QUESTION
Our company can no longer rely on using usernames and passwords to access our networks and different systems. Due to the number of passwords people need to remember, our technicians are forever dealing with forgotten passwords, our employees writing them down to remember them or using easily guessed words. What alternatives are there for a company with around 2000 desktops?
Asked by: Bob Smith, Charles Street Buildings
Cliff May, Principal Consultant, Integralis
Increasingly, the use of username and password as a combination to authenticate a person onto a network is viewed as an administrative burden, insecure and failing to provide a strong audit trail. People are, at the end of the day, fallible. Users forget passwords, often leading to costly password resets by the help desk. Worse still, users may feel the need to write the passwords down and even give their username / password combinations to colleagues for ease of use. The matter is made worse by the need to authenticate to multiple systems, variable password standards on different systems, and the overall complexity of maintenance that this presents.
A frequently deployed, convenient and effective solution to these significant problems is the use of smartcards which enable simplified sign-on to multiple systems, plus physical security measures such as door access controls. Authentication is stronger than a simple userid/password combination as any potential user requires both the physical card and a PIN to sign on to multiple systems. With the identity of the person who has logged on assured, an organisation can enforce access controls to applications and provide audit trails that are being increasingly demanded by regulatory compliance. One significant security benefit of the deployment of smart cards is the fact that the user only knows their PIN and not the passwords that are used to log onto the systems they use. Solutions providers in this market include RSA and ActivIdentity.
Smart cards can significantly reduce the administrative burden for organisations of the size of yours, and from a user viewpoint the whole complexity of dealing with multiple systems, multiple passwords and differing password standards is vastly simplified. Security 'tokens' are another alternative that has been popular for strong authentication applications, e.g. remote access, over some years.
Solutions vendors with good track records in this area include RSA and ActivIdentity. Alternatively, where a token- or card-free solution is required, Arcot, which provides a secure software approach, may be considered.
Mark Kacary, UK Sales Director, Aladdin
Without a doubt, this is a major issue for many organisations. Bill Gates even commented on this during the RSA conference earlier this year. The research firm IDC have reported that, on average, each user is now having to remember something in the region of 20 passwords to access all the websites and applications that are now essential for everyday working practice.
As we are all aware, the ideal password should probably be at least, if not greater than, 8 characters in length; it should contain alphanumeric as well as additional characters, such as & and *, etc. It is also good to intermix the upper case and lower case characters. What we would typically find, therefore, would be a password that looks something like this: H7f%j4$M. The ideal password policy would see this password being changed every 30 days (at least) and that each application has its own unique password.
It is little wonder, therefore, that, if an individual has to try and keep to this system, they are either going to write down or forget their passwords, which results in help desk calls.
Many companies are using some form of two-factor authentication for their remote VPN users, but they are relying on the classic one-time password solution. However, what you should consider is using a USB token smartcard type solution. It can integrate into an existing user repository, such as Active Directory, and, as an administrator, you can issue each user with their own unique certificate. Smartcard technology like this enables users to store multiple password credentials to a number of applications, therefore providing simple single sign-on capabilities. One user, one password, one token and a vastly reduced call upon helpdesk resources.
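As an added illustration (not part of the answer above), the password policy it describes can be expressed as a checker: minimum length 8, mixed case, digits and symbols, plus a rough entropy estimate that shows why a compliant random password like H7f%j4$M is hard to guess but equally hard to remember. The rule names and the entropy model are assumptions of this example.

```python
import math
import string

# Policy as stated in the answer: at least 8 characters, letters and digits,
# additional symbols such as & and *, and a mix of upper and lower case.
MIN_LENGTH = 8
SYMBOLS = set(string.punctuation)  # 32 printable ASCII symbols


def check_policy(password: str) -> list:
    """Return the list of policy rules the password fails (empty = compliant)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too short")
    if not any(c.isupper() for c in password):
        failures.append("no upper case")
    if not any(c.islower() for c in password):
        failures.append("no lower case")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SYMBOLS for c in password):
        failures.append("no symbol")
    return failures


def entropy_bits(password: str) -> float:
    """Rough strength estimate: length * log2(pool), where the pool is the
    union of character classes actually used. This assumes every character
    was chosen at random, so it is an upper bound for human-chosen passwords."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in SYMBOLS for c in password):
        pool += len(SYMBOLS)
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    # Constructed samples: the page's example password and a weak one.
    for pw in ("H7f%j4$M", "password"):
        print(pw, check_policy(pw) or "compliant", f"{entropy_bits(pw):.1f} bits")
```

A policy checker like this only enforces form; it does not stop users from writing the result down, which is the point the answer makes in favour of tokens.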
Udo Kerst, Senior Product Manager, Astaro
Password management is definitely one of the major issues any IT administrator has to deal with, but no matter what your company-wide password policy looks like, the most annoying factor for end users is that they repeatedly have to enter passwords in order to get access to various information sources.
One way out is to use Single Sign-On (SSO) capabilities. For instance, when using SSO for controlling access to web sites (e.g. by using a UTM appliance), users will only need to authenticate once at initial client login to gain web access to the Internet. Based on the SSO-authenticated user, user/group access control profiles can be assigned.
Once authentication is complete, the entire Web security capabilities provided by the UTM appliance can be applied to traffic flows based on the user, including prevention of phishing, virus and spam attacks, without the need for further authentication at the browser level.
SSO integration with directory services, e.g. Active Directory, delivers improved administrator productivity, vastly enhanced security and excellent end-user transparency.