Network environments in business are changing on a constant basis, but the typical system used to authenticate and verify users' identities tends to be inflexible. Many packages that seek to deliver secure authentication assume that the environment is homogeneous, which implies that it is unchanging as well. Directory integration, however, can be streamlined and improved using virtualization technologies that go beyond the assumption that all systems are operating on a single sign-on (SSO) basis.
The need for robust IT solutions became ever more clear this week when none other than internet giant Google announced that it would be alerting specific users that their Gmail accounts may become the target of determined hacking attacks. Eric Grosse, speaking as Google's vice president in charge of security engineering, made the announcement on the firm's official security blog: "When we have specific intelligence, either directly from users or from our own monitoring efforts, we show clear warning signs and put in place extra roadblocks to thwart these bad actors." It is believed that the warning has been prompted by an increasing level of hacking sponsored by foreign governments.
According to Google's representative, users who receive a warning should not automatically assume that their account has already been hacked or hijacked. Instead, such users should have a heightened awareness that their email account may be targeted for a variety of attacks. Some of these attacks may try to compromise an account through malware, while others do not seek control of a user's email settings, but rather try to entice an account holder into disclosing personal information such as bank account numbers, birth dates, and Social Security numbers. These phishing attacks are becoming more prominent in recent years, but it is a new development for large numbers of them to be considered ‘state-sponsored’ rather than the work of individual malicious actors not affiliated with any national government.
Google, acting as a responsible IT company, is providing its users with strategies they can use to help better secure their Gmail accounts. One important step is to create a password that consists of more mixed characters. When upper-case letters, numbers, and symbols are mixed into a password, it is much more difficult for hackers to guess or otherwise determine. Google also recommends that users update their browsers to the latest versions and keep their operating system, as well as all browser add-ons, fully up to date.
While these steps may be sufficient for personal users, small and medium businesses have a stronger vested interest in making sure that email accounts are not compromised. Internal company communications may detail proprietary information and trade secrets that could negatively affect a company's bottom line if released. Companies, therefore, should consider a managed services approach to email. A managed services model delivered through an outsourced IT provider can build in a variety of methods to provide heightened security for business users.
The recent huge password breach at the social media networking site LinkedIn provides an object lesson in the need for improved IT risk management. After all, if a business as large as LinkedIn can find itself with millions of users whose passwords may have been compromised, it follows that small and medium-sized businesses with access to fewer resources must be all the more diligent in using those resources to their maximum capacity.
Remote access to business systems opens up huge potential in terms of efficiency. With the ability to access a computer or network from a distance, many workers appreciate the flexibility that the modern workplace can offer. On the other hand, this same flexibility brings with it new challenges in terms of identification, authentication, and access management.
The new era of cloud computing brings with it tremendous advantages in terms of scalability, cost savings, and employee efficiency, but it is not without its challenges. One of the greatest challenges is the need for robust security. In order for businesses and other organizations to operate at their full capacity, the cloud solutions they employ must be appropriate for the threat environment as it currently exists and as it is likely to evolve in the near future.
Legislative gridlock and wrangling are nothing new, but one of the projects currently caught in a tug-of-war between Congress and the Executive Branch is an initiative known as the National Strategy for Trusted Identities in Cyberspace (NSTIC). Funding in excess of $24 million, originally intended to help the National Institute of Standards and Technology (NIST) create an online system of trusted credentials to aid in the authentication of online identities during web transactions, is now in doubt.
Researchers working for the National Institute of Standards and Technology have taken a huge step forward in the spread and implementation of biometric systems for user authentication. These systems rely on information derived from the physical body of a user in order to verify his or her identity. Common biometric markers include images of the iris of the eye, fingerprints, and facial scans. All of these physical markers are unique to most individuals on the planet.
The issue of authentication has been a challenge for businesses for at least as long as computers have been an integral part of the workplace. Newer technologies, however, are beginning to provide much more secure means of authentication than the typical username/password combination or the use of a dongle or special card. Text input, after all, can always be compromised, and physical objects that a user must supply can be misappropriated or misused.
Employees often want to visit social media sites such as Facebook on their breaks or lunch hours, or even during working hours, although many company policies prohibit such access. It can be difficult for companies to lock down such sites, however, because all too often firms are making valuable business use of social media. These factors complicate matters when malware such as the Ramnit worm begins to target those who log onto Facebook.
Business organizations should be aware of the revised guidelines that have emerged from the National Institute of Standards and Technology regarding electronic authentication methods. Special Publication 800-63-1 explains how both government agencies and private entities such as businesses can use web-based technologies for verifying the identity of the people who use their networks and systems. This publication is an update of the 2006 guidelines and reflects how the information technology world has evolved over the course of the past five years.
Layered security is at the core of the new guidelines being offered by the FFIEC (the Federal Financial Institutions Examination Council), which defines the term as “the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control.” Layered security most often refers to IT solutions in place in the banking industry, but it is also a useful strategy for any business or organization that deals with financial matters. Since nearly every business and non-profit needs to both take and issue payments, this includes virtually every business in the United States.
The National Institute of Standards and Technology has released a new set of electronic authentication guidelines designed to assist businesses with methods to secure themselves from insider threats to the security and integrity of data. The last time such guidance was issued was back in 2006, but during the years that have elapsed, both threats and the computing environment have evolved into new forms that require new levels of protection.