Article posted: Oct 06, 2016
By Joakim Thorén, CEO
A recent NetworkWorld blog raised some relevant points about identity management for enterprises. In the article, author and ESG Cybersecurity Analyst Jon Oltsik stresses that "strong authentication is a requirement," saying that "all organizations should have a plan in place for totally eliminating user names and passwords."
His words are music to my ears. It's what we at Versasec have said over and over again to our customers, prospects and anyone else who will listen. Our mantra is that "Strong authentication shall no longer be optional." As Mr. Oltsik says, "Everything that touches the network should have a pair of asymmetric keys and a digital certificate." In other words, the right way to do authentication is with a PKI, not with a one-time password (OTP) solution. This is an important point: every authentication method earns a grade, and, just as in school, not all grades are the same.
That's what is frustrating about a trend that calls OTP solutions based on password tokens or messaging services "strong authentication." In truth, these solutions are not strong enough anymore. OTP solutions often become simply proof of possession of a mobile device. And in some instances they cannot prove even that on an unlocked device: an SMS code often shows on the lock screen, and some people don't lock their phones at all.
In his article, Mr. Oltsik points out, correctly, that PKI is the solution to many of today's security woes. We can take that discussion a step further and also discuss how the private keys in the PKI are protected. In my mind, servers, services and users shall all have hardware-protected private keys, without compromise. I realize I'm preaching to the choir here, since every security professional has known this to be true for 20 years or more. Still, it's worth mentioning, because we still see a lot of software key stores, even in (of all places) security products.
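To make the difference between the two grades of authentication concrete, here is an added example (written for this post, not Versasec code or anything from the NetworkWorld column) in Go. It implements a TOTP check (RFC 6238, SHA-1, 30-second step) next to a PKI challenge/response using ECDSA P-256. The point it shows is structural: the TOTP verifier must hold the very same secret the user's phone holds, so whoever compromises the verifier can mint valid codes, while the PKI verifier holds only a public key, and the private key sits behind Go's crypto.Signer interface, which is exactly where a smart card, TPM or HSM-backed key plugs in instead of a software key. The secret "12345678901234567890" is the public RFC 6238 test vector, the verifier name "vpn.example.internal" and the 60-second challenge lifetime are assumptions chosen for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// totp computes an RFC 6238 code (HMAC-SHA1, 30 s step). Prover and verifier
// both need `secret`: possession of the secret is symmetric.
func totp(secret []byte, unixTime int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f // dynamic truncation (RFC 4226)
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// verifyTOTP accepts one time step of clock skew on either side. Note that the
// verifier can call totp() itself: it is able to produce any code it can check.
func verifyTOTP(secret []byte, unixTime int64, code string) bool {
	if len(code) != 6 && len(code) != 8 {
		return false
	}
	for _, skew := range []int64{-30, 0, 30} {
		if hmac.Equal([]byte(totp(secret, unixTime+skew, len(code))), []byte(code)) {
			return true
		}
	}
	return false
}

// challenge is what the PKI verifier sends. The verifier's own identity and the
// issue time are bound into the signed digest, so a response cannot be relayed
// to another service or replayed later.
type challenge struct {
	Nonce    [32]byte
	Verifier string
	IssuedAt int64
}

func (c challenge) digest() []byte {
	h := sha256.New()
	h.Write(c.Nonce[:])
	h.Write([]byte(c.Verifier))
	var t [8]byte
	binary.BigEndian.PutUint64(t[:], uint64(c.IssuedAt))
	h.Write(t[:])
	return h.Sum(nil)
}

func newChallenge(verifier string, now int64) (challenge, error) {
	c := challenge{Verifier: verifier, IssuedAt: now}
	_, err := rand.Read(c.Nonce[:])
	return c, err
}

// respond signs the challenge. Only crypto.Signer is required, so an
// *ecdsa.PrivateKey in software and a hardware-backed signer are interchangeable here.
func respond(signer crypto.Signer, c challenge) ([]byte, error) {
	return signer.Sign(rand.Reader, c.digest(), crypto.SHA256)
}

// verifyResponse needs only the public key plus a freshness bound (assumed 60 s).
func verifyResponse(pub *ecdsa.PublicKey, c challenge, sig []byte, now int64) bool {
	if now-c.IssuedAt > 60 || now < c.IssuedAt {
		return false // stale or future-dated challenge
	}
	return ecdsa.VerifyASN1(pub, c.digest(), sig)
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector secret, constructed input
	now := time.Now().Unix()
	code := totp(secret, now, 8)
	fmt.Println("TOTP verifies:", verifyTOTP(secret, now, code))
	fmt.Println("verifier can mint the same code:", totp(secret, now, 8) == code)

	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	c, _ := newChallenge("vpn.example.internal", now) // hypothetical verifier name
	sig, _ := respond(priv, c)
	fmt.Println("PKI response verifies:", verifyResponse(&priv.PublicKey, c, sig, now))
	c2, _ := newChallenge("vpn.example.internal", now)
	fmt.Println("same signature on a fresh challenge:", verifyResponse(&priv.PublicKey, c2, sig, now))
}
```

The last two lines of main are the practical caveat: the signature is accepted only against the challenge it was made for, and the verifier never learns anything that lets it impersonate the user. Swapping the software key for a smart card means replacing the `priv` argument to respond() with a hardware-backed crypto.Signer; nothing else in the verifier changes.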
The NetworkWorld column also points out that "Business and security people need to think about identity at a deeper level." This is vitally important. Identification of users and services, and access control for them, should depend on business logic, and what's required are security products that understand that logic. Every time a security policy keeps a user from being productive in his or her job, it should be viewed as a major failure.
In fact, my preference is that strongly authenticated users get more access rather than too little. The right tools make it clear to users that, in the enterprise environment, every action is logged, audited and traced. This alerts users that they are responsible and accountable for everything they do. It's a behavior change that is very important and will come as a surprise to many: talk with CIOs and you'll hear that many users still mistakenly believe their actions on company equipment are anonymous.
"Users have to be active participants rather than passive IT entities" is the final point I'd like to explore from the NetworkWorld blog. At Versasec, we continually push toward self-service because it is better for the enterprise. Mr. Oltsik adds that "End users must have the ability to protect their privacy and decide who gets to see their data and who does not." I certainly agree with this, but it's important to note that users must keep their work and social lives separate.
And regarding those social activities, we all must realize that while there are plenty of no-cost services, nothing is truly free. Think about social media services like Facebook, Twitter and Skype, and even search engines like Google and Bing: there's no monetary charge for users, but the security of those services is paid for in other ways, including with our data (which opens another Pandora's box of privacy issues) and/or with ads.