
Security and convenience – Can we have both?


Dilbert cartoons rarely fail to raise a laugh in the office, and last month, when I was catching up on the Security Nirvana blog, was no different. As a summary of the debate around security versus convenience, I think it sums it up perfectly:

I see so many companies and directors debating the issue of an absolute need for strong IT security, often at the expense of convenience for end users. In a perfect world we could find a way to balance both of these needs, but in reality both sides of the argument need to give a little to ensure the protection of corporate networks. This is where a number of exciting innovations are helping, by bridging the gap and making security easier than today’s cumbersome username and password standard.

First, there is identity-based strong authentication, an area where there is a growing trend to upgrade corporate identity badges to include logical access capability. While this technology is not new, some of the recent challenges faced by one-time password (OTP) tokens mean that companies looking to provide strong logical access security are now also looking to certificate-based authentication as part of their corporate identity credentials.

Second, there is biometric technology. Many corporate laptops now come with fingerprint readers, letting your finger act as your password. This can help eliminate the age-old problem of resetting passwords and the associated helpdesk costs. However, not enough companies are adding another layer, which can easily be done by combining the fingerprint with the certificate-based identity. If the fingerprint profile is stored within the identity credential itself, so that verification is done “match on card”, the user keeps complete control over their online access identity.

Third is the issue of mobile devices. Convergence in this area is inevitable. We recently demonstrated at CES 2012 the ability to store the user’s identity certificate on a near field communication (NFC) smartphone. This allows the user to use their smartphone to complete a two-step authentication process. The phone, using NFC, communicates the user’s certificate to the computing device (laptop), which prompts them for a PIN. Once the PIN is entered, the user gains full access to their network resources.
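The two-step exchange described above, as an added illustration (this is example code written for this post, not the demonstrated product or any vendor's implementation): the credential on the phone or badge holds a private key that matches the certificate the laptop already trusts ("something you have"), and that key will only sign after the correct PIN has been presented ("something you know"). The laptop side issues a fresh random challenge each time so that a captured signature cannot be replayed, and the credential blocks itself after a small number of wrong PINs. The user name, PIN, retry limit and the in-memory SHA-256 PIN check are all constructed for the example; a real smart card compares the PIN in hardware and never exports the key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// maxRetries is a constructed value; real cards typically block after 3-5 wrong PINs.
const maxRetries = 3

// Credential models the private key held on the badge or NFC phone.
// The key is "something you have"; the PIN that unlocks it is "something you know".
type Credential struct {
	key      *ecdsa.PrivateKey
	pinHash  [32]byte // constructed stand-in for the card's internal PIN compare
	retries  int
	unlocked bool
}

// NewCredential enrolls a fresh key pair protected by the given PIN.
func NewCredential(pin string) (*Credential, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Credential{key: key, pinHash: sha256.Sum256([]byte(pin)), retries: maxRetries}, nil
}

// Public returns the public key that the user's certificate would carry.
func (c *Credential) Public() *ecdsa.PublicKey { return &c.key.PublicKey }

// VerifyPIN unlocks the key on a correct PIN; a wrong PIN burns one retry,
// and once the counter reaches zero the credential refuses all further use.
func (c *Credential) VerifyPIN(pin string) error {
	if c.retries == 0 {
		return errors.New("credential blocked: too many wrong PINs")
	}
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], c.pinHash[:]) == 1 {
		c.unlocked = true
		c.retries = maxRetries
		return nil
	}
	c.retries--
	return fmt.Errorf("wrong PIN, %d attempts left", c.retries)
}

// Sign signs the verifier's challenge, but only once per successful PIN entry.
func (c *Credential) Sign(challenge []byte) ([]byte, error) {
	if !c.unlocked {
		return nil, errors.New("PIN required before signing")
	}
	c.unlocked = false
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.key, digest[:])
}

// Verifier models the laptop / network side, holding the enrolled public keys.
type Verifier struct {
	trusted map[string]*ecdsa.PublicKey
}

// NewVerifier builds a verifier that trusts one enrolled user (constructed helper).
func NewVerifier(user string, pub *ecdsa.PublicKey) *Verifier {
	return &Verifier{trusted: map[string]*ecdsa.PublicKey{user: pub}}
}

// Challenge returns a fresh 32-byte nonce; a new one per login defeats replay.
func (v *Verifier) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Check verifies that the signature over this challenge came from the user's enrolled key.
func (v *Verifier) Check(user string, challenge, sig []byte) bool {
	pub, ok := v.trusted[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Authenticate runs the full exchange: challenge -> PIN -> signature -> verification.
func Authenticate(cred *Credential, v *Verifier, user, pin string) (bool, error) {
	challenge, err := v.Challenge()
	if err != nil {
		return false, err
	}
	if err := cred.VerifyPIN(pin); err != nil {
		return false, err
	}
	sig, err := cred.Sign(challenge)
	if err != nil {
		return false, err
	}
	return v.Check(user, challenge, sig), nil
}

func main() {
	cred, _ := NewCredential("1234") // constructed PIN for the demo
	v := NewVerifier("alice", cred.Public())
	ok, err := Authenticate(cred, v, "alice", "1234")
	fmt.Println("correct PIN:", ok, err)
	ok, err = Authenticate(cred, v, "alice", "0000")
	fmt.Println("wrong PIN:", ok, err)
}
```

The point to take from the example is where each factor is checked: the PIN never leaves the credential, and the laptop never sees it; it only learns that the key it already trusts was willing to sign a challenge it just generated. Losing the phone alone yields a blocked credential after a few guesses, and shoulder-surfing the PIN alone yields nothing without the key.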

The strongest security rests on the three classic factors of authentication: something you know, something you have, and something you are. Striking the balance between usability and security is never easy, but technologies now being deployed and in development hold the promise of achieving it for end users and IT professionals alike. Until then, organizations will have to accept a balancing act between the two. Those organizations which opt to impose security that is strong but not user-friendly will discover, to their peril, that their employees simply bypass those measures altogether. Security has to be usable in order to be used.

Comments

  1. I strongly believe that a well-designed information system with the proper rights management and a well-architected network will protect corporate assets and provide high availability appropriately.

    ~ Virginia Benedict
    Managing Curator/Vendor Alliance Program Director
    Information Security Community
    Professional Social Media Community Management (since 1992)
    Market Engineering Strategist
    Systems & Network Security/Computer Forensics
    Technologies Analyst (since 1989)

    http://www.linkedin.com/in/virginiabenedict

  2. Hey, and thank you for linking to my blog! :-)

    Good blog post from you, and I fully agree with you of course: Security has to be usable in order to be used.

    You reminded me here that there are several blog posts I need to write, covering corporate identity badges (actually, PIN codes used with them), as well as biometrics like you mention here: fingerprint readers on users’ laptops.

    Best regards,
    Per Thorsheim

  3. Thanks for commenting, Per. We’ve been following your blog for a while and would love to collaborate on a blog post in future. We’ve got some really interesting global research across CIOs that we’d be happy to share with you. Maybe we can invite you to do a guest post on our blog around this, tying into how security has to be usable to be used?

    Feel free to get in touch to discuss this further and so we can share some of the stats from the research with you.

    All the best,
    Ray

  4. […] all know how we are supposed to have strong, unique passwords for all of our online accounts, and how difficult it can be to remember all of them. What we can do is securely store website login credentials into the UICC (also called a SIM […]
