Maria Korolov Trombly writes about business and technology.
Last updated February 20, 2008


When Passwords Are Not Enough for Security

If cyber movies have taught Wall Street security experts anything, it's that passwords by themselves can't keep bad things from happening. These days, most companies need a three-tier access system-in addition to limitations on physical access to the most critical computers and company resources-that involves verifying users' identities, setting them up with access to the systems they need, and, finally, monitoring their status to make sure that they continue to have access only to the systems-and privileges-they're allowed to have.

This last area, called provisioning-setting up accounts and then keeping them in step with the user's actual status-is especially critical as companies start to open their extranets to partners and customers. It's a manageable administrative chore to set up new users-both internal and external-with access to the systems they need.

It's a little more of a headache to have to manually reset the passwords they lose or forget, but what if they leave the company, or the partner company? Or what if they simply change jobs within their own organizations? Their new jobs may not carry the same privileges as the old ones.

"A company that we talked to recently had over 4,000 business partners that represented some 70 plus active accounts behind their firewall," said Brian T. Anderson, chief marketing officer at security firm Access360, based in Irvine, Calif. "They would make 4,000-plus phone calls twice a year and say, 'Hey, are these people still with your company?'"

All these issues are particularly important for Wall Street companies not only because of general security considerations, but for legal implications as well.

"Wall Street is a very highly regulated industry," said Jonathan Penn, an analyst at Cambridge, Mass.-based Giga Information Group. "Breaches can bring sanctions. That's driving not just the technologies to give people the proper amount of access, but also technologies to audit what's happened."

The first building block of identity management is determining whether the users are who they say they are.

According to Chris Christiansen, an analyst at Framingham, Mass.-based International Data Corp., the smart card market is heating up in this regard. What was a $314.5 million market in 2000 will reach $2.2 billion in 2005, according to a November study by IDC. The biometrics market, dominated by fingerprint readers, is also starting to grow, from $119 million in 2000 to a projected $887 million in 2005.

Christiansen said Wall Street companies will likely use a range of security techniques, depending on the risk associated with given applications.

"A high-risk trading application may require that the trader not only supply a password but also a token or a smart card as well as a biometric reading, and may only do so from a certain terminal and a certain location at a certain time," he said.

For lower-risk applications, tokens and smart cards have the edge because they cost from 25 cents to $60 per user, as compared to $100 and up for biometric devices, which "also require external hardware readers or cameras that are difficult to carry around," Christiansen added. Biometric devices also have another downside-they may not always work.

"If you're looking for something really cool to impress somebody, biometrics are fun-until you actually start using it," said Richard Smith, senior principal engineer at San Jose, Calif.-based Secure Computing Corp. and author of "Authentication: From Passwords to Public Keys." "I've used these on my desktop and it's one of those things where you have to put your thumb down several times before it finally recognizes you," he said. "It starts to get really frustrating."

It's also possible for biometric security systems to be compromised. For example, researchers at Yokohama National University in Japan recently demonstrated that common household items-such as the gelatin in Jell-O-can be used to make fake fingers carrying fingerprints lifted from a glass, and that those fake fingers fool commercial fingerprint readers.

"If a biometric method is compromised, there's no way to revoke it," said Giga Information Group's Penn. "There's no way to change it like you change a password. You only have one right thumb, so what do you do?"

According to Merrill Lynch CTO John McKinley, it will take another two or three years for biometric device manufacturers to work out all the bugs in the technology.

"I think that it will be a part of the security solution going forward," he said. "The question is, when will it be ready for prime time?"

Tokens and smart cards can be revoked if compromised, and most work together with a password or PIN or some other secondary identifying mechanism-including fingerprints. The cards and tokens usually hold a private key and rely on PKI (Public Key Infrastructure), currently the most secure mechanism widely available for the exchange of information. Other alternatives include tokens that generate a single-use password each time a button is pressed (from an event counter shared with the host), or that generate one from the current time and are therefore synchronized with the host computer's clock. One possible problem with the time-based approach is that the token's clock can drift out of synch with the host machine, so the host typically has to accept codes from a small window of adjacent time steps and needs a way to resynchronize a token that has drifted further than that.

"As everyone knows, watches never match," Smith said. "If you're using it to connect to something you don't use every day, the chances are that it will drift out of synch and you have to call the help desk and they will have to resynchronize you."
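To make the drift problem concrete, here is an added example (not code from the original article or from any vendor named in it) that implements the standard time-synchronized one-time-password scheme in Python: the HMAC-based algorithm of RFC 4226 and its time-based form from RFC 6238. The host accepts a code only if it matches the current 30-second step or one step either side, records the drift it observed for that token, and falls back to a wider search when the user can read two consecutive codes to the help desk, which is the resynchronization step Smith describes. The shared secret and the timestamps are constructed for the example.

```python
import hashlib
import hmac
import struct
import time

STEP = 30        # seconds per time step, the usual value for time-based tokens
DIGITS = 6

# Constructed shared secret for this example. A real token carries a random
# secret installed at manufacture, and the host stores a copy per token.
SECRET = b"constructed-example-secret-1"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """One-time password for a counter value (RFC 4226, HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """Time-based variant (RFC 6238): the counter is the number of elapsed steps."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, host_time: int,
                known_drift: int = 0, window: int = 1, step: int = STEP):
    """Accept `code` if it matches the host's current step, adjusted by the drift
    already recorded for this token, plus or minus `window` steps. Returns the
    drift (in steps) at which it matched, so the caller can store it, or None.
    Comparison is constant-time so a wrong code leaks nothing about a near-match."""
    base = host_time // step + known_drift
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + drift), code):
            return known_drift + drift
    return None


def resync(secret: bytes, code1: str, code2: str, host_time: int,
           search: int = 200, step: int = STEP):
    """Help-desk resynchronization: search a wide window for two consecutive
    codes. Requiring two codes keeps a lucky single-code match from being
    accepted when the window is this large. Returns the drift in steps, or None."""
    base = host_time // step
    for drift in range(-search, search + 1):
        if (hmac.compare_digest(hotp(secret, base + drift), code1)
                and hmac.compare_digest(hotp(secret, base + drift + 1), code2)):
            return drift
    return None


if __name__ == "__main__":
    now = int(time.time())
    # Token clock 25 s fast: at most one step out, so the normal window absorbs it.
    print("25 s fast ->", verify_totp(SECRET, totp(SECRET, now + 25), now))
    # Token clock three minutes fast: six steps out, rejected by the normal window.
    print("180 s fast ->", verify_totp(SECRET, totp(SECRET, now + 180), now))
    # The user reads two consecutive codes to the help desk; the host finds the offset.
    d = resync(SECRET, totp(SECRET, now + 180), totp(SECRET, now + 180 + STEP), now)
    print("resynchronized drift ->", d)
```

Once `resync` has found the offset, the host stores it as `known_drift` for that token and ordinary logins work again without the user noticing; a token that keeps drifting will show a steadily growing stored offset, which is itself worth alerting on.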

However, just because users are who they say they are doesn't mean that they should be allowed access to a particular system. They could have left the company since access was first granted, or changed jobs-say, from accounts payable to accounts receivable. If they continue to have access to both systems, it could be a potential disaster in the making.

According to FBI statistics, some 80 percent of all network security breaches are "inside" jobs-current and former employees, not anonymous hackers.

"There's a company that did an evaluation with our software and discovered that they had 80,000 orphaned accounts," said Brian T. Anderson, CMO at Access360. "This was a financial company and their organization only had 10,000 employees. And they had just spent a tremendous amount on new security and a firewall-it's the equivalent of putting in a Tiffany-type vault, but having everybody still have the combination."

But the biggest provisioning challenge-and the one that is driving Wall Street firms to vendors such as Access360, Houston, Texas-based BMC Software and Bedford, Mass.-based RSA Security-is the move to allow external access to sensitive systems.

"The issue of provisioning was always a big challenge for organizations, but they could delay automating it because they have had this problem all along," said Ran Tamir, business development manager at BMC Software. "But now that they're trying to expand access to outside the enterprise, this is the only way they can open and provide the right services to the partners."

The first step to allowing external access was Web-based single-sign-on access control, he said. But this needs to be followed up closely with a provisioning infrastructure. For example, BMC uses a feed from human resources to keep access levels and user privileges up to date. And, when HR feeds are not available from a particular partner, the company will allow administration rights to be delegated to the right people in the partner organizations.

"The next step, which we are working on right now, is to allow cross-organization collaboration of provisioning information using XML standards," he said. This standard, called SPML (Service Provisioning Markup Language), is due to come out later this year. The step after that, he said, is to use SPML as the communication mechanism for Web Services.

"That's going to be the next challenge, in one or two years," he said. "I'm not sure Wall Street organizations are really ready for it just now."

The latest provisioning systems do more than just keep track of a staff member's employment status. At Cologne, Germany-based Systor Security Solutions, and at other firms as well, provisioning increasingly means keeping track of the role that an employee plays within a company-and not only adjusting access levels and privileges to fit that role, but also screening new accounts to make sure they're allowed for that employee. This is the direction in which Systor customer T. Rowe Price Associates is moving.

"We [now] have the ability to manage accounts and groups in the major operating systems," said Randy Hulse, T. Rowe Price's enterprise security team member. "Now we are moving up to higher levels [of abstraction]. We are building [profiles] for application-based access control-identifying typical access requirements based on application use. These groups will coalesce into roles. Eventually, an employee will be identified by a role and will automatically receive all application accesses based on that role."
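The reconciliation these vendors and customers describe-feeding HR status into the provisioning system, mapping roles to application access, catching a user who kept accounts-payable access after moving to accounts receivable, and flagging accounts that no longer belong to anyone-can be sketched as an added example. The Python below is not a product of Access360, BMC, Systor or T. Rowe Price; it is written here to show the checks involved. The HR feed, role definitions, account snapshot and separation-of-duties rule are all constructed for the example.

```python
from typing import Dict, List, Set, Tuple

# Constructed HR feed: employee id -> (employment status, job role).
HR_FEED: Dict[str, Tuple[str, str]] = {
    "e100": ("active", "accounts_payable"),    # recently moved here from accounts receivable
    "e101": ("active", "accounts_receivable"),
    "e102": ("terminated", "trader"),          # left the firm
    "e103": ("active", "trader"),
}

# Role -> the application access a person in that role receives automatically.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "accounts_payable": {"email", "ap_system"},
    "accounts_receivable": {"email", "ar_system"},
    "trader": {"email", "trading_app", "market_data"},
}

# Entitlement pairs one person must never hold together (separation of duties).
SOD_CONFLICTS: List[Tuple[str, str]] = [("ap_system", "ar_system")]

# Constructed snapshot collected from the managed systems: account -> entitlements held.
ACCOUNTS: Dict[str, Set[str]] = {
    "e100": {"email", "ap_system", "ar_system"},      # old AR access never removed
    "e101": {"email", "ar_system"},
    "e102": {"email", "trading_app", "market_data"},  # still live after termination
    "e103": {"email", "trading_app"},                 # never received market_data
    "svc_batch": {"ap_system"},                       # no owner in the HR feed at all
}


def reconcile(hr_feed, role_entitlements, sod_conflicts, accounts):
    """Compare live accounts against the HR feed and the role definitions.

    Returns a report with four lists:
      orphaned       accounts whose owner is missing from HR or not active
      excess         (account, entitlement) pairs the owner's role does not grant
      missing        (account, entitlement) pairs the role grants but the account lacks
      sod_violations (account, a, b) where the account holds a conflicting pair
    """
    report = {"orphaned": [], "excess": [], "missing": [], "sod_violations": []}
    for account in sorted(accounts):
        held = accounts[account]
        status, role = hr_feed.get(account, ("unknown", None))
        if status != "active":
            report["orphaned"].append(account)
            continue   # an orphaned account should be disabled outright, not trimmed
        expected = role_entitlements.get(role, set())
        report["excess"].extend((account, e) for e in sorted(held - expected))
        report["missing"].extend((account, e) for e in sorted(expected - held))
        for a, b in sod_conflicts:
            if a in held and b in held:
                report["sod_violations"].append((account, a, b))
    return report


if __name__ == "__main__":
    for key, rows in reconcile(HR_FEED, ROLE_ENTITLEMENTS, SOD_CONFLICTS, ACCOUNTS).items():
        print(f"{key}: {rows}")
```

Run against real systems, the "orphaned" list is where the 80,000-accounts-for-10,000-employees surprise shows up, and the "excess" and "sod_violations" lists are what the role-based model Hulse describes is meant to keep empty by construction.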

Meanwhile, both internal and external provisioning systems first require that complete and up-to-date employee directories be available.

"Ultimately, the directory plays an ever-increasing role," Merrill Lynch's McKinley said. "I think all organizations need to make sure that they've got a robust directory structure."

Password Particulars

The following information comes from the Center for Password Sanity:

Password: “Joe”
Some 3 percent of all passwords are simply the user’s name, according to Richard Smith.

Password: “Password”
This was the password of choice at the Los Alamos National Laboratory, as reported by a government official who had been assessing computer security there, following reports of security irregularities with computer files by researcher Wen Ho Lee.

Password: “Parc”
This was one of the “guest” account passwords at famous Xerox Palo Alto Research Center (PARC).

Password: “Buddy”
This is the “secret” password used to protect the private key assigned to former President Bill Clinton for producing a digital signature when signing the “E-SIGN” electronic commerce bill. Buddy was his dog’s name, and Clinton evidently shared the password with the dignitaries and reporters who were attending the bill’s signing.
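Every password in this list is something an attacker could guess from public facts about the account: the user's own name, the word "password" itself, the organization's name, a pet's name. As an added example (not from the Center for Password Sanity or from the article), the Python function below rejects a candidate password that is built from such facts, after stripping the digits and punctuation people bolt on to get past length rules. The usernames, names and organization terms in the usage are constructed for the example; the common-password set is a short stand-in for the much longer lists a real checker would load from a file.

```python
import re
from typing import Iterable, Optional

# Short stand-in for a real common-password list (constructed; real lists run to
# millions of entries and should be loaded from a file, not embedded).
COMMON_PASSWORDS = {"password", "passw0rd", "letmein", "welcome", "qwerty", "123456"}

MIN_TOKEN = 3   # ignore very short name fragments when checking for containment


def _normalize(text: str) -> str:
    """Lower-case and keep only letters, so 'Parc2001!' -> 'parc' and
    'Buddy' compares equal to 'buddy'. Appended digits and punctuation
    add nothing an attacker's wordlist would not also try."""
    return re.sub(r"[^a-z]", "", text.lower())


def _contains(norm_password: str, candidate: str) -> bool:
    cand = _normalize(candidate)
    return len(cand) >= MIN_TOKEN and cand in norm_password


def password_is_trivial(password: str, username: str, full_name: str = "",
                        org_terms: Iterable[str] = (),
                        pet_names: Iterable[str] = ()) -> Optional[str]:
    """Return the reason a password is trivially guessable, or None if no
    check fires. The caller supplies whatever it knows about the account."""
    norm = _normalize(password)
    if password.lower() in COMMON_PASSWORDS or norm in COMMON_PASSWORDS:
        return "common password"
    if _contains(norm, username) or _normalize(username) == norm:
        return "derived from username"
    for part in full_name.split():
        if _contains(norm, part):
            return "derived from user's name"
    for term in org_terms:
        if _contains(norm, term):
            return "derived from organization name"
    for pet in pet_names:
        if _contains(norm, pet):
            return "derived from pet name"
    return None


if __name__ == "__main__":
    # Constructed accounts modelled on the anecdotes above.
    print(password_is_trivial("Joe", "joe", "Joe Smith", ["Acme"]))
    print(password_is_trivial("Password1", "jsmith", "Joe Smith", ["Acme"]))
    print(password_is_trivial("Parc2001", "guest", "", ["PARC", "Xerox"]))
    print(password_is_trivial("Buddy!", "wjc", "William Clinton", ["White House"],
                              pet_names=["Buddy"]))
    print(password_is_trivial("correct horse battery staple", "joe", "Joe Smith", ["Acme"]))
```

The check is deliberately one-directional: it only ever rejects, so it can sit in front of whatever length and history rules the organization already enforces without weakening them.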


Maria Trombly can be reached at 011-86-21-6387-7243 or by email at maria@trombly.com