
Enterprise security in 2008: Assessing access management

Access management troubles were hardly few and far between in 2007, and according to IAM expert Joel Dubin, access management challenges aren't going away in 2008. In this tip, Dubin outlines this year's key issues, including remote access, provisioning and Web authentication.

This tip is part of the Enterprise Security 2008 Learning Guide.

If your organization struggled with access management in 2007, expect more of the same in 2008. The key issues confronting companies haven't gone away; remote access, provisioning and Web authentication will still be top of mind. Compliance pressures will continue to drive adoption of multifactor authentication. However, new technologies will add some excitement to the mix. In this tip, we'll review the access management landscape and what's likely to change as the year unfolds.

Let's start with a key piece of the remote access and endpoint security puzzle: network authentication for mobile devices like laptops, BlackBerrys, PDAs and other wireless equipment. For road warriors armed with laptops, the old standby VPNs -- both IPsec and SSL -- will continue to grow and dominate because of their successful track record, ease of deployment and reasonable cost, though SSL will still outpace IPsec.

Key VPN players will still include SonicWall Inc., following its purchase of Aventail, and Citrix Systems Inc., among others, but the pace of acquisitions may narrow the field. Web sites that allow remote access over the Internet and act like third-party SSL VPNs, such as GoToMyPC (owned by Citrix) and LogMeIn, will gain attention as they grow at the expense of traditional VPNs, particularly IPsec. These Web-centric offerings will be perceived as easy and cheap VPN solutions. But scalability for larger enterprises, competition from other similar services and security will still be issues for these products in 2008.

As for PDAs and other handheld devices, the biggest challenges will remain user provisioning for diverse devices connected to the network. The days of authentication meaning just desktops and workstations are over. Companies will meet the challenge with authentication products geared toward just this market segment, such as those offered by Credant Technologies Inc., which specializes in securing mobile devices of all kinds.

Authentication aside, the biggest security challenge facing companies in 2008 will be Web and application security. Last year saw the rapid growth of bots designed to exploit holes in Web applications, along with the growth of keystroke-logging Trojans and the continued nuisance of phishing sites. Expect to see new forms of Web site authentication structured to combat these plagues in 2008. Some of that activity will be driven by compliance, most notably the 2005 guidance from the Federal Financial Institutions Examination Council (FFIEC), which deemed single-factor authentication inadequate for high-risk online banking transactions and pushed institutions toward multifactor or other risk-based authentication for their Web banking sites.

But traditional multifactor authentication, involving devices like one-time password (OTP) tokens, smart cards and biometrics, won't take off in 2008, despite predictions to that effect made right after the FFIEC guidance was released. Lack of customer acceptance of devices and the cost of deployment and maintenance for companies will hinder their growth. Security concerns about increases in man-in-the-middle (MITM) attacks against OTP tokens will also slow their adoption: a phishing site that proxies the real login page can relay a freshly typed OTP to the bank within its validity window, so the token proves possession of the device but says nothing about whether the session or the transaction is the one the customer intended.

Instead, financial institutions will continue to roll out "soft" authentication technologies, like security questions and back-end fraud-monitoring systems. The trend will move from authenticating the user to authenticating the transaction: rather than asking only "is this the customer?" at login, the bank checks whether this particular transfer, to this payee for this amount, is one the customer approved. Ironically, though not true two-factor authentication as understood by information security professionals, such methods still satisfy the FFIEC guidance.
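The relay problem described above, and why binding the code to the transaction defeats it, as an added example that is not part of the original tip. The hotp and totp functions implement the standard algorithms (RFC 4226 and RFC 6238); transaction_code is a simplified, non-standard illustration of transaction signing, and the Bank class, the SEED value (the RFC 4226 test-vector secret), the account names and the fixed clock are all constructed for the example.

```python
import hashlib
import hmac
import struct

# Shared seed provisioned in the customer's token and the bank's back end.
# Constructed for this example (it is the RFC 4226 test-vector secret).
SEED = b"12345678901234567890"
STEP = 30          # seconds per time step (RFC 6238 default)
DIGITS = 6


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31-bit window selected by the low nibble of the MAC."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """TOTP is HOTP with the counter derived from the clock (RFC 6238)."""
    return hotp(secret, now // step)


def transaction_code(secret: bytes, dest: str, amount_cents: int, now: int,
                     step: int = STEP, digits: int = DIGITS) -> str:
    """Transaction-bound code: like TOTP, but the MAC also covers payee and amount.
    Simplified illustration of transaction signing, not a standard construction."""
    msg = struct.pack(">Q", now // step) + dest.encode() + b"|" + str(amount_cents).encode()
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    return _truncate(mac, digits)


class Bank:
    """Toy bank back end (constructed): holds the customer's seed and a ledger of accepted transfers."""

    def __init__(self, seed: bytes) -> None:
        self.seed = seed
        self.ledger: list = []

    def _window(self, now: int):
        # accept the current step and one step either side to tolerate clock drift
        return (now - STEP, now, now + STEP)

    def transfer_otp_only(self, otp: str, dest: str, amount_cents: int, now: int) -> bool:
        """Login-style OTP check: proves someone holds the token, says nothing about the transfer."""
        if not any(hmac.compare_digest(otp, totp(self.seed, t)) for t in self._window(now)):
            return False
        self.ledger.append((dest, amount_cents))
        return True

    def transfer_signed(self, code: str, dest: str, amount_cents: int, now: int) -> bool:
        """Transaction-bound check: the code must match the payee and amount being executed."""
        if not any(hmac.compare_digest(code, transaction_code(self.seed, dest, amount_cents, t))
                   for t in self._window(now)):
            return False
        self.ledger.append((dest, amount_cents))
        return True


def relay_attack_otp_only(now: int) -> bool:
    """Real-time phishing proxy against a login OTP. True if the fraudulent transfer goes through."""
    bank = Bank(SEED)
    # The victim types the code currently shown on the token into the phishing page...
    stolen_otp = totp(SEED, now)
    # ...and the proxy replays it to the real bank seconds later, with its own payee.
    return bank.transfer_otp_only(stolen_otp, "ATTACKER-ACCT", 100_00, now + 5)


def relay_attack_signed(now: int) -> bool:
    """Same proxy against a transaction-bound code. True if the fraudulent transfer goes through."""
    bank = Bank(SEED)
    # The token signs the transfer the victim actually meant to make (payee shown on the token).
    victim_code = transaction_code(SEED, "PAYEE-ACCT", 100_00, now)
    # The proxy swaps the payee; the bank recomputes over the altered details and rejects it.
    return bank.transfer_signed(victim_code, "ATTACKER-ACCT", 100_00, now + 5)


def legitimate_signed(now: int) -> bool:
    """Control case: the customer's own signed transfer is accepted."""
    bank = Bank(SEED)
    code = transaction_code(SEED, "PAYEE-ACCT", 100_00, now)
    return bank.transfer_signed(code, "PAYEE-ACCT", 100_00, now + 5)


if __name__ == "__main__":
    NOW = 1_200_000_000  # fixed clock (January 2008) so the run is reproducible
    print("OTP-only transfer hijacked:", relay_attack_otp_only(NOW))   # True
    print("Signed transfer hijacked:  ", relay_attack_signed(NOW))     # False
    print("Legitimate signed transfer:", legitimate_signed(NOW))       # True
```

Two caveats a practitioner should keep in mind. The transaction-bound code only helps if the payee and amount the token signs are shown to the customer on a channel the proxy does not control (a token with a keypad, or an out-of-band message that spells out the details); if the customer signs whatever the phishing page presents, the binding is defeated. And the toy bank does no replay tracking; a real back end would refuse to accept the same code twice within its window.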

Ongoing browser attacks via cross-site scripting (XSS) and cross-site request forgery (CSRF) will highlight the need to further improve Web authentication in 2008. Both ride on a session the user has already authenticated: the attacker never learns the password or OTP, so a stronger login credential alone does not stop them, and the session and each sensitive request have to be protected as well. As attackers get more creative, so must defenses.
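How a CSRF attack gets past cookie-only session authentication, and the synchronizer-token check that stops it, as an added example that is not part of the original tip. The Request class, the in-memory SESSIONS store, the handler names and the account names are all constructed for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Request:
    """Constructed stand-in for an HTTP POST: the cookies the browser attaches on its own,
    and the form fields the submitting page chose."""
    cookies: dict
    form: dict


# Constructed in-memory session store: session id -> {"user": ..., "csrf": ...}
SESSIONS: dict = {}


def create_session(user: str) -> str:
    """Log a user in: issue a session id and a per-session anti-CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
    return sid


def transfer_vulnerable(req: Request, ledger: list) -> bool:
    """Accepts any POST that carries a valid session cookie.
    A form on an attacker's page posts here with the victim's cookie attached automatically."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return False
    ledger.append((sess["user"], req.form["to"], int(req.form["amount"])))
    return True


def transfer_hardened(req: Request, ledger: list) -> bool:
    """Synchronizer-token check: the form must echo the per-session token.
    The attacker's page cannot read it (same-origin policy), so a forged POST lacks it."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return False
    if not hmac.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
        return False
    ledger.append((sess["user"], req.form["to"], int(req.form["amount"])))
    return True


def forged_request(sid: str) -> Request:
    """What reaches the bank when the logged-in victim visits the attacker's page:
    the browser adds the session cookie; the attacker picks the form fields."""
    return Request(cookies={"sid": sid}, form={"to": "ATTACKER-ACCT", "amount": "10000"})


def run_csrf_scenario() -> tuple:
    """Returns (forgery accepted by the vulnerable handler,
                forgery accepted by the hardened handler,
                legitimate request accepted by the hardened handler)."""
    sid = create_session("alice")
    forged = forged_request(sid)
    vuln_ledger: list = []
    hard_ledger: list = []
    forged_hits_vulnerable = transfer_vulnerable(forged, vuln_ledger)
    forged_hits_hardened = transfer_hardened(forged, hard_ledger)
    # The real form rendered by the bank carries the token as a hidden field.
    legit = Request(cookies={"sid": sid},
                    form={"to": "PAYEE-ACCT", "amount": "100", "csrf": SESSIONS[sid]["csrf"]})
    legit_ok = transfer_hardened(legit, hard_ledger)
    return forged_hits_vulnerable, forged_hits_hardened, legit_ok


if __name__ == "__main__":
    print(run_csrf_scenario())  # (True, False, True)
```

The token check closes the CSRF hole but not the XSS one: script injected into the bank's own origin can read the hidden field and submit a well-formed request, which is why the two attacks are named together and why output encoding and input validation on the application side remain necessary alongside the request token.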

Single sign-on (SSO) adoption will continue to grow in 2008, just as it did in 2007, gaining considerable ground with a multitude of vendors and products. Tools supporting SSO, like management GUIs and directory stores, matured and became more sophisticated in 2007. The challenge in 2008 will be for companies to continue to innovate in a maturing market and to be able to differentiate themselves from competitors with similar offerings.

Leaders in SSO include Citrix and Passlogix Inc., with its V-GO product, and Imprivata Inc., which offers a hardware appliance geared to smaller companies and organizations. Other companies to watch are ActivIdentity Inc., CA Inc. and Novell Inc.

A close cousin of SSO, federated identity management, will only see modest growth in 2008. While SSO allows a single login for multiple applications within one company, federated identity management extends that across multiple organizations. The idea is to allow a user to authenticate once on his or her own system, but still have access to, say, a networked partner without having to log in via the partner's system.

The Liberty Alliance, one of several groups working to set unified standards for federated identity management, is expected to begin verifying a new framework for sharing electronic transactions by mid-2008.

So expect access management in 2008 to be a key focus area that enterprises can use to stay ahead of attackers. As in past years, some market growth will be driven by compliance -- as with Web authentication -- some driven by the challenge of keeping up with securing access to newer technologies like those on mobile devices, and some driven by changing requirements for user provisioning.

Enterprise Security 2008 Learning Guide
  Malware trends suggest new twists on old tricks
  Addressing VoIP and virtualization
  Assessing access management
  Building trust into the application development process
  Security management in 2008: What's in store

About the author:
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP, specializing in web and application security, and is the author of The Little Black Book of Computer Security available on Amazon. He also hosts a radio show on computer security on WIIT in Chicago and runs The IT Security Guy blog at

This was last published in February 2008
