This tip is part of SearchSecurity.com's Enterprise Security 2008 Learning Guide.
If your organization struggled with access management in 2007, expect more of the same in 2008. The key issues confronting companies haven't gone away; remote access, provisioning and Web authentication will still be top of mind. Compliance pressures will continue to drive adoption of multifactor authentication. However, new technologies will add some excitement to the mix. In this tip, we'll review the access management landscape and what's likely to change as the year unfolds.
Let's start with a key piece of the remote access and endpoint security puzzle: network authentication for mobile devices like laptops, BlackBerrys, PDAs and other wireless equipment. For road warriors armed with laptops, the old standby VPNs -- both IPsec and SSL -- will continue to grow and dominate because of their successful track record, ease of deployment and reasonable cost, though SSL will still outpace IPsec.
As for PDAs and other handheld devices, the biggest challenges will remain user provisioning for diverse devices connected to the network. The days of authentication meaning just desktops and workstations are over. Companies will meet the challenge with authentication products geared toward just this market segment, such as those offered by Credant Technologies Inc., which specializes in securing mobile devices of all kinds.
Authentication aside, the biggest security threat facing companies in 2008 is Web and application security. Last year saw the rapid growth of bots designed to exploit holes in Web applications, along with the growth of keystroke logging Trojans and the continued nuisance of phishing sites. Expect to see new forms of Web site authentication structured to combat these plagues in 2008. Some of that activity will be driven by compliance, most notably a 2005 directive from the Federal Financial Institutions Examination Council (FFIEC) recommending multifactor authentication for all Web banking sites.
But traditional multifactor authentication, involving devices like one-time password (OTP) tokens, smart cards and biometrics won't take off in 2008, which had been predicted right after the release of the FFIEC guidance. Lack of customer acceptance of devices and the cost of deployment and maintenance for companies will hinder their growth. Security concerns about increases in man-in-the-middle (MITM) attacks against OTP tokens will also slow their adoption.
Ongoing browser attacks via cross-site scripting (XSS) and cross-site request forgery (CSRF) will highlight the need to further improve Web authentication in 2008. As attackers get more creative, so must defenses.
Single sign-on (SSO) adoption will continue to grow in 2008, just as it did in 2007, gaining considerable ground with a multitude of vendors and products. Tools supporting SSO, like management GUIs and directory stores, matured and became more sophisticated in 2007. The challenge in 2008 will be for companies to continue to innovate in a maturing market and to be able to differentiate themselves from competitors with similar offerings.
Leaders in SSO include Citrix and Passlogix Inc., with its V-GO product, and Imprivata Inc., which offers a hardware appliance geared to smaller companies and organizations. Other companies to watch are ActivIdentity Inc., CA Inc. and Novell Inc.
A close cousin of SSO, federated identity management, will only see modest growth in 2008. While SSO allows a single login for multiple applications within one company, federated identity management extends that across multiple organizations. The idea is to allow a user to authenticate once on his or her own system, but still have access to, say, a networked partner without having to log in via the partner's system.
The Liberty Alliance, one of several groups working to set unified standards for federated identity management, is expected to begin verifying a new framework for sharing electronic transactions by mid-2008.
So expect access management in 2008 to be a key focus area that enterprises can use to stay ahead of attackers. As in past years, some market growth will be driven by compliance -- as with Web authentication -- some driven by the challenge of keeping up with securing access to newer technologies like those on mobile devices, and some driven by changing requirements for user provisioning.
Enterprise Security 2008 Learning Guide
Malware trends suggest new twists on old tricks
Addressing VoIP and virtualization
Assessing access management
Building trust into the application development process
Security management in 2008: What's in store
About the author:
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP, specializing in web and application security, and is the author of The Little Black Book of Computer Security available on Amazon. He also hosts a radio show on computer security on WIIT in Chicago and runs The IT Security Guy blog at http://www.theitsecurityguy.com.