Take North America. In October 1998, then-President Bill Clinton signed the Electronic Signatures in Global and National Commerce Act. Also known as the Digital Signatures Act – or 'e-sign' – this law states that electronic signatures on commercial contracts are equivalent to handwritten signatures.
European telecommunications ministers approved similar legislation in 1999, while in the European Union the Data Protection Act 1998 sets guidelines for privacy and security governing electronic transactions.
Fostering the Information Age
The good news is that the respective Governments have recognised the need to create new legislation. The Digital Signatures Act aims to foster the Information Age. The US-devised Health Insurance Portability and Accountability Act and the Gramm Leach Bliley Act serve to protect us from the pitfalls of the Information Age, while the Sarbanes-Oxley Act shelters employees and shareholders from company executives.
If all of this legislation aims to protect us from the Information Age, what legislation or standards exist to ensure that the chief executive who has to vouch for the validity of his or her books is protected from the network administrator who set up his or her password to the company's accounting application? What legislation or standards exist to prove who authorised a multi-million pound transaction, or prescribed drugs to certain patients?
Alternatively, consider Mr Clinton, who signed the Electronic Signatures in Global and National Commerce Act with a password-protected smart card. A network administrator set up his password (which, by the way, was 'Buddy' – the name of his chocolate-coloured Labrador retriever... a very poor choice as it could easily be guessed).
All of this new legislation assumes that we trust the strength of current authentication methods (in this sense, 'authentication' is the process by which a user identifies themselves to the network and 'guarantees' that they are indeed who they say they are).
A major security problem that most organisations encounter is ensuring the legitimacy of access to the network and the information stored on it. Log-on, which is the authentication to the computer network or application, is often secured by nothing more than a password. Passwords, though, have three significant downfalls – they can easily be guessed, they are prone to a culture of sharing, and users tend to write them down – often in obvious places.
Traditionally, high security and ‘user friendly’ have been poles apart. Users have always wanted easy access to their applications and information, as they need to perform their daily work. They’re fed up with forgetting passwords, being locked out of sys
The inherent weaknesses of traditional password systems render the network and the information it contains insecure. A person can simply say that someone guessed, changed or hacked their password and the case will be thrown out of Court.
Making use of single sign-on
Thankfully, implementing advanced authentication methods combined with single sign-on (SSO) solves those problems and puts the security and IT teams firmly back in control. Through the use of tokens, smart cards and/or biometric devices, user identity may be much more firmly established.
While passwords are based solely on what a user knows (their username and password), advanced authentication methods offer multi-factor authentication based on combinations of several security principles: what the user knows (password, PIN), what the user has (token generator, smart card, biometric reader) and who the user is (fingerprint, retina, voice).
Instead of using a password to log on, a person would authenticate themselves using an advanced authentication method (an event which is also logged and audited). Once that person authenticates to the network, SSO kicks in to provide them with fast and seamless access to their applications.
SSO remembers a person's application log-on credentials (such as user names and passwords) and handles log-on to the application – entering the user's credentials such that they don't have to. SSO also handles password changes, password policies and any other messages generated by an application.
Simple, single fingerprint scans
Before granting access to an application that attempts to transfer money, for instance, you can force the user to re-verify who they are by prompting them to authenticate with an advanced authentication method. From a user's point of view, people log on to the network (and thus to all of their applications) with a simple fingerprint scan.
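The log-on, SSO hand-off and step-up re-verification described in this section, written out as an added Python example (not code from the article or from Protocom's products): a log-on is accepted only when the presented authenticators cover two distinct factors, routine application access passes without a further prompt, and a sensitive action such as a funds transfer requires a fresh re-verification with a 'has' or 'is' factor, with every decision written to an audit trail. The class and function names, the authenticator table and the timings are assumptions constructed for illustration.

```python
"""Multi-factor log-on with step-up re-verification and an audit trail.

Added example; not code from the article or from Protocom. Every name here
(Factor, FACTOR_OF, Session, AuthPolicy) and all sample values are constructed
for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Factor(Enum):
    KNOWS = "something the user knows"   # password, PIN
    HAS = "something the user has"       # token generator, smart card
    IS = "who the user is"               # fingerprint, retina, voice


# Authenticator type -> factor it proves (constructed table following the article's list).
FACTOR_OF = {
    "password": Factor.KNOWS,
    "pin": Factor.KNOWS,
    "otp_token": Factor.HAS,
    "smart_card": Factor.HAS,
    "fingerprint": Factor.IS,
    "retina": Factor.IS,
    "voice": Factor.IS,
}


@dataclass
class Session:
    user: str
    methods: list                         # authenticator types presented at log-on
    authenticated_at: float
    last_step_up: Optional[float] = None  # time of the most recent re-verification

    def factors(self) -> set:
        # Unknown authenticator types prove nothing and are ignored.
        return {FACTOR_OF[m] for m in self.methods if m in FACTOR_OF}

    def is_multi_factor(self) -> bool:
        # Password + PIN are two secrets but one factor; two distinct factors are required.
        return len(self.factors()) >= 2


@dataclass
class AuthPolicy:
    step_up_max_age: float = 300.0        # seconds a re-verification remains fresh
    audit: list = field(default_factory=list)

    def _log(self, event: str, user: str, now: float, **extra) -> None:
        # Every decision is recorded so the audit trail can attribute actions to a person.
        self.audit.append({"ts": now, "event": event, "user": user, **extra})

    def login(self, user: str, methods: list, now: float) -> Optional[Session]:
        session = Session(user, list(methods), now)
        if not session.is_multi_factor():
            self._log("login_denied", user, now, reason="fewer than two factors")
            return None
        self._log("login_ok", user, now, factors=sorted(f.name for f in session.factors()))
        return session

    def step_up(self, session: Session, method: str, now: float) -> bool:
        # Re-verification must use a HAS or IS factor; re-typing a password is not step-up.
        if FACTOR_OF.get(method) in (None, Factor.KNOWS):
            self._log("step_up_rejected", session.user, now, method=method)
            return False
        session.last_step_up = now
        self._log("step_up_ok", session.user, now, method=method)
        return True

    def authorise(self, session: Session, action: str, sensitive: bool, now: float) -> bool:
        if not sensitive:
            # Routine applications are reached through SSO with no further prompt.
            self._log("action_ok", session.user, now, action=action)
            return True
        fresh = (session.last_step_up is not None
                 and now - session.last_step_up <= self.step_up_max_age)
        if not fresh:
            self._log("step_up_required", session.user, now, action=action)
            return False
        self._log("action_ok", session.user, now, action=action, step_up=True)
        return True


def demo() -> list:
    """Walk one user through log-on, a routine action and a guarded transfer."""
    policy = AuthPolicy(step_up_max_age=300.0)
    t0 = 1_000_000.0                                            # constructed clock value
    policy.login("alice", ["password"], now=t0)                 # single factor: refused
    s = policy.login("alice", ["smart_card", "pin"], now=t0)    # HAS + KNOWS: accepted
    policy.authorise(s, "open_ledger", sensitive=False, now=t0 + 10)
    policy.authorise(s, "transfer_funds", sensitive=True, now=t0 + 20)   # needs step-up
    policy.step_up(s, "password", now=t0 + 25)                          # wrong kind of factor
    policy.step_up(s, "fingerprint", now=t0 + 30)                       # accepted
    policy.authorise(s, "transfer_funds", sensitive=True, now=t0 + 40)   # now permitted
    policy.authorise(s, "transfer_funds", sensitive=True, now=t0 + 400)  # freshness expired
    return [e["event"] for e in policy.audit]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The freshness window is the design decision worth attention: a step-up that never expires degrades back into a single log-on, while one that is too short drives users to the workarounds the article describes. The audit list is the record a chief executive could point to when asked who authorised a transaction.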
Source: SMT
Postscript
Jason Hart is chief executive officer of Protocom Development Systems (www.protocom.com)