As the social Web erodes privacy, corporates will have to find ways to secure their networks without basing authentication purely on identity, says Jim Reno, distinguished engineer at authentication tech firm Arcot, which CA Technologies acquired last year.
With increasingly sophisticated technology come increasingly sophisticated threats, says Reno, and the automation tools widely used to streamline business are also being used for more sinister purposes.
“These days you don't have to build your own virus anymore, there's a whole marketplace where you can buy viruses and receive support. And the same kind of automation being used for everything else is being used in attack efforts.”
He says another factor causing IT departments sleepless nights is the de-perimeterisation of IT, as networks spread beyond the corporate firewall.
“As businesses use more and more services in the cloud, some under their control and some not, they don't have an IT security boundary anymore. So while enterprises are making a conscious choice to use cloud applications, and can try to understand cloud service providers' security policies, it's still a relatively new, uncertain area for them.”
The borders are also becoming increasingly blurred as the social Web enters the corporate environment, thanks to the rise of personal mobile devices.
“For years, corporates would only allow BlackBerrys as additional devices because they have Enterprise Server and good security and encryption - it was pretty much like their own network. Then one day the CEO walks in and says 'I want to be able to use my iPhone', and then another three executives come in and want to be able to work on their iPads. So enterprises had to relax their perimeters.”
This brought new challenges for IT security professionals, who now had to secure a network that had multiple access points, many of which were outside the organisation's control.
Reno says this is where “identity access security for and from the cloud” can prove beneficial.
“Because a security problem is very disruptive to a business' IT schedule, delivering a security solution through the cloud really helps them. They don't have to install all new infrastructure and train staff; using a cloud-enabled service can reduce time to implementation enormously.”
He adds that delivering security as a software solution means services can be quickly and easily deployed, on any device, as opposed to hardware tokens or smart cards that are cumbersome and only work on specific devices.
They offer identity management capabilities, including single sign-on across domains, and enable authorised users within one organisation to securely access the data and applications or cloud services of another organisation.
Reno says plans for the future include working on products that are even more flexible and powerful, so security becomes less of an IT responsibility, and more a service the business owner can select and deploy - with minimal effort.
Death of anonymity
While social networking can serve as a powerful tool for enterprises to communicate and collaborate, the fact that these activities are out of enterprise control is a major issue for companies everywhere, says Reno.
“A hot evolving area in security at the moment is what to do about employees on sites like Facebook, who are exposing corporate information.
“There's an inherent threat when you start connecting things together. Networks create opportunities but they also create threats, so the more things that get connected, the more attack vectors you have coming in.”
He explains that threats to privacy are inherent to the increasing convergence of technology, and that this impacts on authentication policies.
“Security and privacy have an interesting relationship - if you base security on identity, in order to be secure you need to know a lot about the user, which brings in issues of privacy.
“Also, the information you need to know about is increasingly leaking out into the social Web. So if the authentication question is 'what's the name of your first dog?', for example, and you have a Facebook page all about your first pet Fluffy, then that information becomes widely available. Say a friend then posts a link to your page on a blog, and Google picks that up and makes it searchable... eventually, it comes to the point where all someone needs to do is type in your name and 'first dog', and they can access that information.”
For this reason, says Reno, enterprises have to find ways to identify people beyond just their identity. This requires verifying not only who the individual is, but what they're trying to do or the data they're trying to access, he explains. It can include checks like examining content and ensuring they're on a device that the network recognises or that's been used in the past.
“This is an important direction for the future - to find ways to base security on things other than identity.”
* Lezette Engelbrecht is hosted in Las Vegas by CA Technologies Southern Africa.


