A large number of commercial, environmental, regulatory and social changes are encouraging firms to embrace remote working. In supporting the drive towards more flexible working practices, proven, affordable and easy-to-deploy solutions are available which reduce the risk of network intrusion and data loss and give businesses confidence that access to their network is secure.
Previously, delivering a highly secure remote access network using SSL/VPNs and two-factor authentication was costly and time-consuming to support. Now, with the choice of managed authentication options, low-cost outsourced authentication brings this level of security within realistic reach of SMEs and not just large corporates. BusinessComputingWorld spoke to CRYPTOCard’s chairman and CEO to find out more. Interview by Christian Harris.
BCW: How big are the risks associated with remote access and Web-based processes?
NH: The risks are huge, generating more column inches in newspapers and magazines than almost any other IT-related issue. There are two types of risk to be borne in mind here. Direct risks are typically the more obvious transactional threats of stealing money, IP, software, music or otherwise obtaining data in an unauthorised way for financial gain. However, for many companies, indirect risks pose the greater threat, going to the heart of the business by damaging fundamental trust in the brand.
In an atmosphere in which the general public is often dubious about the security of online transactions, companies cannot plead ignorance of the risks and are expected to take the necessary preventative measures. The concept of securing remote access on the web is not new. Equally, it is not difficult to keep 99.99% of hackers out of your network if you take a number of simple, well-documented precautions. What customers, or the public more broadly, will therefore not forgive, quite rightly, is a failure to do those basics, because both the problems and the solutions are well-known.
BCW: How does CRYPTOCard help protect companies from hacking and data loss?
NH: There are many different ways of attacking a company’s network and at CRYPTOCard we deal specifically with identities, helping companies to be more certain that the people they are dealing with are who they say they are. Face to face, you can have a reasonable degree of confidence as to a person’s identity; if you are dealing with them electronically on the other side of the world, this becomes much more problematic.
In an age where companies have already put in place firewalls and anti-virus defences, it’s important to recognise that for hackers ID theft and authentication represent the ‘lowest hanging fruit’ in attacking a network. In response, CRYPTOCard helps companies prevent ID theft by providing those people who validly need to get onto the network with credentials that make it much more likely they are who they say. CRYPTOCard has been doing this for over 20 years, including providing security for NASA and nuclear plants, and so has built up a high level of experience in helping organisations prevent ID theft through strong authentication.
BCW: What is the biggest security risk with SSL/VPNs?
NH: VPNs do an excellent job of encrypting data between two points, such as when someone working from home wishes to access corporate data. The VPN creates a secure tunnel which a hacker finds very hard to penetrate, and encryption which is very hard to break. The problem is, the hacker doesn’t have to. In the case of an online banking transaction, for example, if by stealing a customer’s ID a hacker can persuade the bank that they are that customer, the bank will happily respond accordingly to a request such as transferring money from one account to another.
BCW: Businesses have been using static passwords to protect their networks and data flow for years. What’s wrong with that?
NH: Back in the 50s, when accessing a huge mainframe computer required multiple layers of physical security to sit at a terminal, there was nothing wrong with static passwords. They were primarily used as a means to identify an individual program or data, rather than as an aspect of security.
In today’s Web-based world things are very different. In an environment in which unauthorised access no longer requires specialist hacking expertise but can be achieved by an eight-year-old of average intelligence, or by harvesting information freely available on social networking sites, static passwords offer a totally inadequate level of protection.
So why do so many businesses still rely on static passwords? Historically, two-factor authentication (2FA) was costly and time-consuming to implement and so the exclusive domain of large organisations with big budgets, IT expertise and 24/7 support. The underlying robust technology has remained unchanged. However, the development of automated provisioning and new types of software and SMS-based tokens has made strong authentication cheaper and easier to implement and administer.
And, with the advent of concepts such as Password-as-a-Service (PaaS), bringing the concept of cloud-based Software-as-a-Service to authenticating identities, static passwords can be replaced rapidly, at low cost and with no technology required client-side, bringing strong authentication within reach of businesses of all sizes.
