By David Mount, director, security solutions consulting EMEA, Micro Focus
Data breaches have shown time and again that one single point of authentication – a password – is a poor choice for security teams looking to secure and govern their networks and data. With users increasingly concerned about data security, businesses are being forced to recognise that traditional authentication methods have been failing for some time and more effective processes are required.
The inadequacy of the password
Using a password as a single point of authentication remains a de facto security control, yet ultimately it is no longer fit for purpose. Research consistently shows that passwords are continuously recycled and misused by users. However, many businesses seem determined to rely on end users – the least-trained and least security-savvy individuals – to secure their data. Organisations often attempt to address this issue by enforcing strong password policies, but when asked to remember very complex passwords, users often resort to writing them down. With an increasing number of UK businesses falling victim to a data breach, it’s time for us to admit that passwords are no longer sufficient as the sole method of authenticating who we are. As we undertake more complex interactions online, businesses must use a more sophisticated approach if they are to keep corporate information secure.
Using just a password ultimately places our entire trust in one single factor of authentication. With this one piece of information, we prove we are who we say we are. Unsurprisingly, attackers focus on this weak link in the security chain, aided by companies which place responsibility on the end user yet allow them to use inadequate passwords. As passwords reach the end of their useful lifespan, we’re seeing the enterprise shift towards more secure methods of authentication.
How to successfully prove user identity
Passwords may not be sufficient alone, but when used in conjunction with other authentication security measures – from tokens and behavioural indicators to biometrics – businesses can quickly improve security. The rise in mobile-first and BYOD strategies may have increased end user expectations, but it has also opened the door to the much more widespread use of multi-factor authentication. By adopting more advanced authentication methods, companies can ensure cyber criminals find it more difficult to access sensitive corporate data. It is, however, imperative that IT selects strong authentication solutions which offer minimal inconvenience to the end user. If not, employees may be deterred from using these solutions and look for alternative, less secure options.
As more devices enter the workplace, organisations must accept that policies based on specific devices are impractical. Controls should be focused on aspects of identity used in conjunction with the device – from the user’s identity to the location – instead of just the device itself. By further increasing the security level according to the type of information which the user is authorised to access, IT can minimise the risk of a breach while simultaneously enabling employees to take advantage of BYOD policies and work more effectively. Those with access to the most sensitive information must be required to present more than one form of identification, such as a password together with a one-time code. End users trying to access less sensitive information may continue with just one form of authentication.
Some businesses are now considering how biometrics – such as a fingerprint or heartbeat – can be implemented to simplify access for users while effectively proving user identity. By investing in innovative hardware, software and biometric technology, banks are leading the charge in biometrics. While HSBC is planning to implement voice recognition and touch security software, Halifax announced that it would trial ECG technology to record a person’s cardiac rhythm. Innovative technology now exists which can enable businesses to carefully examine specific biometric details, making it as difficult as possible for a criminal to impersonate an end user.
There is no ‘one size fits all’ when it comes to an enterprise security strategy. Many factors need to be considered, including number of users and the sensitivity of data being accessed. While we can expect to see greater use of biometric authentication in future, from iris and retina scans to behavioural elements, biometrics will not work for every organisation. Yet as biometrics start to permeate the consumer world – only consider the millions of people now using Apple’s Touch ID on a daily basis – user demand and expectation will shift. In turn, many organisations will consider implementing some form of biometric technology as a result.
Security in an “always on” world
Our 24/7 connected world is also leading to the rapid growth of the Internet of Things (IoT). As this trend begins to take off, many companies are considering how to prepare for the security challenges it will bring. Employees will be increasingly connected to the IoT – through connected hardware in the office, wearables and any number of new devices – so the concept of “Identity” will be key when ensuring the correct security measures are in place to protect corporate data and user privacy. The need to quickly and securely prove our identities will increase as we spend more time online, while the growing number of IoT devices will simultaneously begin to play a large role in authenticating who we are. We will start to see a form of continuous authentication required, based both on the data these devices collect about us and on the way we interact with the devices and services constantly around us. Multi-factor authentication will come into its own in this new digital “always on” world.
Businesses are searching for the right balance between streamlining the authentication process and ensuring security controls are sufficient. The rising cost of fraud and breaches is a major concern for the C-suite, and the more secure the authentication process, the more those losses can be limited. Passwords as a single point of identification are clearly no longer secure enough to safeguard sensitive corporate data. As such, businesses must identify where multi-factor authentication – and potentially biometrics – can come into play to ensure employees can quickly access data in a secure fashion.