Market Analysis

Users and Vendors Speak Out: Authentication and Biometrics

Abstract: Authentication and biometrics play an important part in enterprise security. However, their overuse has spawned a lofty dream of single sign-on, but enterprises find reduced sign-on a more realistic choice.

By Elroy Jopling and Bhawani Shankar

Strategic Market Statements

Single sign-on is a goal that enterprises will not achieve; however, enterprises can achieve reduced sign-on, which provides a positive return in the short term.

Identity theft is a growing, serious threat; enterprises have a role in ensuring that they are part of the solution rather than part of the problem, so enterprises should not use government-assigned numbers (for example, social security numbers) as identifiers for their customers.

Voice and data convergence on Internet Protocol (IP) networks will create a new level of security requirements of which enterprises must be aware and for which they must plan.

Publication Date: 4 August 2003
Introduction

As security requirements have increased, authentication has expanded to the point that too many passwords, instead of increasing security, have done the opposite. Many businesses will see single sign-on as a solution, but realities will dictate a move to reduced sign-on. Biometrics will have a role to play, but is, in itself, no cure. Authentication raises two issues that will occupy us over the next several years: authentication from a personal perspective (how much we are willing to give up, and for what), and voice and data convergence, which will bring with it a new level of security requirements.

(Note: The body of this Perspective reflects the thoughts of users and vendors, not specifically those of Gartner. The users' and vendors' thoughts are from the Gartner IT Security Summit 2003, as part of the Sector5 telecommunications and information services users and vendors industry panel discussions.)

Authentication and Biometrics

Pursuing the "Holy Grail" of Single Sign-On

Is single sign-on a realistic goal or an objective never to be reached? Within the enterprise, single sign-on will not be achievable because of the number of legacy systems already out there and the dissimilarities between corporate functional mandates. While single sign-on may be the vision, the reality and the corporate direction should be reduced sign-on: a phased program for a steady decrease in the number of user authentications required and a concurrent move toward a harmonized security platform that makes this possible. The result should be to reduce the number of places from which enterprises manage user authentication and the number of means with which they authenticate users.

The return on investment (ROI) for reduced sign-on is a combination of the benefits of keeping the "bad guys" out and the reduction of operational expenses.
The former is effectively not quantifiable, while the latter is real and can make a significant difference. The future is now for reduced sign-on. New applications and more passwords have overwhelmed the user, who resorts to security-challenged means of either writing passwords down or putting them on a personal digital assistant (PDA). Forty percent of all help-desk calls are password- or user-lockout-related. Lowering these costs is realizable and tangible. From an operational perspective, the concept of reduced sign-on can pay for itself in eight to nine months. With reduced sign-on, as enterprises roll out Web services and self-services, every new application efficiently spreads the cost over a greater base while reducing time to market.

2003 Gartner, Inc. and/or its Affiliates. All Rights Reserved. 4 August 2003
A key benefit of the drive to reduced sign-on is the enhanced corporate identity-management system that inherently develops along the way. A concern with the drive to single or reduced sign-on is that if you crack one code, you crack them all, opening up the entire enterprise system. Enterprises must separate applications into zones: more-sensitive information means more-secure levels of authentication. Enterprises must rationalize their overt need for passwords and the degree of authentication required. Is a password needed for everything? Does booking a conference room need ultra-secure authentication, or will a simple password suffice for a number of applications? Security and authentication will always follow the concept of defense in depth, specifically in the layering of authentication.

Biometrics

Even though biometrics has significant potential, it has remained in the early adopter stage for a long time. Biometrics is not a cure-all. With biometrics, the adage that "technology is nothing and implementation is everything" is extremely applicable. A true-life example is using fingerprints for authentication, but transmitting the digital representation unencrypted over the network. If a specific biometric is compromised, an individual cannot reset it as with a password.

Authentication Gets Personal

A discussion of single or reduced sign-on in the enterprise is a dollars-and-cents discussion, but when it comes to the enterprise's authentication of the individual, it becomes a personal discussion. What is acceptable and doable for the enterprise is different from a personal perspective. An individual's unique identifier is generally accepted as a justifiable goal, but the road to getting there is fraught with numerous problems. One of the greatest problems in the drive to a unique identifier has been the past and present promiscuity of the use of commonly available identifiers such as social insurance numbers.
Initially devised as an income tax identifier, the social security number is now overused and definitely not used for its original purpose. For instance, water utilities use social security numbers as a means of authentication even though water is not a taxable item. Drivers' licenses have followed the same slippery slope of overuse and inappropriate use. Birth certificates are a core identity, but the process by which they are issued is fraught with error, and they do not provide enough verifiable information.
Biometrics provides the means for a unique identifier, but no one has made the case for why we should provide the information. Enterprises will want to use their own authentication information and methodology. Typically, they won't compromise this drive to interwork with another enterprise (for example, your credit card company won't work with your motor vehicle licensing organization). Why should you trust the other guy with your customers' data?

As with the enterprise, private individuals won't have a single sign-on or card. For them, even reducing the number of sign-ons or cards is questionable. As information is collected and propagated from database to database, it takes on a life of its own. Identity theft just becomes too easy. Generally, there is no problem with a central depository for an individual's identity, but it must be carefully guarded. A need exists for a Fort Knox for identities. Someday we must have a central depository: World events will precipitate it. The question of what one gives up for what one receives has not been answered. Without an overt government push, individuals simply won't buy in until the question is answered. Who will manage this central depository of identities in an environment where every institution has been compromised at some time or another? A single-identity depository in which the individual has control over how his identity will be propagated will evolve, but we will need new laws and new technologies, and the time frame will be at least 10 to 20 years.

Authentication in a Voice- and Data-Converging World

The convergence of voice and data has been a long time coming, but as it becomes a reality, a new level of security and authentication complexity comes with it. Personal identification numbers (PINs) and dual-tone multifrequency (DTMF) signaling passwords are sent over the public networks unencrypted, and people still trust them.
Even though it would be easy to find this information out, with the volume of traffic comes "security by obscurity." With the move to Voice over Internet Protocol (VoIP), the front door to the network opens. How does the network determine that there isn't a data packet along with all the VoIP packets? Traffic can be examined, but a real-time voice application cannot tolerate the resulting delays. Real-time media firewalls are essential. Paralleling data security, a new breed of security devices will arise (for example, telecommunications firewalls, telecom intrusion detection systems [IDS] and so on).
Gartner Dataquest Perspective

While the data industry has had its "hackers," the voice industry has had its "freakers," who specialized in hacking voice switches. Voice theft from private branch exchanges (PBXs) is estimated to cost enterprises $50 billion a year. With data and voice convergence, hackers and freakers will converge on the same target: the enterprise. Even the hacking community has evolved. Rather than simply orchestrating an attack, hackers have moved to publishing the exploit script or tool to their confreres on the Internet, significantly expanding the rapidity and scope of attacks.

Align Enterprise, Employee and Customer Perspectives

"What are you trying to solve?" was an often-repeated question from users and vendors. Authentication is an obvious requirement for the enterprise and the individual, but technology is only an enabler. We must have adequately addressed what we are trying to solve, and the answer must incorporate the rationale from the perspectives of the enterprise, the employee and the consumer.

The Degree of Authentication

With a desire to ensure security, the enterprise may find itself as part of the problem rather than the solution. For incidental applications (for example, booking conference rooms), do away with passwords or allow the user to use simple, repeatable passwords. You want the user to be vigilant on the critical applications, rather than befuddled with a morass of authentication everywhere.

Sign-Ons: Not One, But Fewer

Within the enterprise, single sign-on is only a vision. The baggage we carry with legacy systems and corporate structures dictates that enterprises must lower their aspirations. Reality will be reduced sign-on, and although this may not be total fulfillment of the enterprise's goal, its benefits can be real in the reduction of support costs and the combined evolution of the practice of identity management within the enterprise.

Are Enterprises Perpetrating Identity Theft?

Enterprises must ensure they are not part of the identity theft problem. Enterprises should not use government-assigned numbers (especially social security numbers and drivers' licenses) as unique personal identifiers for access to their operations. The U.S. Federal Trade Commission, state-level consumer advocates and many U.S. Congress members are dedicated to stopping indiscriminate use of social insurance numbers for corporate or other identification. They believe that promiscuous use enables identity theft, "economic crimes" such as money laundering, and identity fraud, including use in terrorism and other crimes such as welfare fraud.
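The zoning advice above (under "Authentication and Biometrics" and "The Degree of Authentication") can be made concrete as a small step-up authentication policy, shown here as an added example that is not part of the original Perspective or any vendor's product. The zone names, assurance levels and application registry are this example's own assumptions; the point it demonstrates is that one stronger authentication carries across every lower-zone application, which is what reduces the number of prompts without sharing one credential across all zones.

```python
from dataclasses import dataclass
from enum import IntEnum

# Assurance levels, ordered so a stronger level satisfies any weaker requirement.
class Assurance(IntEnum):
    NONE = 0        # no authentication: incidental applications
    PASSWORD = 1    # a simple, reusable password
    STRONG = 2      # password plus a second factor (token, biometric)

# Zones: sensitivity tiers; names and minimums are assumptions for this example.
ZONE_MINIMUM = {
    "incidental": Assurance.NONE,
    "internal": Assurance.PASSWORD,
    "sensitive": Assurance.STRONG,
}

# Hypothetical application registry: every application sits in exactly one zone.
APPLICATIONS = {
    "room-booking": "incidental",
    "intranet-wiki": "internal",
    "payroll": "sensitive",
    "hr-records": "sensitive",
}

@dataclass
class Session:
    user: str
    assurance: Assurance   # strongest authentication achieved in this session

def required_assurance(app: str) -> Assurance:
    zone = APPLICATIONS[app]   # KeyError for an unregistered app: fail closed
    return ZONE_MINIMUM[zone]

def authorize(session: Session, app: str) -> str:
    """Return 'allow', or 'step-up:<LEVEL>' naming the authentication still needed."""
    need = required_assurance(app)
    return "allow" if session.assurance >= need else f"step-up:{need.name}"

def step_up(session: Session, achieved: Assurance) -> Session:
    """Record a completed stronger authentication; a session's level never drops."""
    return Session(session.user, max(session.assurance, achieved))

def prompts_needed(session: Session, apps: list[str]) -> int:
    """Prompts a user faces over a sequence of apps when each step-up is reused."""
    count = 0
    for app in apps:
        need = required_assurance(app)
        if session.assurance < need:
            count += 1
            session = step_up(session, need)
    return count

def prompts_per_application(apps: list[str]) -> int:
    """Baseline for comparison: every non-incidental app authenticates on its own."""
    return sum(1 for a in apps if required_assurance(a) > Assurance.NONE)
```

Running a day's sequence of room-booking, wiki, payroll and HR access through both counters shows two prompts under the zoned policy against three under per-application sign-on, while payroll still demands the strong level on its own.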
Next-Generation Authentication

Voice and data convergence represents a brave new world for security. Hackers and freakers will converge to address it. The security tools for data will be mirrored to address a VoIP network and also to address voice's real-time requirement, so processing capabilities must be greatly accelerated. An often-used expression regarding security is the "layered" approach. With each new technology, a new security technology must be layered on, dampening innovation. The hackers' greatest detriment may not be their immediate attacks, but rather the long-term impact of technology advancement slowing to ensure security is addressed.

Key Issue

How are network security concerns impacting enterprise communications networks?

This document has been published to the following Marketplace codes: TELC-WW-DP-0576

For More Information...

In North America and Latin America: +1-203-316-1111
In Europe, the Middle East and Africa: +44-1784-268819
In Asia/Pacific: +61-7-3405-2582
In Japan: +81-3-3481-3670
Worldwide via gartner.com: www.gartner.com

Entire contents 2003 Gartner, Inc. and/or its Affiliates. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

116569