With the basic password for remote access no longer providing a strong enough lock for securing data, authentication and encryption technologies are now moving into the corporate spotlight. Spurring interest in these technologies is the need to provide access to corporate Web sites and the rising tide of mobile and remote workers that together are making LANs more vulnerable to unauthorised access.
Compounding this threat is the fact that dial-up phone numbers and passwords are often shared among users and are rarely changed. Passwords are also easily forgotten and are proliferating with the addition of online services and dial-up capabilities, leading users to write them down and often post them on computers.
And most consultants will tell you static passwords pose little challenge to hackers aiming to gain LAN access. As a result, IS managers are seeking out more advanced technologies and products that can provide user authentication, network authorisation rights, auditing tools, and simplified management.
According to Barry Wong, managing director of distributor Global Business Solutions, the opportunities in the security area are enormous. He cites a 1994 Gartner Group estimate that the client/server market for security products is nearly $8 billion. "Security hasn't been an issue, because it used to be all housed in a glasshouse, and there was one point of control. Now the information's everywhere, on your desktops, on your LANs, and it has become much more difficult to control. There are many more areas of vulnerability."
Wong's company is the Australian distributor of OmniGuard, a suite of information security tools. He believes the issue now is in educating the marketplace. "People in it are realising that they have to do something. And so the market, I would say, is just beginning."
Securing a slice
To tap into the demand for advanced security, many companies - ranging from remote-access hardware companies to network operating system vendors to firewall vendors - are integrating more advanced features such as authentication into their products. The Internet is also driving increased interest in even higher-level security products, such as digital signatures, digital certificates, and encryption tools, to protect sent data and validate its receipt.
At the highest end of the spectrum, physical authentication is being employed to validate a specific user's fingerprint, retina, or facial features.
As the integration of security features unfolds, passwords still remain the prevalent security measure, but large companies are moving to add token-based authentication systems for stronger verification of users logging into a network.
Token-based systems combine something you know (a password or ID name) with something you have (the token).
Hardware-based tokens include time-synchronous solutions, such as Security Dynamics Technologies' SecurID card. The card generates a new passcode (or "token") at regularly timed intervals via an algorithm that is synchronised with a server, which generates the same number for validation.
Users view the number in an LCD on a credit-card-size card and enter the number when logging in. Personal identification numbers (PINs) can be used to activate the card as an extra precaution.
Challenge-and-response technology can also be used, such as that found in Racal's TrustMe cards. When logging in, the server sends out a passcode that the user enters into the card. The card then generates a corresponding passcode that is sent back to the server to complete the log-in.
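As an added illustration, not code from the article or from Security Dynamics or Racal, the following Python sketches both token mechanisms described above: a time-synchronous passcode verified by a server that tolerates a small clock drift, and a challenge-and-response reply bound to a server-issued number. It assumes the HMAC-based passcode construction of RFC 4226/6238 in place of the vendors' proprietary algorithms, and a constructed seed.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed shared secret provisioned into both the token and the server.
SECRET = b"example-token-seed-0001"
STEP = 60  # seconds between passcode changes on the card


def passcode(secret: bytes, counter: int, digits: int = 6) -> str:
    """Derive a numeric passcode from a counter (HMAC-SHA1 dynamic truncation,
    as in RFC 4226); this stands in for the card vendor's own algorithm."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_synchronous_code(secret: bytes, now: float) -> str:
    """What the card's LCD shows: the passcode for the current time slot."""
    return passcode(secret, int(now // STEP))


def verify_time_synchronous(secret: bytes, submitted: str, now: float, drift: int = 1) -> bool:
    """Server side: accept the current slot and +/- `drift` neighbouring slots so
    that card and server clocks need only be approximately synchronised.
    compare_digest keeps the comparison constant-time."""
    slot = int(now // STEP)
    return any(hmac.compare_digest(passcode(secret, slot + d), submitted)
               for d in range(-drift, drift + 1))


def new_challenge() -> str:
    """Server side: an unpredictable 8-digit number the user keys into the card."""
    return f"{secrets.randbelow(10 ** 8):08d}"


def challenge_response(secret: bytes, challenge: str) -> str:
    """Card side: the reply depends on this challenge, so a captured reply
    cannot be replayed against a later log-in."""
    return passcode(secret, int(challenge))


def verify_challenge_response(secret: bytes, challenge: str, reply: str) -> bool:
    return hmac.compare_digest(challenge_response(secret, challenge), reply)


if __name__ == "__main__":
    now = time.time()
    shown = time_synchronous_code(SECRET, now)
    print("card shows", shown, "accepted:", verify_time_synchronous(SECRET, shown, now))
    chal = new_challenge()
    print("challenge", chal, "accepted:",
          verify_challenge_response(SECRET, chal, challenge_response(SECRET, chal)))
```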
PC Cards are also available that integrate token-based authentication with fax modem capabilities.
Although hardware-based tokens certainly provide a higher level of security than simple passwords, they do increase management tasks, especially in large deployments. Analysts suggest using hardware tokens for very mobile users who have a higher risk of system theft, while considering solutions with less overhead for remote users in static locations.
An alternative is two-factor authentication through software-based tokens, which, in theory, are easier to manage. The software simply needs to be securely provided to a user; once loaded on a system, the token is then either generated automatically by the log-in procedure or when a user types in a PIN for added security to access the token. The jury is still out, however, on whether software-based tokens provide a level of security comparable to hardware-based tokens, because both the log-in program and the token reside on a system.
New levels of advanced security are within reach of IS. Yet the most important security advancements will have more to do with ease of use and management than pushing the security technology envelope any further.