The Network Computing Masterclass series…

from Network Computing Magazine March/April 2010

… Going beyond technology and product. This network management masterclass series is in association with CRYPTOCard. In this edition Jason Hart, CISSP CISM of CRYPTOCard, asks whether SSL VPN is really secure.

The Landscape

Easy and cost-effective remote access for employees to business applications and resources is de rigueur. Increasing demand has led to great advances in remote access technology. Organisations have transitioned from noisy, slow, and unreliable modems, through expensive VPN access with poor throughput, to fast broadband connections using SSL VPNs (Secure Sockets Layer Virtual Private Networks). Organisations understand that SSL VPNs are cost effective. The lack of software clients for remote users increases flexibility, enabling people to work from hotels, coffee bars, and any other remote location. But no matter how the technology changes or cost effectiveness improves, one thing remains constant: to provide true security and the ability to audit, an organisation must be able to positively identify every user attempting to access the system.

The Issues

While SSL VPN technology has allowed organisations to simplify access to their networks and data, many overlook the fact that these access points are secured with static passwords. Static passwords are proving to be the single weakest link in IT security today. With last year's problems at Twitter as a reminder, hackers find it easier than ever to guess or crack passwords, and their skills evolve as well. Often, hackers don't even need to employ keyloggers or password cracking software to discover a user's details; they simply guess. With the advent of social networks, people are broadcasting more personal information than ever, and statistics show that eighty percent of passwords relate to interests or hobbies. Add to this the fact that users often use the same password for business and personal applications, and the risk of identity theft and fraud increases. The threat posed by hackers and identity thieves has put data security onto the political agenda. Attention from government departments is driving the creation of new policies, such as the Information Commissioner's power to fine organisations up to £500,000 for a data breach. Without doubt, organisations find themselves under more pressure than ever to ensure their networks are adequately protected.

Resolving the Issues

To control admission of users into a VPN there is a choice of solutions. One is to implement a stronger password policy, requiring employees to change their passwords regularly, say every thirty days, and requiring passwords to be of a certain length and to contain certain character types. The downside of such policies is that they can be very time, and therefore cost, intensive. Gartner research finds that password reset requests and other user identity-related problems account for up to thirty-five percent of all help-desk incidents.

Another approach to offering secure access is two-factor authentication. It replaces static passwords with a PIN and a token that generates a password valid only once. As a result, captured user login details become utterly useless to hackers. In addition, the fact that it also helps organisations meet compliance requirements brings additional peace of mind, increasing the popularity of two-factor authentication. We now see two-factor authentication being deployed by organisations of all sizes, across a wide range of markets. Independent consultancy group Quocirca says, "To protect themselves from the security threats that they face today, we recommend that organisations should boost their identity and access assurance procedures by deploying stronger methods of authentication than user names and passwords alone, in the form of security tokens."

In conclusion, while remote working solutions are of great value, they also mean that network borders are no longer defined as they once were. An organisation's network is as accessible as the internet, and the only line of defence against hackers and ID thieves is the access control that protects it. Therefore, unless the necessary controls and solutions are added to manage or replace passwords, SSL VPN security is compromised, and we are leaving organisations open to the invisible threat of insecure passwords.
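The "PIN plus token, valid only once" mechanism described above, shown as a server-side verifier. This is an added example and is not code from the original article or from CRYPTOCard; it uses HOTP (RFC 4226, HMAC-SHA1 over an event counter) as the one-time-password algorithm, which is one common way event-based tokens work, not necessarily the vendor's scheme. The `OtpVerifier` class, its user record layout and the look-ahead window of five counters are assumptions for illustration, and the secret is the RFC 4226 test-vector key, not a real credential.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class OtpVerifier:
    """Hypothetical server-side state for PIN + event-based token login (assumption, not a vendor API)."""

    def __init__(self, look_ahead: int = 5):
        # Tokens drift ahead when a user presses the button without logging in, so the
        # server accepts any of the next `look_ahead` counter values.
        self.look_ahead = look_ahead
        self.users = {}  # username -> {"pin": str, "secret": bytes, "counter": int}

    def enrol(self, username: str, pin: str, secret: bytes) -> None:
        self.users[username] = {"pin": pin, "secret": secret, "counter": 0}

    def verify(self, username: str, pin: str, otp: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        # Factor 1, "something you know": constant-time PIN comparison.
        if not hmac.compare_digest(rec["pin"], pin):
            return False
        # Factor 2, "something you have": the OTP must match one of the upcoming counters.
        for c in range(rec["counter"], rec["counter"] + self.look_ahead):
            if hmac.compare_digest(hotp(rec["secret"], c), otp):
                # Consume the counter: this code and all earlier ones are now dead,
                # which is what makes a captured or guessed OTP useless to an attacker.
                rec["counter"] = c + 1
                return True
        return False


def demo():
    """Walk through a login, a replay of the same code, and a wrong PIN. Returns the three outcomes."""
    secret = b"12345678901234567890"  # RFC 4226 test-vector secret (constructed, not a real key)
    srv = OtpVerifier()
    srv.enrol("alice", "4321", secret)
    first = hotp(secret, 0)  # what the token would display at counter 0 ("755224")
    ok_first = srv.verify("alice", "4321", first)   # True: fresh code, correct PIN
    replay = srv.verify("alice", "4321", first)     # False: counter already consumed
    wrong_pin = srv.verify("alice", "0000", hotp(secret, 1))  # False: PIN check fails first
    return ok_first, replay, wrong_pin


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The verifier checks the PIN before touching the counter, so a wrong PIN never consumes a code, and the look-ahead window means a code behind the stored counter is rejected even if it was never used. Contrast this with the static-password case: there, the same captured string works indefinitely.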

In the next issue of Network Computing, CRYPTOCard will continue this Masterclass by asking, do you really know who is accessing your data? Network Computing and CRYPTOCard invite reader comments and questions relating to items discussed in this series. Mail: Ray.Smyth@BTC.co.uk