I received an email from a journalist who wanted to discuss the trends in user Identification and Authentication as well as some best practices and prognostication.
Since my consulting tenure over the last 15 years has allowed for a broad exposure to these concepts, I felt I could provide some valuable commentary.
As a recap, my most recent clients had significant Identification and Authentication challenges. One was a Health Care client that focused on HIPAA, HITECH and PCI DSS compliance. I was also providing guidance on security best practices and processes; both of these included effective identification and authentication at the client location.
At the same time, I worked with a Financial client where I was responsible for their eCommerce Single Sign-on and Multifactor Authentication solutions. This included business process and practices alignment with Commercial and Consumer lines of business. Again, this was a deep exposure to the concepts of user Identification and Authentication.
In your view, what are some of your present concerns about Identification and Authentication management from the perspective of an IT manager?
The top concern regarding Identification and Authentication is the reliance on the antiquated User ID and password scheme. Savvy social engineering techniques can gather User IDs. Passwords can be readily cracked due to the difficulty of enforcing proper password protocol. Also, due to the increase in computing power, most passwords can be cracked via brute force.
Effective Identification and Authentication not only validates a user, but also the equipment assigned to that user. Should users and equipment always be viewed together whenever developing an identification and authentication program or policy?
I believe it is a best practice to view users and equipment together as much as possible. This will facilitate effective asset management, a key foundational practice for information security. However, there will be exceptions, such as kiosk computers in healthcare with multiple users.