The Costs of Managing Internal Passwords
By RSA Security

On a typical Monday morning, Joe Employee logs on to his desktop with his user name and password; the password is his daughter’s name. After signing into e-mail with yet a different password (his German shepherd’s name), he finds he needs to access his company’s CRM application and gather some information to send to a customer. But because his CRM password is different from the other two, he can’t remember it: Did he use his wife’s name, his son’s birthday or his favorite Ben & Jerry’s flavor? He calls the helpdesk—which is already busy servicing other employees in the same password predicament—and waits seven minutes for assistance. Once he gets his CRM password, he writes it down—right next to his computer. No sooner does Joe Employee have that issue sorted out than the IT department issues its monthly “password reset” mandate. And so it begins again.

Enterprises spend huge amounts of time and money on security. Much of this spending is focused on secure access for companies’ remote and mobile users, as well as their partners and customers, all of whom are outside the firewall. Just as important—but frequently overlooked—is the question of how to handle user authentication inside the enterprise. Companies for the most part have concentrated their efforts inside the enterprise on password-based methods of authentication, but as those methods become more complex, users have responded by making them less secure. “Inevitably, users write down passwords, or maybe a department has one password that everybody shares,” says Bill McQuaide, senior vice president for enterprise products at RSA Security. “All of those things add more risk to what IT is trying to secure inside company walls.”

“Organizations have reached a point where they’re drowning in complexity,” notes Earl Perkins, vice president for security and risk strategies in the Technology Research Services division of Meta Group Inc. “They want to streamline security practices and try to save some money, so many of them are going after a cleaner, simpler environment.”

Forces For Change
Among the catalysts prompting enterprises to take a new look at inside-the-firewall authentication are external pressures.

New legislation (the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, and the Data Protection Directives of both the European Union and Japan) is forcing companies to take greater care of sensitive employee and customer information. That means guaranteeing appropriate scrutiny of internal users as they access that data and providing a concrete audit trail of user activity.

Global enterprises face powerful internal demands. “Roughly 70 percent of unauthorized access to a company’s information comes from inside company walls. It’s not sufficient just to prove the identities of people coming from the outside,” McQuaide says. Without creating tough policies and methods for authenticating users within the enterprise, companies leave themselves vulnerable.

The Password Puzzle
Organizations that are aware of these sobering numbers often respond by implementing password policies that become increasingly stringent — and complicated — as time goes on. “All of the mechanisms that malicious individuals have for attacking password-based systems have caused passwords to become mentally complex if they are to be at all secure,” says Michael Atalla, group manager of the security business and technology group for Microsoft.

That’s precisely where the paradox lies: passwords need to be so technically secure that they become difficult to remember, so people begin to write them down or otherwise circumvent password policies, which ultimately makes the entire enterprise less secure. “There’s a constant struggle between usability and protection of the assets of a company,” says McQuaide.

The Bottom Line
While internal password authentication methods are generally considered to be free, the costs of managing those passwords can drain IT departments. In a typical day, a user might sign on to five or 10 different applications, with a different name and password for each. “As the number of passwords rises, so does the number of calls to the helpdesk,” says McQuaide. “A single call to a helpdesk can cost in excess of $50, when you consider the helpdesk personnel, the systems that are needed on the back end to recover passwords and the lost productivity of the users.”

“There is a definite ROI attached to the notion of reducing the complexity of user authentication,” notes the Meta Group’s Perkins. “You have a lot of different platform environments that have been deployed over the years, where there are many different ways to authenticate people,” he explains. “Many enterprises have reached a point where they are hopelessly lost in a maze of passwords and IDs.”

Simple, Secure Solutions
Once companies recognize the importance of improving authentication methods inside the firewall, they have several different techniques and technologies to consider. Among them:

  • Token Authentication
  • Certificate Authentication
  • Smart Cards and USB’s
  • Biometrics

By implementing any of these authentication techniques, organizations can realize some tangible benefits. First, by adopting authentication methods that are the same for users both inside and outside the enterprise, companies can enhance the user experience and offer simplified, consistent sign-on methods.

“When compared to the current state of password-based systems, [stronger user authentication methods] will reduce the requirement to remember long, complex passwords, and in theory reduce the load on IT departments that have been overrun with having to reset passwords,” says Microsoft’s Atalla.

Strong user authentication offers the potential to make more systems and applications accessible, while at the same time keeping those applications secure. “The idea is to make security comfortable and easy for the end users,” says McQuaide, “as opposed to trying to disrupt the work flow and upset the user community.”
www.rsa.com