Users and Vendors Speak Out: Authentication and Biometrics

Market Analysis

Abstract: Authentication and biometrics play an important part in enterprise security. However, their overuse has spawned a lofty dream of single sign-on, but enterprises find reduced sign-on a more realistic choice.

By Elroy Jopling and Bhawani Shankar

Strategic Market Statements

Single sign-on is a goal that enterprises will not achieve; however, enterprises can achieve reduced sign-on, which provides a positive return in the short term.

Identity theft is a growing, serious threat. Enterprises have a role in ensuring that they are part of the solution rather than part of the problem, so for their customers, enterprises should not use government-assigned numbers (for example, social security numbers).

Voice and data convergence on Internet Protocol (IP) networks will create a new level of security requirements, of which enterprises must be aware and for which they must plan.

Publication Date: 4 August 2003

Introduction

As security requirements have increased, authentication has expanded to the point that too many passwords, instead of increasing security, have done the opposite. Many businesses will see single sign-on as a solution, but realities will dictate a move to reduced sign-on. Biometrics will have a role to play, but is, in itself, no cure. Authentication has two issues that will take up our time over the next number of years: authentication from a personal perspective (how much we are willing to give up, and for what), and the new level of security requirements that voice and data convergence will bring with it.

(Note: The body of this Perspective reflects the thoughts of users and vendors, not specifically those of Gartner. The users' and vendors' thoughts are from the Gartner IT Security Summit 2003, as part of the Sector5 telecommunications and information services users and vendors industry panel discussions.)

Authentication and Biometrics

Pursuing the "Holy Grail" of Single Sign-On

Is single sign-on a realistic goal or an objective never to be reached? Within the enterprise, single sign-on will not be achievable because of the number of legacy systems already out there and the dissimilarities between corporate functional mandates. While single sign-on may be the vision, the reality and the corporate direction should be reduced sign-on: a phased program for a steady decrease in the number of user authentications required and a concurrent move toward a harmonized security platform that makes this possible. The result should be to reduce the number of places from which enterprises manage user authentication and the number of means with which they authenticate users.

The return on investment (ROI) for reduced sign-on is a combination of the benefits of keeping the "bad guys" out and the reduction of operational expenses. The former is effectively not identifiable, while the latter is real and can make a significant difference. The future is now for reduced sign-on. New applications and more passwords have overwhelmed users, who resort to security-challenged means of either writing passwords down or putting them on their personal digital assistants (PDAs). Forty percent of all help-desk calls are password- or user-lockout-related. Lowering these costs is realizable and tangible. From an operational perspective, the concept of reduced sign-on can pay for itself in eight to nine months. With reduced sign-on, as enterprises roll out Web services and self-services, every new application efficiently spreads the cost over a greater base while reducing time to market.

© 2003 Gartner, Inc. and/or its Affiliates. All Rights Reserved. 4 August 2003

A key benefit of the drive to reduced sign-on is the inherent development of an enhanced corporate identity-management system. A concern with the drive to single or reduced sign-on is that if you crack one code, you crack them all, opening up the entire enterprise system. Enterprises must separate applications into zones: more-sensitive information means more-secure levels of authentication. Enterprises must rationalize their overt need for passwords and the degree of authentication required. Is a password needed for everything? Does booking a conference room need ultra-secure authentication, or will a simple password suffice for a number of applications? Security and authentication will always follow the concept of defense in depth, specifically in the layering of authentication.

Biometrics

Even though biometrics has significant potential, it has remained in the early adopter stage for a long time. Biometrics is not a cure-all. With biometrics, the adage that "technology is nothing and implementation is everything" is extremely applicable. A true-life example is using fingerprints for authentication but transmitting the digital representation unencrypted over the network. If a specific biometric is compromised, an individual is not able to reset it as with a password.

Authentication Gets Personal

A discussion of single or reduced sign-on in the enterprise is a dollars-and-cents discussion, but when it comes to the enterprise's authentication of the individual, it becomes a personal discussion. What is acceptable and doable for the corporation is different from a personal perspective. An individual's unique identifier is generally accepted as a justifiable goal, but the road to getting there is fraught with numerous problems. One of the greatest problems in the drive to a unique identifier has been the past and present promiscuity in the use of commonly available identifiers such as social insurance numbers. Initially devised as an income tax identifier, the number is now overused and definitely not used for its original purpose. For instance, water utilities use social security numbers as a means of authentication even though water is not a taxable item. Drivers' licenses have also followed the same slippery slope of overuse and inappropriate use. Birth certificates are a core identity, but the process by which they are issued is fraught with error, and they do not provide enough verifiable information.

