Passwords alone don't provide enough protection
Enterprise authentication used to be simple: passwords for everyone, and expensive tokens for the small number of users who worked remotely. But the world is changing. The workforce is now mobile, with large numbers of employees accessing the corporate network from hotels, coffee shops and their homes, putting confidential data at risk. New security practices and policies are being rolled out for regulatory compliance, and they all highlight the need for strong authentication. Experts agree that username/password authentication does not provide enough protection against unauthorized access. CIOs are challenged to increase authentication security while preserving operational and budget efficiency.

Challenge No. 1: Efficiently roll out strong, versatile enterprise authentication to a growing number of users while controlling costs.

Beyond the single authenticator
When a limited community of users with the same basic requirements needed additional protection, a single authenticator such as a hardware token, though traditionally expensive and sometimes hard to manage, was a reasonable solution. That small community of users who need more than password protection has ballooned. The authentication requirements of users within an organization now vary depending on a number of factors, including the level of security required, their usability needs and experience, and where and how they access the network remotely. A versatile authentication platform offering a range of authentication options, often as one component of a layered security model, that can be matched to each user constituency based on policy and risk assessment, both now and as organizational requirements change, has become an important requirement.

Challenge No. 2: Meet potentially diverse company authentication requirements, now and into the future, with a single versatile authentication platform.
Balancing Act: Regulatory Requirements, Remote Workers and Reducing Costs
The boundaries of the corporate network are being challenged as more employees need access wherever they are. Extranets, intranets, Web mail and now, more than ever, desktops need strong authentication because they are being accessed from beyond the boundaries of the corporate network. This increasing pressure to make more information available to employees anywhere, at any time, must be balanced against increasing pressure for corporate and regulatory compliance. From PCI-DSS (the Payment Card Industry Data Security Standard) to SOX (the Sarbanes-Oxley Act, formally the Public Company Accounting Reform and Investor Protection Act) and HIPAA (the Health Insurance Portability and Accountability Act), most organizations are rolling out new practices to achieve regulatory compliance. Simple passwords, even for users operating exclusively internally, are no longer enough to prevent breaches, protect privacy and achieve compliance. Strong authentication must be deployed to a wider audience, efficiently and cost-effectively.

Looking at enterprise authentication as a whole, the flexibility to secure different users and their connections with different, appropriate authentication methods is critical. Using risk assessment and policy to determine when stronger authentication is required for access to higher-value resources allows authentication to be layered as needed. A single authentication platform used across VPN remote access, Microsoft desktop logon and Web applications provides a suitable, cost-effective and easier-to-manage approach to enterprise authentication.
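The layering described above, combining the value of the resource, the access channel and the device posture into a required authentication strength, is shown here as an added worked example; it is not code from the original whitepaper or from any vendor product. The resource names, channel names, assurance levels and the "one step per risk factor" rule are all assumptions chosen for illustration, and the default for an unlisted resource is deliberately the strongest level so the policy fails closed.

```python
"""Risk- and policy-driven step-up authentication (illustrative example)."""
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Ordered authentication strength levels (assumed for this example)."""
    PASSWORD = 1    # username/password only
    OTP = 2         # password plus a one-time code (soft token, grid card, SMS)
    HARDWARE = 3    # password plus a hardware token or smart card


# Baseline strength per resource, derived from the value of what it protects.
# Resource names are hypothetical. Anything not listed is treated as
# high value, so an unknown resource fails closed to the strongest level.
RESOURCE_BASELINE = {
    "intranet-portal": Assurance.PASSWORD,
    "webmail": Assurance.OTP,
    "cardholder-db": Assurance.HARDWARE,
    "patient-records": Assurance.HARDWARE,
}

# Extra step added by the access path (assumed): remote paths that reach
# the internal network raise the requirement, a plain web front end does not.
CHANNEL_STEP = {
    "lan": 0,
    "web": 0,
    "vpn": 1,
    "desktop-remote": 1,
}


@dataclass(frozen=True)
class AccessRequest:
    resource: str
    channel: str
    managed_device: bool   # corporate-managed endpoint vs. unknown/personal device


def required_assurance(req: AccessRequest) -> Assurance:
    """Combine resource value, channel and device posture into one required level."""
    level = int(RESOURCE_BASELINE.get(req.resource, Assurance.HARDWARE))
    if req.channel not in CHANNEL_STEP:
        # Unknown channel: refuse to evaluate rather than guess a risk step.
        raise ValueError(f"unknown access channel {req.channel!r}")
    level += CHANNEL_STEP[req.channel]
    if not req.managed_device:
        level += 1
    # Clamp so that stacked risk factors never exceed the strongest defined level.
    return Assurance(min(level, int(Assurance.HARDWARE)))


def decide(req: AccessRequest, presented: Assurance) -> str:
    """Return 'allow' if the presented factor meets policy, else 'step-up:<LEVEL>'."""
    needed = required_assurance(req)
    return "allow" if presented >= needed else f"step-up:{needed.name}"


if __name__ == "__main__":
    # Constructed sample requests, each with the assurance level the user has presented.
    samples = [
        (AccessRequest("intranet-portal", "lan", True), Assurance.PASSWORD),
        (AccessRequest("intranet-portal", "vpn", False), Assurance.PASSWORD),
        (AccessRequest("webmail", "web", True), Assurance.OTP),
        (AccessRequest("webmail", "web", False), Assurance.OTP),
        (AccessRequest("cardholder-db", "lan", True), Assurance.OTP),
        (AccessRequest("unlisted-app", "lan", True), Assurance.OTP),
    ]
    for req, presented in samples:
        print(f"{req.resource:16} via {req.channel:14} managed={str(req.managed_device):5} "
              f"presented={presented.name:8} -> {decide(req, presented)}")
```

The point of the structure is that the same policy function serves every channel (LAN, VPN, Web, remote desktop): the front ends only differ in the channel label they pass in, which is what lets one authentication platform enforce a single, auditable rule set instead of a separate one per access path.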
Regulatory Review
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA), passed by Congress in 1996, seeks to protect the privacy and security of health information. The HIPAA Security Rule covers the safeguards that must be implemented to protect electronic protected health information. Organizations must ensure that this information is protected both at rest and in transit. Multifactor authentication can play an important role in protecting health information by restricting who has access to it. "Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed."
— HIPAA Security Rule
PCI
In response to feedback from members, merchants and service providers on the need for a single approach to stronger information security across all card brands, the credit card companies collaborated on a common set of industry security requirements known as the Payment Card Industry (PCI) Data Security Standard. Compliance with the PCI Data Security Standard is a requirement for all merchants and service providers that store, process or transmit cardholder data.