BCW: CRYPTOCard technology is based on Two-Factor Authentication (2FA). What are the alternatives and why are your solutions more effective?
NH: The term 2FA implies a single solution, yet this is far from the case. Most platforms include a variety of authentication methods, designed to suit different budgets, levels of security and types of user experience required. In addition, a new set of technologies is emerging which is currently described as ‘1.5 factor authentication’. Here, when a user logs in, they are presented with a generic picture with (in the case of CRYPTOCard) a grid-based mix of characters to form their password.
As with 2FA, each password is different, so conforming to the ‘one time password’ (OTP) principle. Though ultimately not as strong as the 2FA approach, 1.5 factor authentication is cost-effective and easy to use for smaller businesses and provides an appropriate level of security. Another option is certificate-based authentication. Though championed by Microsoft, many in the industry believe this to be less secure and more cumbersome than 2FA, with high running costs. Some enterprise businesses combine the two, using certificate-based authentication for local log-ins, but relying on 2FA when remote access is required.
BCW: Deploying and managing remote access security sounds time consuming and complicated. Is it?
NH: In the past this was undoubtedly true, but it is no longer the case. With cloud-based PaaS options it is no longer necessary to install an authentication platform within the user’s business, without compromising the level of security which can be achieved.
With server-based solutions too, the development of new token types (including SMS, BlackBerry and tokens which can be incorporated on USB flash drives) offers options suited to the needs of individuals. Self-service portals making tokens available for immediate use, for example, also make 2FA simpler and easier to use. The net result of PaaS available at the back end and new authentication methods on the front end is that 2FA is now seeing much greater penetration, in businesses of all sizes.
BCW: Does CRYPTOCard offer a hosted security solution?
NH: In CRYPTO-MAS, CRYPTOCard offers a hosted PaaS solution. The key difference from other hosted authentication offerings is that CRYPTOCard is the only major vendor to have implemented a managed solution itself, rather than through Value Added Resellers (VARs). CRYPTOCard was the first company to launch a cloud-based PaaS solution and we took the view that, by developing and managing the technology ourselves, we can offer an unrivalled SLA in what is a mission-critical part of the user’s business. At the same time, this is managed via a single point of contact, which is especially attractive to many companies.
BCW: What are the major challenges facing your business today?
NH: Historically, the market was slow to catch on to the concept of a hosted PaaS approach to authentication, which was frustrating. However, though there is still a long way to go, we have seen a dramatic change over the past year or so and this is now less of a challenge for us. People undoubtedly have greater confidence in the concept of cloud-based computing in general, and in the area of authentication in particular, and momentum is now building strongly. The technology is inherently robust and reliable and the challenge we have set ourselves is to be the first company to deliver a full enterprise authentication service in the cloud, something we hope to achieve in 2010.
BCW: How do you expect to overcome those challenges?
NH: We will continue to evangelise PaaS, as we are convinced that it represents the missing link in taking authentication to the mass market. In this we go along with Gartner’s view, that hosted solutions will account for 20% of the authentication market by 2011. At the same time, we are also committed to working with partners in the development of 1.5 factor authentication as an important way forward in enabling all businesses to access affordable authentication.
BCW: You must have some alarming stories about easily-cracked passwords. Care to share a favourite?
NH: Every sector has many of these nightmare stories. My personal favourite is the case of a head teacher who apparently downloaded thousands of ‘adult’ videos, at a time when he was sunning himself in Florida. It’s easy to see the funny side, but had he been in the country he could have found himself in a difficult, career-threatening position while trying to defend his innocence!
BCW: Would you like to add anything?
NH: Just one thought. I would simply ask anyone to cast aside any historic experiences or preconceptions regarding authentication and take a fresh look at both the costs and the benefits to be had today. I am certain that they will be in for a pleasant surprise.