Biometrics provides the means for a unique identifier, but no one has made the case for why we should provide the information. Enterprises will want to use their own authentication information and methodology. Typically, they won't compromise this drive to interwork with another enterprise (for example, your credit card company won't work with your motor vehicle licensing organization). Why should you trust the other guy with your customers' data?

As with the enterprise, private individuals won't have a single sign-on or card. For them, even reducing the number of sign-ons or cards is questionable. As information is collected and propagated from database to database, it takes on a life of its own. Identity theft just becomes too easy. Generally, there is no problem with a central depository for an individual's identity, but it must be carefully guarded. A need exists for a Fort Knox for identities. Someday we must have a central depository: world events will precipitate it. The question of what one gives up for what one receives has not been answered. Without an overt government push, individuals simply won't buy in until the question is answered. Who will manage this central depository of identities in an environment where every institution has been compromised at some time or another? A single-identity depository in which the individual has control over how his identity will be propagated will evolve, but we will need new laws and new technologies, and the time frame will be at least 10 to 20 years.

Authentication in a Voice- and Data-Converging World

The convergence of voice and data has been a long time coming, but as it becomes a reality, a new level of security and authentication complexity comes with it. Personal identification numbers (PINs) and dual-tone multifrequency (DTMF) signaling passwords are sent over the public networks unencrypted, and people still trust them. Even though it would be easy to find this information out, with the volume of traffic comes "security by obscurity." With the move to Voice over Internet Protocol (VoIP), the front door to the network opens. How does the network determine that there isn't a data packet hiding among all the VoIP packets? Traffic can be examined, but a real-time voice application cannot tolerate the delays this introduces. Real-time media firewalls are essential. Paralleling data security, a new breed of security devices will arise (for example, telecommunications firewalls, telecom intrusion detection systems [IDS] and so on).

Gartner Dataquest Perspective

While the data industry has had its "hackers," the voice industry has had its "phreakers," who specialized in hacking voice switches. Voice theft from private branch exchanges (PBXs) is estimated to cost enterprises $50 billion a year. With data and voice convergence, hackers and phreakers will converge on the same target: the enterprise. Even the hacking community has evolved. Rather than simply orchestrating an attack, hackers have moved to publishing the exploit script or tool to their confreres on the Internet, significantly expanding the rapidity and scope of attacks.

Align Enterprise, Employee and Customer Perspectives

"What are you trying to solve?" was an often-repeated question from users and vendors. Authentication is an obvious requirement for the enterprise and the individual, but technology is only an enabler. We must have adequately addressed what we are trying to solve, and the answer must incorporate the rationale from the perspectives of the enterprise, the employee and the consumer.

The Degree of Authentication

With a desire to ensure security, the enterprise may find itself part of the problem rather than the solution. For incidental applications (for example, booking conference rooms), do away with passwords or allow the user to use simplistic, repeatable passwords. You want the user to be vigilant on the critical applications, rather than befuddled with a morass of authentication everywhere.

Sign-Ons: Not One, But Fewer

Within the enterprise, single sign-on is only a vision. The baggage we carry with legacy systems and corporate structures will dictate that enterprises must lower their aspirations. Reality will be reduced sign-on, and although this may not be total fulfillment of the enterprise's goal, its benefits can be real in the reduction of support costs and the combined evolution of the practice of identity management within the enterprise.

Are Enterprises Perpetrating Identity Theft?

Enterprises must ensure they are not part of the identity theft problem. Enterprises should not use government-assigned numbers, especially social security numbers and drivers' licenses, as unique personal identifiers for access to their operations. The U.S. Federal Trade Commission, state-level consumer advocates and many U.S. Congress members are dedicated to stopping indiscriminate use of social insurance numbers for corporate or other identification. They believe that promiscuous use enables identity theft, "economic crimes" such as money laundering, and identity fraud, including use in terrorism and other crimes such as welfare fraud.

Next-Generation Authentication

Voice and data convergence represents a brave new world for security. Hackers and phreakers will converge to address it. The security tools for data will be mirrored to address a VoIP network, and their processing capabilities must be greatly accelerated to address voice's real-time requirement. An often-used expression regarding security is the "layered" approach. With each new technology, a new security technology must be layered on, dampening innovation. The hackers' greatest detriment may not be their immediate attacks, but rather the long-term impact of technology advancement slowing to ensure security is addressed.

Key Issue

How are network security concerns impacting enterprise communications networks?

This document has been published to the following Marketplace codes: TELC-WW-DP-0576

For More Information...

In North America and Latin America: +1-203-316-1111
In Europe, the Middle East and Africa: +44-1784-268819
In Asia/Pacific: +61-7-3405-2582
In Japan: +81-3-3481-3670
Worldwide via gartner.com: www.gartner.com

Entire contents © 2003 Gartner, Inc. and/or its Affiliates. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

116569