Clearly, you need to protect your authentication systems from attack and sabotage. That may be obvious, but the consequences of overlooking the obvious are frequently catastrophic. When you build an authentication policy, you need to take into account both your data and your people.
Under the first category is the value of the resource users will be accessing. This is determined by the monetary loss, or exposure to loss, if the data were accessed by unauthorized individuals. The greater the value of the asset--and the higher the likelihood of a successful attack through impersonation--the stronger the authentication you should require.
You also need to assess the people factor: Who needs to access what information, and when do they need it? Identify groups, or roles, that share common authentication requirements. There shouldn't be any individual who has totally unique authentication requirements. Each group should have two or more users, so there is no single point of failure. Once users are assigned to groups, you can begin to build an authentication policy based on who accesses what.
...They Will Ignore It
Building an authentication policy is one thing. Implementing, managing and enforcing it is a different matter.
Many organizations simply settle for the authentication included with their operating systems and applications. In some cases, authentication can be consolidated through meta-directories, single sign-on software or applications that can leverage existing user directories. However, many times heavy lifting is required to integrate products with user directories.
Passwords are the favored mechanism for authentication because they are cheap, familiar and available. However, minimum password complexity enforcement varies widely across applications. Support for stronger authentication is available using tokens or biometrics, or a combination of methods.
But you know and we know that stronger is better and that investments in security will reap benefits. For example, enforced strong authentication provides a foundation for building access-control systems for internal and external users. However, you can't argue for better authentication by discussing ROI. The return is not monetary, only if you stop a theft. What you get with strong authentication and authentication management, such as that provided by the specialized tools we tested (see "PremiereAccess Heads a Pedestrian Pack"), is the assurance that users at all levels are being properly authenticated. Only then will the likelihood of malicious users impersonating others to gain unauthorized access to resources be reduced.
Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs®; he covers all security-related topics. Prior to joining this magazine, Mike worked as an independent consultant in central New York. Send your comments on this article to him at mfratto@nwc.com.
RSS
