As solutions become easier to implement and maintain, the presence of compliance regulations coupled with rising external threats will likely drive their widespread adoption.
In earlier columns in MC Systems Insight and MC Tips 'N Techniques, I've written at length about the importance of having good, strong passwords, but we haven't talked about the importance of having secure answers to security questions. For those of you still in the dark about how Sarah Palin's Yahoo email account was hacked by a Tennessee teenager with the handle "rubico," it was via the password reset function.
According to his own admission, rubico researched Palin's birthday in Wikipedia.org, her ZIP code was available from the U.S. Postal Service because she lived in a small town that has only two, and her security question he guessed. The system asked him, "Where did you meet your spouse?" After a little online research, it didn't take rubico long to figure out the answer. The phrase "Wasilla High" got him into the Alaska governor's email account.
The breach is simply a highly publicized example of the types of intrusions and misrepresentations that are occurring every day. I recently got a call from the Bank of America, who asked me if I had been trying to use my credit card to purchase a $900 money order from Western Union. Unfortunately, the answer was no. The bank immediately canceled my card and ordered me a new one. The transaction request had been denied because the perpetrator didn't have the security code from the back of my card.
Recently, we here at MC Press Online received a status report on the number of spam emails coming into the company, many of which we have found carry viruses. On an annual basis, the number runs into the millions. Fortunately, our automatic spam filters catch most of them. As we all know, the problem of identity theft and fraud online is becoming more commonplace as electronic systems expand our vulnerabilities. The rapid pace at which this is occurring, however, makes the business of security and access management a growing industry. IT managers are being asked to evaluate and implement an ever-growing number of new solutions that focus on data security, authentication, access management, compliance, and identity assurance.
From the perspective of the systems administrator, the prospect of deploying and maintaining increasingly complex authentication solutions is somewhat daunting for no other reason than it means more work. An IBM executive told me recently that when systems create so much overhead for the oversight teams that they become a burden on the people charged with running them, people rebel. They will actually figure out ways to get around using the systems. So while some of these compliance systems are designed to ease inconveniences to users, the question remains as to whether they're easy enough for time-constrained administrators to deploy and maintain.
Security professionals gathered earlier this month at the Gartner Identity and Access Management Summit, which included two days of networking and presentation of technical papers delivered on the latest developments in compliance management and trusted identity. IBM used the forum to announce several new partnerships with independent software vendors that will help fortify its already-leading Tivoli identity solutions through better integration with other companies' products. Arcot is a SaaS software provider with a product called A-OK On-Demand that now integrates with IBM Tivoli Access Manager for e-business. The Arcot solution protects and verifies identities using a combination of risk-based and strong authentication so that only authorized users gain access to confidential, proprietary, or regulated data. Integration between the Arcot and IBM solutions allows companies to implement strong authentication significantly more easily than before and without changing a user's sign-on behavior. The result is further protection against phishing and man-in-the-middle attacks, according to the companies. This feat is accomplished without installing new hardware or software.
Another IBM partner, Gemalto, has worked with IBM and its trusted identity initiative to integrate strong authentication capabilities best practices and use cases for protecting and securing personal identities and assets. The company's Protiva Strong Authentication Solution features a broad range of personal security devices. They use smart-card technology for a one-time password (OTP) and public-key infrastructure (PKI) for certificate authentication. The devices are available in card and USB token form factors. The strong-authentication solution with identity and access management helps protect identities and enterprise information systems against phishing attacks, key logging, shoulder surfing, and stolen passwords, the company says.
Multi-biometric technologies from L-1 Identity Solutions include any combination of finger, face, palm, and iris recognition. These too are now integrated into IBM systems to help protect customer identities and assets. L-1's credentialing solutions help integrate personalization and enhanced security features into a variety of credentials, the company reports. Access control readers use state-of-the-art finger and face recognition technologies, including what's known as 3-D face, to control people's access to buildings and facilities. The company even has a set of mobile devices that capture a person's unique biometric features and use them to verify her identity.
Joe Anthony, program director for IBM Tivoli Security Compliance Management, told me that he believes every single Fortune 500 company today is using some form of enterprise identity management. The question is not whether these companies are using it--just how widely it is distributed within the company's infrastructure.
"I would be surprised if there is anyone in the Fortune 500 who is not using this [identity management solution]," Anthony said. "It's a matter of how broadly they are distributed.... With identity management, you may see some low-end systems that are not dispersed very broadly in the organization, but then there are others who have done a very thorough job and have a complete solution addressing all their applications and end-users. So for most of the Fortune 500, it's a matter of how broadly distributed they are, not whether or not they have it."
Anthony says IBM is investing heavily in its more than two dozen identity-security products and is also working to develop new offerings, including a new security policy manager that will allow customers to define the policies they want associated with their individual application authorizations. The field is growing, and it's being encouraged along by the group of government-mandated compliance-policy regulations. "Government regulations demand that enterprises take full responsibility for data security, and the linkage between data security and strong authentication should not be underestimated," said Al Zollar, general manager, IBM Tivoli Software. "Human identity and authentication systems are only valuable when they can be trusted. IBM's focus on identity assurance integrates access management, data security, and compliance capabilities into the critical processes that improve trust and confidence in business transactions."
Emerging areas of interest in the field extend beyond network and enterprise identity management to trading partner access management and trusted identity. The latter is best understood by thinking of taking something like a passport and transferring its authentication properties to the electronic domain. The fact that billions of people, each with a separate identity, all require and use various forms of identification and authentication on a daily basis--from employee badges to driver's licenses--suggests the business of ensuring that each of these can be trusted represents a major undertaking. IBM is working through its centers in Dallas; San Jose; Bangalore, India; and LaGaude, France--called IBM Trusted Identity Centers of Excellence--to extend IBM's identity management capabilities so as to improve trust and confidence in the broad spectrum of human identity-management devices.
To ensure acceptance of today's identity-management solutions, vendors must focus on two objectives, according to Anthony. "One, you want to ensure the cost of the technology, including the total operational costs and everything, has to be an order of magnitude less than the exposure the company faces as a result of fraud or failure of an audit," Anthony says. "In addition, it has to be very easy for either an application developer or the administrator running the system to implement it and maintain it.... Any barriers that you put in place in the overall deployment or day-to-day operations of the system by creating overhead for those who have to use it is just not a very good business decision on the part of vendors," said Anthony.
Integration with a company's current systems also apparently is a key to acceptance. "It's a matter of integrating with the customer's existing systems," Anthony says. "We can't expect the customer systems to be modified to work with our applications, so this requires ongoing investment on our part. The challenge is how to make it as easy as possible to drop into their existing environment."
While Anthony and others confirm there is not likely to be a revolution any time soon in identity management, there is, nevertheless, an evolution underway. It is toward broader implementation and easier deployment. Experts gauge that the movement will be ongoing for the next several decades, driven by compliance regulations and the need to thwart the increasing number of attempts to steal assets and counterfeit people's identities.