Passwords, SecureID cards, pass cards, yet more passwords? I have
corporate accounts with my clients, tens of personal accounts and
overwhelming numbers of passwords, not to mention the secure ID cards,
bank Personal Identification Numbers (PIN) and other accoutrements of
the modern connected life. How can we possibly remember all our
passwords? Yes, I admit it. I do maintain a written file of all my
PINs and passwords.
Is there a better way to keep track of them all? What if I only
needed to memorize one password or, even better, use a special card
that would tell the computer how to access all of my accounts? The
technology to allow a single network identity or “single sign-on”
already exists today. For some it is the holy grail of network
security. For others it can be a nightmare. Imagine if your network
identity was appropriated or stolen. It can potentially cost thousands
of dollars and months of effort to clear your name. Is single network
identity a good idea in this age of network security breaches and ID
fraud?
What is single network identity?
The old computer geek joke “on
the Internet nobody knows you are a dog” is an apt description of
account and network identity information. How do computers “know” you
are who you say you are? For decades, computers have recognized who
uses them with user login accounts and passwords. There are two parts
to the recognition process. First, the system administrator must grant
you authorization or access to the system by creating an account with
a username and an associated password. UNIX systems store the
information in a text file unimaginatively named /etc/passwd. Once the
account exists, the system must authenticate you when you access
it. Jim Johnson, a systems administrator formerly at the University of
Pennsylvania, writes, “Authentication answers the questions ‘Who am I?’
and ‘Who am I talking to?’, while authorization answers the questions
‘Do I have access to this server?’ and ‘What are my access
privileges?’”
The overall theory of single sign-on is that you have one network
identity for access to all of your various networked systems and
accounts. Johnson continues, “Single Sign-on represents the concept
that a computer user can be authenticated once during a session. Any
systems or networks connected to the security database would check to
determine privileges, with no need for any further interruptions or
passwords.” This would theoretically mean that you could have the same
password for all your on-line access requirements. For example, at
work you would log in once in the morning and not worry about how to
access your files. Sounds great; I can never remember where all my
files are located anyway. Before you commit too hastily, think of this
alternate scenario: you could also have the same password for your
on-line bank account, 401k plan, and your home network. Whoa, this
sounds dangerous to me! What happens if someone takes over my
identity?
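As an added illustration (not code from the article or from any product it names), the following Python model shows the two steps Johnson separates: one authentication against a central identity store at the start of a session, after which each connected system only asks that store about authorization. It also shows why one identity is both convenient and dangerous: one stolen session token reaches every system, and one revocation disconnects the user from all of them. The usernames, systems and rights are constructed sample data.

```python
# Added example: a minimal single sign-on model (not from the article).
import hashlib
import hmac
import os
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    """Derive a password hash with scrypt so the store never keeps plaintext."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**12, r=8, p=1)


class IdentityStore:
    """Central 'security database' consulted by every connected system."""

    def __init__(self):
        self.users = {}       # username -> (salt, password hash)
        self.privileges = {}  # username -> {system name: set of rights}
        self.sessions = {}    # session token -> username

    def create_account(self, user, password, privileges):
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password, salt))
        self.privileges[user] = privileges

    def login(self, user, password):
        """Authentication ('Who am I?'): done once, yields a session token."""
        record = self.users.get(user)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, _hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def authorize(self, token, system, right):
        """Authorization ('What are my privileges on this server?'),
        answered per system from the central store; no second password."""
        user = self.sessions.get(token)
        if user is None:
            return False
        return right in self.privileges.get(user, {}).get(system, set())

    def revoke(self, user):
        """De-provisioning: one action disconnects the user from every system."""
        self.users.pop(user, None)
        self.privileges.pop(user, None)
        for token in [t for t, u in self.sessions.items() if u == user]:
            del self.sessions[token]
```

The same token that opens the file server also opens payroll, which is exactly the blast radius the article worries about for personal accounts.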
Is it secure?
As long as there have been computers and computer login accounts, the
potential has existed for people to steal identities or harm data. Of
course, pre-Internet it was much more difficult to access computer
systems. Unless you had a dialup modem connection, which was expensive
and very slow, the only way to break into a computer was to sit at a
terminal or console that was directly attached to the
machine. Government agencies still use limited physical access or “air
gap security” as an effective means of maintaining their computer and
data integrity.
In the new hyper-security conscious world, does single network
identity security still make sense? The answer is yes and no. When you
think about it, all networks are ultimately insecure. Security
professionals are all paranoid, that is their job. For the rest of us,
it is a matter of how much risk can we tolerate. If someone steals
your wallet with all your credit cards, it can be a very traumatic
experience. If you forget to pick up the change at a newsstand, you’re
likely not terribly concerned about the loss. Think of computer
and network security in the same way. If your Yahoo! e-mail account
gets spammed, that is just part of using a relatively public
address. If your credit card information is appropriated after you
have made a secure purchase on Amazon, you’ll be justifiably upset.
Single network identity does make sense in the workplace
environment, where the IT department must keep track of literally
thousands of people and machines. Having a system that allows staff to
log in with one account name and one password inside a corporate
firewall, where the users are protected by the security systems
maintained by the corporate IT department, can be very cost
effective. More importantly, the vulnerable data is not personal
information, but company property. The company is balancing the risks
of compromising important company records and the costs of maintaining
thousands of accounts.
David Lavenda, Vice President of Marketing & Product Strategy
at Business Layers Inc., remarks, “Network security is not only about
pulling the plug when employees leave but limiting the access while
they are in the company. In today’s volatile business environment,
departments and teams are built and changed constantly.” Their
product, eProvision, allocates appropriate resources to employees
based on business rule sets. The digital identities stay with the
employee as they move through the company. If (or when) people leave a
company, they are securely and systematically disconnected from all
resources – providing companies with an added level of
security. Business Layers in Rochelle Park, N.J. and Cupertino, Calif.-based
Oblix, Inc. are just two of a number of companies that sell
comprehensive network identity products, mostly to larger enterprises.
“Universities are another case where the interest in single
sign-on technology is high. Because of their limited resources and the
huge amount of account turnover, they are attracted to self-serve
account administration. The burden is on the student customer to get
the account information correct,” says Lavenda.
In general, the consensus among the experts seems to be that, for
individual accounts, single network identity is just too
risky. The June 17, 2002 Scientific American article “Who’s Who? Can
digital technology really prevent identity theft?” suggests, “Instead
of spending more resources on a holy grail of perfect identification,
governments and businesses should accept that ID failures will occur
and make reporting identity fraud as easy as reporting a single lost
or stolen credit card. For personal computer access stay with more
limited forms of identification — each suited to a small range of
transactions; this might turn out to be more cost-effective and secure
than a single overarching digital persona.”
Beth Cohen is president of Luth Computer Inc.,
a consulting practice specializing in IT infrastructure for
smaller companies. She is currently writing a book
about IT for the small enterprise and pursuing an Information Age MBA
from Bentley College.
This article was first published on CrossNodes, an internet.com site.