Dilbert cartoons rarely fail to raise a laugh in the office, and last month, when I was catching up on the Security Nirvana blog, was no different. As a summary of the debate around security versus convenience, I think it sums it up perfectly:
I see so many companies and directors debating the issue of an absolute need for strong IT security, often at the expense of convenience for end users. In a perfect world we could find a way to balance both of these needs, but in reality both sides of the argument need to give a little to ensure the protection of corporate networks. This is where a number of exciting innovations are helping, by bridging the gap and making security easier than today’s cumbersome username and password standard.
First, there is identity-based strong authentication, an area where there is a growing trend to upgrade corporate identity badges to include logical access capability. While this technology is not new, given some of the recent challenges faced by one-time password (OTP) tokens, companies seeking strong logical access security are now also turning to certificate-based authentication as part of their corporate identity credentials.
Second, there is biometric technology. Many corporate laptops now come with fingerprint readers, letting your finger act as your password. This can help eliminate the age-old problem of resetting passwords and the associated helpdesk costs. However, too few companies add a further layer, which can easily be done by combining the fingerprint with the certificate-based identity. If the fingerprint template is stored within the identity credential itself, so that verification is performed "match on card" and the template never has to leave the credential, the user keeps complete control over their online access identity.
Third is the issue of mobile devices. Convergence in this area is inevitable. We recently demonstrated at CES 2012 the ability to store the user's identity certificate on a near field communication (NFC) smartphone. This allows the user to complete a two-step authentication process with their smartphone. The phone communicates the user's certificate over NFC to the computing device (for example, a laptop), which then prompts the user for a PIN. Once the PIN is entered, the user gains full access to their network resources.
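The certificate-plus-PIN exchange just described, modelled as an added Go example (not code from the original post or from any product it describes): the phone holds the signing key and releases a signature only after the PIN is verified, while the laptop issues a fresh challenge and verifies the response. It assumes an Ed25519 key pair standing in for the certificate's key, a three-attempt PIN lockout, and no CA chain validation; all three are simplifications for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)
// Credential models the identity credential on the NFC phone (hypothetical): the
// private key (something you have) never leaves the device and only signs after
// the PIN (something you know) is verified; three wrong PINs lock it.
type Credential struct {
	Pub      ed25519.PublicKey // public half, as carried in the user's certificate
	priv     ed25519.PrivateKey
	pinHash  [32]byte
	failures int
}
// NewCredential enrols a fresh key pair and stores the PIN only as a hash.
func NewCredential(pin string) (*Credential, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Credential{Pub: pub, priv: priv, pinHash: sha256.Sum256([]byte(pin))}, nil
}
// Sign releases a signature over the laptop's challenge only for a correct PIN.
func (c *Credential) Sign(pin string, challenge []byte) ([]byte, error) {
	if c.failures >= 3 {
		return nil, errors.New("credential locked: too many wrong PINs")
	}
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], c.pinHash[:]) != 1 {
		c.failures++
		return nil, errors.New("wrong PIN")
	}
	c.failures = 0
	return ed25519.Sign(c.priv, challenge), nil
}
// Login is the laptop side: a fresh random challenge per attempt (so a signature
// captured over NFC cannot be replayed), verified against the certificate's key.
func Login(phone *Credential, pin string) (bool, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	sig, err := phone.Sign(pin, challenge)
	if err != nil {
		return false, err
	}
	return ed25519.Verify(phone.Pub, challenge, sig), nil
}
```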
The strongest security combines the three main factors of authentication: something you know, something you have, and something you are. Striking the balance between usability and security is never easy, but technologies currently being deployed and in development hold the promise of achieving it for end users and IT professionals alike. Until then, organizations will have to accept a balancing act between the two. Organizations that impose security that is strong but not user-friendly will discover, to their peril, that their employees simply bypass those measures altogether. Security has to be usable in order to be used.