By Oliver Rist
Posted on ZDNet News: Oct 24, 2002 12:00:00 AM

Cut costs. Save money. Maintain the status quo. With that mantra in mind, many network managers figure they've got authentication covered. As long as there's a password policy in place, who needs to spend money on authentication tools?

Before you succumb to this line of thinking, remember that an authenticated user is only the beginning of an authentication system; access control and accounting are what makes such a system effective.

Without all three processes, you're simply Band-Aiding. Effective authentication requires effort; whether you call it internal identity management or a unified authentication management (UAM) system, the principle is the same: Combine authentication, access control, and user accounting to build a policy that governs and tracks who can access what, where, when, and how. This should be the beating heart of any corporate IT security policy, and relegating it to a password list is simply begging for trouble.

True, you can build UAM in-house as long as you're running a reasonably strong back-end operating platform, especially if you already have a network directory resource in place. But calculate the man hours and the consulting expenses for the architecture, documentation, deployment, testing, retesting, and final implementation--then check your calendar. Start now and you'll probably have an in-house system functioning smoothly somewhere in 2004. Are you deploying business connectivity via the Web to partners or big customers? Running any wireless infrastructure? Playing around with Web services? All three are examples of state-of-the-art network technologies in critical need of effective authentication. Building your own UAM around such technologies is prohibitive, both in terms of money and time, and implementing without authentication is asking for a future Advil addiction. New network services must be paced by adequate security, and this responsibility falls squarely on network administrators.

Network managers need to get much more involved with this aspect of network security because keeping data secure and protecting network resources is more important than ever, and can't be relegated to an ivory tower team. It's not simply a matter of IT vandalism anymore. Malicious users are hungry; they're on both sides of the firewall; and they've become educated on more than simply vandalizing your data. Identity theft, unscrupulous marketers, and illegal spamming are only three quick and easy ways for hackers to make a profit abusing your network. You can't wait a full year to build an internal UAM structure and expect to coast by unnoticed.

At the very least, network managers and security managers need to come together and evaluate the available authentication/identity management systems. Check into products from vendors such as BioNetrix Systems Corp., Courion, Novell, and Secure Computing. All of these vendors provide UAM products that offer single-screen user management, access control, and especially user accounting via detailed logs. They also integrate with a variety of domain and directory structures, and some also talk to physical authentication devices such as SecurID tokens, biometric devices, or even radio badges capable of tracking users throughout a campus.

Getting the money for such products means doing your homework. A sour economy is certainly to blame for some IT budget woes, but much of it also comes from an "ask and ye shall receive" mindset left over from the dot-com boom days. That's all gone. If you want the money today you've got to show value first. Start with an authentication policy--not just a list, but an accurate process flow of who is accessing what on the network and why--a tall order sometimes, but invaluable. Factor in more than just software and implementation costs; remember testing and training. Then look for ways to reduce both the up-front expenses and the time the rollout consumes. Computer-based training is one example. Or, consider letting users enroll themselves in the authentication system during the normal course of their work rather than having the entire IT department work overtime installing or pushing new clients to every desktop.

A formula for ROI
Armed with a plan, it's always far easier to show ROI. Typically, this process is unique to each business, as each values its data differently. But if you want to try your hand at a generalized formula, this one, developed by a team at the University of Idaho, provides a guideline for security investment ROI:

     (R - E) + T = ALE
     R - ALE = ROSI

"R" is the yearly cost of recovering from an intrusion; "E" is the savings gained from stopping an intrusion; "T" is the cost of an intrusion prevention or security system; "ALE" stands for annual loss expectancy; and "ROSI" is the return on security investment. Defining some of these variables accurately may mean quality time with the accounting department, but once it's done this tool can provide a compelling argument to senior management.

Finally, remember that returns on security investments are only the beginning. Turning your network into a competitive advantage is the real goal. That means deploying new technologies as they become available. Having a secure foundation on which to manage those rollouts isn't just valuable, it's priceless.

How does your company currently authenticate users? TalkBack below or e-mail us with your thoughts.
