No need to beat around the bush—passwords stink. No one—users, administrators, security pros—likes them, and for good reason.
Despite password policies, users persist in repeating poor password choices—their dog's name, birthdays, favorite colors. Getting them to apply fixed alpha-numeric combinations at least seven characters long is a security fantasy, but shops trying to enforce strong password policies often discover that passwords aren't free. Heck, they aren't even cheap.
According to recent statistics, 25 to 30 percent of all help desk calls are password-related, the average cost per call is $25, and the average user makes roughly four of these calls per year. Then, there are the omnipresent dangers of skilled social engineers who are able to con even the savviest of users into revealing their passwords.
It's time to place authentication in its rightful place as an important component in a comprehensive identity and access management (IAM) architecture.
But, since IAM goes beyond security, it should be approached with a holistic enterprise perspective and not just focused solely on authentication.
After years of languishing on the back burner, IAM will become a major enterprise focus area in the next 24 to 36 months, driven by new business initiatives, regulatory compliance and the need for process efficiency.
Security managers must seize this opportunity and provide IAM leadership on four levels: building a planning team, mapping access requirements, designing an access control architecture and implementing the solution.
The IAM Team
When embarking on an IAM project, security managers must gather a team of application, systems, access, network and directory managers and administrators from various business units across the enterprise. Of course, each department's security should have strong representation within the IAM team.
This team's purpose is to define the IAM business requirements—not to architect a technical solution. Each participant must represent his department's needs while collaborating to address overall business requirements. The team's ultimate goal is threefold:
During this initial phase, the security group's job is to help the organization fully appreciate the business risks associated with current IAM architectures—weak passwords, poor controls and multiple identity stores. Security managers should avoid the temptation to play "Chicken Little" with constant warnings about security breaches and identity theft that don't amount to much.
Rather, security managers should balance paranoia with hard operational facts—the process of managing and monitoring multiple RADIUS servers, VPNs and network directories requires loads of financial and human resources and is strewn with costly inefficiencies, both human and technical. Quantifying security inefficiencies, losses as a result of breaches and future savings—or, as some call it, return on security investment (ROSI)—will be important and well-received input.