Rid your business of weak passwords and get collaborating

Quocirca's Straight Talking: Cure security headaches with ID management

Quocirca's Straight Talking: Cure security headaches with ID management

How can businesses collaborate with partners and customers securely? Quocirca's Clive Longbottom and Fran Howarth have the answer.

The number of websites is growing fast. Netcraft reports there were 231.5 million websites in operation as of April 2009 - an increase of 46 million in just three months, with the greatest growth coming from sites that encourage social collaboration and blogging in particular.

All this collaboration brings up security worries. As these applications and services become more personalised, many require users authenticate themselves - usually with a username and password. Passwords are notoriously insecure and, as a rule of thumb, a password that can be easily remembered is unlikely to be a strong password.

This leads to such problems as users writing down complex passwords, using easy-to-remember passwords such as their favourite football team, or using the same password for multiple services.

Malicious applications have also been developed that capture keystrokes as passwords are typed in, allowing an attacker to access applications and services that they should not through direct impersonation of others.

Businesses have long realised the need to securely authenticate users as they access sensitive information on corporate networks. Thankfully there is now a cure for collaborative businesses' security headaches.

key lock

Weak passwords, the key to IT insecurity (photo credit: Mirko Macari via Flickr under the following Creative Commons Licence)

We all know that today no organisation is an island. Our increasingly connected world requires business partners to have access to another firm's information, such as a supplier checking a customer's inventory levels or a business accessing healthcare policies or expense management applications online.

Businesses are also opening themselves up to consumers, as financial services companies do when offering online banking. Mobile technologies are further extending the walls of the organisation, as they are providing remote access to network resources and allowing users to work from wherever they happen to be.

All this has led organisations to turn to stronger forms of authentication than simple usernames and passwords, often in the form of security tokens that provide an extra layer of assurance that users are who they say they are. Such tokens generate a one-time password (OTP) that is entered into a computer keyboard or mobile phone keypad. The password is useless to hackers since it is good for only one access attempt. The OTP also alleviates the problems of users forgetting complex passwords or choosing those that are easy to remember.

But this method is generally usable for just one service: for another service, another security token is required. With multiple physical tokens being required, the majority of users just give up - the chaos of passwords has just been replaced with a chaos of physical tokens.

The answer to this problem is an identity protection authentication service. This means an organisation no longer needs to worry about provisioning and managing internal systems to provide strong authentication credentials or about the issues involved with including external users in the system.

Rather, it can use services managed by a separate organisation, staffed by experts who adhere to stringent quality of service assurance levels. Such services are provided on a subscription basis in the cloud without the overheads associated with managing systems and services in house.

On signing up to the service through a controlled corporate agreement, users need merely access the service via an online portal, request the credentials be provided to them according to the permissions associated with them, and then a connection is made to the services they are entitled to access.

The service acts as a broker, authenticating the OTP input by the user with the profile associated with them, and then granting access to the resources required, whether this be access to a corporate network or services provided via websites.

As such services continue to be developed, they will be broadened out to become managed shared authentication products used by multiple organisations that accept security tokens from a variety of manufacturers - rather than the proprietary services seen today.

By having access to shared services supplied on a single platform, organisations will be able to allow their customers and partners to use just one single token for a variety of services, websites and applications. This will also benefit organisations opening up their services to authorised users, in that they will not have to provide a separate token for access to each service they offer.

By providing a managed, shared authentication product, users will be able to interact with a variety of applications, from accessing corporate networks to social networking sites, in a secure manner, thus preventing unauthorised access to resources.

The themes in this article are discussed further in a free Quocirca paper.

A leading user-facing analyst house known for its focus on the big picture, Quocirca is made up of a team of experts in technology and its business implications. The team includes Clive Longbottom, Bob Tarzey, Rob Bamforth, Louella Fernandes, Fran Howarth and Simon Perry. Their series of columns for silicon.com seeks to demystify the latest jargon and business thinking. For a full summary of the consultancy's activities, see www.quocirca.com.