12:00 PM
Get Authentication Right

Passwords just aren't enough anymore. These five questions will help you choose the right technology.

When it comes to ensuring that users are who they say they are, there's only one idea that all security experts agree on: Passwords aren't enough.

Only 28% of the IT and security pros we surveyed who were using strong passwords considered them very effective, according to InformationWeek Analytics' 2010 Strategic Security Survey. But what to do about it? There's the rub.

Part of the problem is the number of choices. Strengthening authentication usually means adding a second factor (something you have) to an existing strong password (something you know). But what should that second factor be? Vendors are pushing everything from random-number generators to tokens to phone calls to biometric verification. What you pick depends on how foolproof you need the authentication to be--and how much you can spend.

The best way to design a secure authentication strategy is to do a comprehensive risk assessment that accounts for the sensitivity of the data, its potential exposure to unauthorized users, and any applicable regulations. Here are five questions to get you started.

1. What needs protection? Are you securing your corporate network, a sensitive database server, or a customer-facing Web site? Your risk assessment should analyze the impact that unauthorized access to those systems will have.

2. Who will be accessing the protected resource? Are they all your employees or will contractors and customers have access? Knowing the population is important.

3. Do you manage the workstations? Will users authenticate to your systems only from computers managed by your IT group? If the answer is yes, then you don't need client-side software for machine signatures or certificates. However, for customers and partners, the answer is almost always no, so you're left with options that don't require touching the computer, such as user name and password, knowledge-based authentication, and message replay.

4. Where will your users be when they access the protected resource? Are they all in the same office or scattered all over? If they're in one place, the risk is lower, but that's the unusual case.

5. What are your organization's future needs? Will you be adding new services, acquiring businesses, or hiring 1,000 new employees? It's difficult to predict future needs, but choosing authentication technologies that are standards-based and scalable is important to make sure you're prepared for what's to come.

chart: Options for authenticating users
