And while that definition may seem exhaustive, to say the least, Ant Allan, research VP at Gartner, adds more still. "Identity management is a bag of markets, not a single market in itself."
Allan says such solutions, the basis of an integrated security plan (which unifies all security solutions and ties in with corporate strategy), are popular because they improve (process) efficiencies and satisfy regulation on good governance. The first concerns the removal of onerous administration tasks governing many security solutions, improvement of internal service levels (application requests, for instance) and speeding up the turnaround of change requests (such as when an employee leaves or joins the company). The second has to do with risk management.
"One problem in a heterogeneous environment is tying things down because you have different administrators on different systems. You get inconsistencies in the way users are set up, you lose track of them, you leave user accounts lying around with access that they no longer need or even [inactive] accounts belonging to former employees," he notes.
For Herman Singh, director: technology engineering at Standard Bank, these are very real issues, because, as is pointed out several times elsewhere in this issue, the biggest threat to an organisation is internal.
And while he concedes that there is no cure-all solution, he says the only way to deal with the issue is through access control and monitoring, or identity management.
However, identity management alone is not enough. End-user organisations must authenticate users via more than just a password. To Singh's mind this means using two-factor authentication, in other words, supplementing traditional password systems with other methods. In many companies this is not a reality yet, because of the cost of extra layers and the immaturity of the technology.
Andrew Kellett, senior research analyst at Butler Group, agrees stronger methods of authentication are being sought in Europe too. He cites Lloyds TSB as an example. This financial institution is setting out on a trial of two-facet authentication, using one-shot tokens.
This method requires a separate device that, upon activation, will produce a one-time code that lasts for 30 seconds. That code, when used in conjunction with a password, provides two-factor, hence harder-to-crack authentication.
Standard Bank has developed a two-factor authentication scheme for its Internet banking service, one for which Singh says 110 000 customers have already signed up. It only requires a cellphone.
Certain transactions, such as loading new beneficiaries, changing your personal details or making a one-time payment, trigger a one-time code that is sent to the customer's cellphone via SMS. Once the code is entered online, the transaction can proceed.
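The transaction-triggered code described above, sketched from the server's side as an added example (it is not Standard Bank's code). It shows the checks such a scheme needs: the code is tied to one transaction, expires, is single use and tolerates only a few wrong guesses. The action names, five-minute validity, three-attempt limit and in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Actions the article lists as triggering a code; the names are illustrative.
STEP_UP_ACTIONS = {"add_beneficiary", "change_personal_details", "once_off_payment"}
CODE_TTL_SECONDS = 300   # assumed validity window
MAX_ATTEMPTS = 3         # assumed limit on guesses per code

_pending = {}  # session_id -> challenge record (in-memory stand-in for a store)


def _digest(code, action, details):
    # Bind the code to the exact transaction so it cannot approve a different one.
    return hashlib.sha256(f"{code}|{action}|{details}".encode()).digest()


def requires_step_up(action):
    return action in STEP_UP_ACTIONS


def issue_challenge(session_id, action, details, now=None):
    """Create a one-time code for this transaction; the caller sends it by SMS."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.randint
    _pending[session_id] = {
        "digest": _digest(code, action, details),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_challenge(session_id, action, details, code, now=None):
    """Return True once for the right code on the same transaction, else False."""
    now = time.time() if now is None else now
    rec = _pending.get(session_id)
    if rec is None:
        return False
    if now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
        del _pending[session_id]  # expired or locked out: a new code is needed
        return False
    rec["attempts"] += 1
    if hmac.compare_digest(rec["digest"], _digest(code, action, details)):
        del _pending[session_id]  # single use
        return True
    return False
```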
Down the road at First National Bank, a similar investigation is taking place. Dr Chris Kotze, CEO of FNB eSolutions, reports that various options are being considered for its electronic banking services. So far, he says, biometrics hasn't featured very highly - primarily because of the complexity of supporting a large client-base.
However, he says, two-factor authentication for Internet banking is one thing, implementing stronger security with existing internal environments quite another. Singh reports that Standard Bank is looking at various alternatives including the cellphone model, smart cards and biometrics. "We'll probably go for smart cards," he says.
Roy Blume, research manager at BMI-TechKnowledge (BMI-T), says the two chief inhibitors of biometric technology are cost and its perceived invasiveness. He describes it as a balancing act between security, cost and ease of use. So which will you use?