Sunday, 01/23/2005 8:28:44 PM

Problem identified
Jeffrey Lim, Jan 24 2005
Who am I? More than just the title to a Jackie Chan film, that is a question that IT systems must correctly answer for anyone seeking to gain access. This issue of identity management has been around ever since users were allowed online access to computer systems, starting with the rudimentary user ID and password system.
Back then, access was limited to those who had access to terminals that were physically connected to the computer, providing an additional layer of physical security. Today, however, the demands for telecommuting and mobile computing have potentially thrown corporate IT networks open to anyone with Internet access.

Interestingly enough, the user ID and password system continues to be the most popular form of identification and access for IT systems. While this reflects how well the system actually does work in managing the issue of identity and access management (IAM), there have been concerns about its adequacy, especially in the face of the openness of today’s IT networks. “In the past, security was a by-product or afterthought,” said Anthony Lim, CA’s brand director, security for Asia South. “But now, the threats have grown exponentially, and security, identity and access management are big issues.”

Various measures have been introduced to tighten the security of the venerable user ID and password system, including having different user IDs for different systems and applications, ensuring that passwords are of a minimum length with both alpha and numeric characters, and forcing users to change their passwords on a regular basis without repeating previously used passwords. But these are often at the expense of convenience to end-users, and may even result in a further expense to the organisation.
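As an added illustration, not part of the original article, the following Python sketch enforces the three measures listed above: a minimum length, both letters and digits, and no reuse of recent passwords. The history check compares salted PBKDF2 hashes rather than keeping old passwords in the clear. The policy values (8 characters, 5 remembered passwords) and the sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Policy parameters: constructed example values for the rules the article lists.
MIN_LENGTH = 8
HISTORY_DEPTH = 5  # number of previous passwords that may not be reused


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so the history never stores passwords in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_policy(candidate: str, history: list) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable.

    history holds (salt, hash) pairs of the user's previous passwords, newest first.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in candidate):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in candidate):
        problems.append("contains no digits")
    # Only the most recent HISTORY_DEPTH entries count; compare in constant time.
    for salt, old_hash in history[:HISTORY_DEPTH]:
        if hmac.compare_digest(_hash_password(candidate, salt), old_hash):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


def record_password(password: str, history: list) -> list:
    """Return a new history with the password's salted hash at the head."""
    salt = os.urandom(16)
    return [(salt, _hash_password(password, salt))] + history


if __name__ == "__main__":
    # Constructed walkthrough: set one password, then try to change it.
    history = record_password("Winter2004x", [])
    for attempt in ("short1", "Winter2004x", "Spring2005y"):
        print(attempt, "->", check_policy(attempt, history) or "accepted")
```

The history stores a fresh salt per entry, so two users choosing the same password produce different hashes and the history reveals nothing about the passwords themselves.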

It has to be easier
“There were many cases where users could not remember their many different passwords to log on to multiple applications, and many password resets were requested,” said Melissa Foo, risk management service manager at the CIO office in Singapore’s Economic Development Board (EDB). “This increased helpdesk costs considerably.”

It is no wonder, then, that in seeking to balance security with convenience, organisations have turned to solutions that provide the convenience of single sign-on (SSO) with at least two-factor authentication, using tokens, smart cards, biometrics, or some other physical device as a second factor to identify the user. EDB, for example, has deployed Encentuate’s TCI enterprise access security solution, which has access agent client software residing on the end-user’s PC that can only be logged on to using a physical USB key and a passcode.

Once the user has logged on to the access agent, a server sends it a “wallet” containing the user’s personal identity profiles, including the user IDs, passwords, certificates and encryption keys for the various systems and applications the user has access to. The access agent then acts on the user’s behalf to log in to and log out of systems and applications automatically, even handling password changes according to the rules set down by the organisation. In this way, users need only keep their USB key handy and remember a single passcode, while the various user IDs and passwords of the different systems and applications can be made as complicated and unrecognisable as the organisation wants.

“Users in EDB now enjoy a more secure and yet convenient way to logon to multiple applications with the simple two-factor authentication mechanism of a USB key and a passcode,” said Foo, adding that users’ feedback has so far been encouraging.

Over at Singapore’s JTC Corporation, the two-factor authentication comes in the form of the user’s mobile phone when a user does a remote logon. Here, after the user first logs on with a user ID and password via the Web, a one-time password is sent to the user’s registered mobile phone, which he then needs to enter, within a specified time limit, to gain access to the corporate network.
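The second step of that remote logon, written out as an added Python example (this is not JTC’s or Encentuate’s code): after the first factor has been accepted, the server issues a one-time code for the registered phone and accepts it only once, only within the time limit, and only for a bounded number of guesses. The 120-second lifetime, the three-attempt limit, the user names and the fake clock are all constructed for the example; a real deployment would hand the code to an SMS gateway instead of returning it.

```python
import hmac
import secrets
import time

OTP_LIFETIME_SECONDS = 120   # the "specified time limit" (constructed value)
MAX_ATTEMPTS = 3             # wrong guesses allowed before the code is discarded


class OtpVerifier:
    """Server-side state for the second factor of a remote logon.

    issue() is called only after the user ID and password (first factor) have
    been accepted. verify() enforces single use, expiry and a guess limit.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be exercised in tests
        self._pending = {}           # user -> [code, issued_at, attempts_left]

    def issue(self, user: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"   # 6-digit code from a CSPRNG
        self._pending[user] = [code, self._clock(), MAX_ATTEMPTS]
        # Returned here only so the example is self-contained; in production
        # this is the point where the code is sent to the registered phone.
        return code

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False                          # nothing issued, or already used
        code, issued_at, _attempts_left = entry
        if self._clock() - issued_at > OTP_LIFETIME_SECONDS:
            del self._pending[user]               # expired: user must request a new code
            return False
        if not hmac.compare_digest(code.encode(), submitted.encode()):
            entry[2] -= 1
            if entry[2] <= 0:
                del self._pending[user]           # too many wrong guesses: start over
            return False
        del self._pending[user]                   # single use
        return True


class FakeClock:
    """Constructed clock so the walkthrough can move time forward deterministically."""

    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


def walkthrough():
    """Returns (accepted, replay_rejected, expired_rejected) for a scripted session."""
    clock = FakeClock()
    verifier = OtpVerifier(clock)
    code = verifier.issue("alice")
    accepted = verifier.verify("alice", code)       # correct code, in time
    replayed = verifier.verify("alice", code)       # same code again: consumed
    code2 = verifier.issue("alice")
    clock.now += OTP_LIFETIME_SECONDS + 1
    late = verifier.verify("alice", code2)          # past the time limit
    return accepted, replayed, late


if __name__ == "__main__":
    print(walkthrough())  # expected: (True, False, False)
```

The guess limit matters as much as the expiry: a six-digit code with unlimited attempts inside a two-minute window is guessable by a script, so the server discards the code after a few failures and makes the user start the logon again.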

According to Yap Chee Yuen, JTC’s group CIO and chief knowledge officer, security with ease of use for the end-user was a key decision factor. “If it makes their life harder, it will not be acceptable to them,” said Yap, adding that JTC set up a forum for users to give their feedback when they implemented their remote access solution. So far, all the users seem to like the remote access solution, which combines Encentuate’s solution for identity management together with Citrix Metaframe to provide remote users the same look and feel as if they were logging in locally from the office.

JTC is currently in the process of implementing an SSO solution with a USB key as the second factor for authentication, whereby users need only remember their user code and PIN for the USB key. Desktop PCs within a secured office environment would be installed with software to provide the same functionality in place of a USB key. “It’s like going to a country club where you have a membership card that allows you to use all the facilities once you have identified yourself,” said Yap.

Yap highlighted that the ease of use of the IAM solution must also be extended from the end-user to the administration and set-up of the system. Self-service facilities, where users can update their profiles themselves, should be included as these would help reduce on-going administrative costs. There was also a need to ensure good communication with users during implementation, and to provide them with training and a user guide for the IAM solution.

EDB’s Foo added that it was important to have a good understanding of users’ computing patterns. There was also a need for good change management, where any teething problems could be addressed quickly and completely.

Do it once, do it right
CA’s Lim felt that it was important to pay attention to the implementation of an IAM system, which he felt could turn out to be a nightmare. He noted that an organisation is made up of management, who want to have a secure IAM system in place; the engineers and IT personnel, who have to implement the system; and the end-users, who will be using the system.

He said that the starting point for implementing any IAM system was to have these different people groups agree on what they want to have and what they are going to do for IAM; and from there, define their requirements.

The requirements would subsequently be expanded to take into account the security considerations that the IAM should cover, for example, handling dead accounts when staff leave, and other considerations like whether the IAM would be extended to contractors or an extranet. Details like whether external access should be to a separate system or part of the corporate network would then be worked out.

As far as implementation is concerned, Encentuate’s CEO Peng T. Ong warned against having a “big bang” implementation. He suggested instead having a fast roll-out to some users, then subsequently expanding that in breadth to more users, and in depth with more security features.

Watch your back
Besides SSO, John Philips, corporate technology strategist at Novell, noted that an IAM solution should also encompass tidying up the back-end when staff leave, and securing the desktop to prevent unauthorised applications that could be used to attack the network from running. All three components need to be in place if you want to streamline the organisation, said Philips, adding that a full implementation may extend over three to five years.

Elaborating on the back-end, Philips cautioned against having a central authentication portal or server, as that could become a potential performance bottleneck, preferring instead to have the various applications and systems continue to maintain their own access and authentication processes together with information like passwords and privileges.

The IAM server would contain user ID information together with the linked systems and applications. It would provide provisioning through defined user roles and policies, password management, and the management of moves, adds and changes, maintaining an audit trail for these applications and systems. Philips also stressed the need for self-service capabilities where users can reset their own passwords or HR can add users and assign them systems and privileges.
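The provisioning model just described, and the “dead accounts when staff leave” concern raised earlier, as one added Python example (not Novell’s, CA’s or Encentuate’s code): a small directory that grants access from a role-to-system policy, re-provisions on a move by granting only what is missing and revoking what is no longer allowed, revokes everything on departure, writes every change to an audit trail, and can reconcile its accounts against the current staff list to find accounts that should no longer exist. The roles, system names and user names are constructed.

```python
from dataclasses import dataclass, field

# Constructed role-to-entitlement policy: which systems each role is provisioned for.
ROLE_POLICY = {
    "engineer": {"source-control", "build-server", "email"},
    "finance": {"erp", "email"},
    "contractor": {"email"},
}


@dataclass
class IamDirectory:
    accounts: dict = field(default_factory=dict)  # user -> set of systems granted
    audit: list = field(default_factory=list)     # (actor, action, user, detail)

    def _log(self, actor: str, action: str, user: str, detail: str) -> None:
        self.audit.append((actor, action, user, detail))

    def add(self, actor: str, user: str, role: str) -> None:
        """Joiner: provision exactly what the role's policy allows."""
        wanted = ROLE_POLICY[role]
        self.accounts[user] = set(wanted)
        self._log(actor, "add", user, f"role={role} systems={sorted(wanted)}")

    def move(self, actor: str, user: str, new_role: str) -> None:
        """Mover: grant what the new role adds, revoke what it no longer permits."""
        current = self.accounts[user]
        wanted = ROLE_POLICY[new_role]
        for system in sorted(wanted - current):
            self._log(actor, "grant", user, system)
        for system in sorted(current - wanted):
            self._log(actor, "revoke", user, system)
        self.accounts[user] = set(wanted)

    def leave(self, actor: str, user: str) -> None:
        """Leaver: revoke every system so no dead account lingers on the back-end."""
        for system in sorted(self.accounts.pop(user)):
            self._log(actor, "revoke", user, system)
        self._log(actor, "disable", user, "account closed on departure")

    def dead_accounts(self, active_staff: set) -> list:
        """Reconciliation check: accounts still holding access whose owner is not active staff."""
        return sorted(user for user in self.accounts if user not in active_staff)


def walkthrough() -> IamDirectory:
    """Constructed joiner / mover / leaver sequence driven by HR."""
    directory = IamDirectory()
    directory.add("hr", "alice", "engineer")
    directory.add("hr", "bob", "finance")
    directory.move("hr", "alice", "finance")   # alice loses source-control and build-server
    directory.leave("hr", "bob")               # bob's access is fully revoked
    return directory


if __name__ == "__main__":
    d = walkthrough()
    for entry in d.audit:
        print(entry)
    print("accounts:", d.accounts)
```

The `dead_accounts` check is the piece that catches what the leaver process misses: if HR never calls `leave`, the reconciliation against the active staff list still surfaces the orphaned account, and the audit trail shows who granted what and when.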

In looking at an IAM solution, it is clear that there is more to it than meets the eye. JTC, for example, looked at it for a year before moving ahead with implementation.

“IAM must be seen as part of the bigger security and infrastructure management practice of the whole organisation,” said CA’s Lim, a sentiment shared by Encentuate’s Ong, who advised against buying and deploying multiple point solutions.

Ultimately, though, how well an IAM solution works will depend not so much on the technology and policies that are put in place, but on how well it is received and used by the end-user. “At the end of the day, it is the user’s responsibility. If they do not protect their mobile phone or token, there is a chance that security will be compromised,” said JTC’s Yap.
