and remove access in situations where intent could be malicious,” comments Epps.
Many organizations are turning to two- or multi-factor authentication, where you layer more of what you know, something you have, or something you are. “Some examples of something you have include tokens and one-time passwords, digital certificates, and smart cards. When you add something you are, that’s where biometrics comes in. You can use your fingerprints, face, or eyes,” says Epps.
Hart points out that two-factor authentication allows for lower barriers for end user adoption and allows organizations to get up and running quickly.
Central Protection
Organizations are looking for the ability to protect as many applications as possible, both on premise and in the cloud. This includes the ability to support mobile solutions, like laptops, smartphones, and tablets.
Employees are accessing sensitive corporate data anytime, anywhere—putting the organization at increased risk for a breach. Authentication secures corporate information so that workers can access information on demand without putting the business at risk.
According to Epps, the threat landscape is continuously evolving and threats posed to an organization are becoming more complex. Whether it’s creating efficiencies in business operations or enhancing customer engagement, companies see a countless number of benefits from going digital. He adds that while the payoff of going digital can be rewarding, it does raise the stakes for what companies need to protect.
Challenges
The primary challenges associated with authentication solutions tend to compound each other. The solutions are complex and the expertise to evaluate, select, and implement these solutions is scarce.
Epps notes that while authentication itself is a simple concept, fulfilling that function can incorporate difficult models such as digital certificates, cryptography, and public key infrastructure. But, for the most up-to-date information, secure communications between multiple parties are necessary. Experts to help with these topics are a subset of an already small group of IT security professionals.
He continues by explaining that the growing number of things that need to authenticate also complicates ongoing management. “Widespread adoption of technologies like NFC, Bluetooth, crypto processors embedded in mobile devices, push notification networks, wearables, and advances in machine learning are all technologies that will continue to pave the way for a frictionless user experience in the context of security.”
The proliferation of devices such as smartphones and tablets, which users expect to use to access company resources that most likely include public cloud-based applications, expands the scope of what needs to be authenticated. Company applications are no longer only deployed on premise, and companies may have a mix of resources hosted both internal and external to the organization. Epps says these factors impose a fundamental challenge when designing and maintaining an enterprise’s security.
Interoperability is another challenge. Epps points out that it is often the case that enterprises have to take their legacy applications into account when rolling out a new authentication or access management solution. Many modern applications are built with standard security protocols in mind. However, older applications can pose interoperability challenges, making it that much more difficult to adopt uniform security practices across the board.
Hart adds that one of the biggest challenges enterprises face when implementing and maintaining identity management is the cost of operations. With the increasing complexity of today’s enterprise IT environments, more monetary resources are needed just to operate the system, and the help desk costs that come with it add up quickly. He explains that enterprises also struggle to easily extend two-factor authentication beyond the traditional perimeter to offer the same capabilities in the cloud or on mobile applications. These challenges are often what cause enterprises to turn to solution providers.
User Considerations
User experience is an important consideration when it comes to adding authentication. This is one factor pushing enterprises to rethink their authentication and identity management solutions.
“Enterprises are beginning to realize that if security practices are too difficult or complicated to use, then productivity suffers or employees find a way around the security policies altogether,” says Epps.
The focus on user experience has emerged in the last couple of years, particularly with trends such as the consumerization of IT. This is a result of enterprises “learning” what works and what doesn’t. “Much of this is being validated in the online consumer markets,” he adds.
“The past 20 years are littered with solutions that are very capable from a raw security standpoint, but in practice may not be that effective because users hate using it,” says Epps. He believes that balancing the security of an organization and data with the productivity of employees and customers is an ongoing challenge.
“Depending on what solution or policy is in place now, such as passwords-only implementations, you could experience an immediate improvement in your corporate security profile, enhanced productivity of your employees, and the most satisfied customer’s experience,” states Epps.
A change in password authentication practices could also reduce help desk calls and the associated cost of those calls for the enterprise. He says that traditionally, the tradeoff between security and usability has resulted in a burden placed directly on the end user. “If a company improved its security around identity and access, this could translate to end users needing to take additional steps or carrying around devices they otherwise wouldn’t,” he explains, adding that over the past few years there have been advancements and standardization in a number of technologies that narrow the gap between security and usability.
Market Examples
By implementing an authentication and identity management solution, or upgrading their current software, enterprises benefit from increased flexibility and decreased cost, according to Hart. Today’s best-in-class authentication solutions offer the latest authentication methods and scalability, which enables enterprises to transition data securely to the cloud and mobile devices.
“Utilizing a solution provider also reduces the cost of operations as the authentication environment is fully managed by the solution provider,” comments Hart.
Gemalto, a digital security company, works with some of the world’s biggest businesses and governments. The company’s solutions enable them to deliver a range of secure services based on two core technologies—authentication and protection. Examples include mobile identity and banking, data encryption, and software licensing. The company provides easy-to-use technologies and services, authenticating identities and protecting data so they stay safe and enable services in personal devices, connected objects, the cloud, and everything in between.
The various types of authentication solutions available today differ in capability and infrastructure. According to Hart, some vendors offer cloud-based authentication, while others are server based. Some support a broad range of authentication methods, such as fingerprinting, PKI smart cards, pattern-based authentication, or PIN, while others are more niche in their authentication offerings, focusing on one or two methods.
“Gemalto’s SafeNet solutions, for example, include cloud-based or server-based management platforms, advanced development tools, and the broadest range of authentications, allowing organizations to use strong authentication anywhere a password is currently used,” says Hart.
HID Global is the trusted leader in products, services, and solutions related to the creation, management, and use of secure identities for millions of customers worldwide. According to its website, the company focuses on creating customer value and is the supplier of choice for integrators and developers serving a variety of markets that include physical access control; IT security, including strong authentication/credential management; visitor management; government ID; and identification technologies for a range of applications.
Conclusion
Security is of increasing concern due to the reliance on data, as well as the growing number of ways to access it. The traditional password approach is becoming less acceptable from both a security and a user experience standpoint. ISVs continue to fight the battle between security and user experience.
Feb2017, Software Magazine