Practical use of alternative methods, such as smart cards and biometrics, remains two to three years away and depends on both pervasive availability of components directly embedded in computing platforms and maturation of operational models.
Until a ubiquitous, inexpensive, strong authentication method does emerge, organizations should control costs and management challenges by segmenting their user population according to who they are, where they are, and what data they are accessing. This segmentation facilitates limiting deployment of strong authentication to only the most critical user subsets (e.g., executives, network administrators, "gold-level" customers). Also noteworthy is the need to support multiple authentication mechanisms that enhance the value proposition of a unified identity and privilege management infrastructure. Taking such an infrastructural approach eases management in general and (importantly) also enables easy shifting between existing and new authentication mechanisms without a need to modify applications.
Once an identity infrastructure has been established to support revenue-generating e-business objectives, companies will then begin to leverage it across internal users to gain additional operational efficiencies. A somewhat coincident occurrence is the increasing externalization of internal users, in terms of traditional remote access paradigms and emerging pervasive computing options (e.g., wireless handhelds). The relationship between these trends is that they represent two substantial aspects of the computing experience where internal users will be treated similarly to external users (as opposed to having separate infrastructure and methods). This is important because such an approach is a critical component/tenet of a security solution that addresses threats from the "inside" - the often acknowledged, but rarely addressed source of greater than 50% of all security breaches.
To avoid any confusion, organizations should not turn their networks inside out, particularly because most systems are still incapable of self-protection; rather, organizations should consider a configuration where the internal users are not "among" the back-end resources, but instead have to traverse demilitarized zones and associated security mechanisms just like external users do. Despite the apparent security benefits, relatively few organizations will embrace this approach before 2003/04, citing an inability to spare resources from the external, e-business front. This is unfortunate, however, because costs would be more than offset by savings achieved by reusing some infrastructure and reducing losses due to internally spawned security breaches. Fortunately, in the meantime, security functions will increasingly be embedded in network, operating system, and application layer components, thereby enabling administrators to implement security solutions more cheaply, as well as more thoroughly.
Copyright © 2001 META Group Inc. GLOBAL NETWORKING STRATEGIES is published by META Group Inc., 208 Harbor Drive, P.O. Box 1200061, Stamford, CT 06912-0061. Web: http://www.metagroup.com. Telephone: (203) 973-6700. Fax: (203) 359-8066. This publication may not be reproduced in any form or by any electronic or mechanical means, including information storage and retrieval systems, without prior written permission. All rights reserved. Reprints are available. GNS 1 February 2001.839