Cloud to boost managed authentication in APAC

Growing adoption of cloud computing and cost-conscious mentality of businesses in the Asia-Pacific region will boost uptake of managed authentication services but concerns remain over service reliability and lack of control by user companies, note industry voices.

Growing security awareness and need to improve access security in light of new technologies such as cloud computing have spurred authentication to become a very important part of security, Naveen Hegde, software senior market analyst at IDC Asia-Pacific said in an e-mail interview with ZDNet Asia.

Aliza Shima, ICT research analyst at Frost & Sullivan Asia-Pacific, concurred. Cloud adoption by enterprises in the Asia-Pacific region has given rise to opportunities for authentication-as-a-service (AaaS), in particular, she noted in an e-mail.

Organizations, explained the Malaysia-based analyst, are beginning to realize the need to have strong authentication for their business but are reluctant to invest large amounts on it. To build and maintain the authentication system in organizations, enterprises must spend a huge sum of money and effort, and require a right person with the capability to manage it.

"The shift toward [a] hosted authentication solution is to help reduce the operational expenditure (OPEX) and total cost of ownership (TCO) for the enterprise in the current economic situation," Shima pointed out, adding that some organizations also do not have the expertise to build their own authentication system.

Uptake from governments, banks
Banks and governments are the biggest adopters of managed authentication services, Shima noted, listing retailers, manufacturers and service providers as other major adopters of AaaS.

Tan Teik Guan, CEO of Data Security Systems Solutions (DSSS), cited Singapore's SingPass as an example of a managed authentication service used by the government.

SingPass, a single ID and password for citizens and businesses to transact electronically with the government, is managed by Singapore-based IT provider CrimsonLogic.

The island-state, he added, is also in the midst of rolling out a National Authentication Framework (NAF), a nationwide platform for strong authentication for online services. DSSS is part of the consortium awarded a five-year contract to design, build, operate and maintain the NAF infrastructure.

The financial industry's use of outsourced authentication services is not new, just "not well known", Tan added. Mastercard and Visa have already been operating authentication services to verify online card and ATM (automated teller machine) transactions on behalf of their member banks.

British Telecom (BT) last month announced a new managed authentication service targeted at financial institutions, where the company provides the hardware or software to generate one-time passwords as well as process authentication requests between BT's clients and their customers. Peter Gunning, head of business development at BT Security, told V3.co.uk that the service would also be relevant for sectors such as insurance and retail.

However, IDC's Hegde pointed out that "highly sensitive verticals" such as financial institutions preferred traditional standalone authentication products.

Sandeep Lal, managing director for e-business and consumer banking at DBS Bank in Singapore, told ZDNet Asia that the organization has reservations utilizing managed authentication services, and its main security concerns are around confidentiality of customer information, system integrity and availability of services.

"We would only consider moving from what we have today, which is run by us, to one that is managed if the service provider passed all the critical hurdles and has a well-established track record," he said.

The DBS executive added that managed services "may increase the concentration risk" as the provider could become a more likely target of attack.

DSS' Tan agreed. "In an obscure way, the more successful an authentication provider is, the more 'insecure' the authentication service can become."

Frost & Sullivan's Shima added that the lack of control over the authentication service was a major concern. For instance, if a provider suddenly went out of business, the enterprise would be left to handle authentication issues on its own or have no way to authenticate clients.

Hegde of IDC maintained that the AaaS market is still niche and yet to take off, and the need for priviledged authentication management will continue to be recognized across industries.

Managed authentication services will continue to evolve over a period of time and increasingly work as part of a multi-layer security platform, he said.

In terms of authentication providers, Tan noted that big-name social networks and content providers such as Google and Facebook may be better positioned to offer AaaS globally and in the Asia-Pacific region since they already have a large user base, and offer federated technologies such as OpenID and OAuth. But it remains to be seen how businesses will accept such an arrangement, he pointed out.