Cloud Breaches Show Need for Stronger Authentication

As organizations increase their reliance on cloud-based services, collaboration tools and enabling users to access networks, the number of security breaches is on the rise. A new study by Forrester Research shows that more than half of the 306 companies surveyed (54 percent) reported a data breach in the previous year.

Also see our "Cloud security survival guide"

Even with the growing security threats, most enterprises continue to rely on the traditional username and password sign-on to verify a user's identity, rather than strong authentication, according to the study.

Cloud Computing: 2011 Predictions
Defining Cloud Security: Six Perspectives

The report, "Enhancing Authentication to Secure the Open Enterprise," was conducted by Forrester late in 2010 on behalf of Symantec Corp. (SYMC) The vendor wanted to evaluate how enterprises are evolving their authentication and security practices in response to changing business and IT needs as exemplified by cloud and software-as-a-service (SaaS) adoption, the business use of Web 2.0 services, and user mobility trends.

Password issues are the top access problem in the enterprise, according to the study. Policies on password composition, expiration, and lockout that are put in place to mitigate risk have become a major burden to users, impeding their ability to be productive. They also result in help desk costs due to forgotten passwords.

The Forrester study recommends that organizations implement strong authentication throughout the enterprise, not just for select applications.

Mauricio Angee, VP and information security manager at Mercantil Commercebank N.A., agrees that passwords have become a problem.

"Today, there is a high percentage of calls and service requests related to password resets in our environment," Angee says. "Two-factor authentication has been implemented for network sign-ons, in addition to the deployment of single-sign-on, which has helped us [reduce] the amount of password management."

The concern with passwords, Angee says, "is that we have given the user the responsibility to change passwords, remember long complex pass-phrases, secure PINs, carry tokens, etc. This is a practice that has proved to be a huge weakness to keep our environments secure, not to mention the huge challenge to information security professionals who have to enforce policies and maintain an expected level of security."

Moving the entire infrastructure to strong authentication requires time and resources dedicated to assessment, analysis and testing systems and applications in order to determine if these systems have the capability to be integrated, Angee says. "Often, constraints are found, mostly with legacy systems, which has been the major [reason] to avoid moving forward with strong authentication. This is definitely an initiative we will be focusing our efforts to determine the feasibility, impact, and the ROI."