Enterprise Authentication: How to Deploy Appropriate Security
Interview with Steve Neville of Entrust
Steve Neville, Director of Identity Products and Solutions at Entrust, discusses:
Neville draws on more than nine years of hi-tech marketing and product management experience to drive the strategic direction of both products and solutions for Entrust. Prior to joining Entrust, Neville was Director of Marketing at an innovative Web technology company, NetPCS Networks, where he was responsible for all market-facing activities, including direct, channel and corporate marketing. He also was responsible for the company's critical web presence and oversaw the launch of NetPCS' leading-edge online interaction product.
TOM FIELD: Hello, this is Tom Field, Editorial Director with Information Security Media Group. We're talking about enterprise authentication. With us today is Steve Neville, Director of Identity Products and Solutions with Entrust. Steve, good to talk to you again.
STEVE NEVILLE: Hi. Great to talk to you as well, Tom.
FIELD: Let's set some context here for the topic and speak sort of broadly about enterprise authentication. How do you define this topic for financial institutions?
NEVILLE: The typical way that people think about it is enterprise authentication equals internal use. A lot of times that's true. But often it can extend to partners as well, and of course financial institutions will oftentimes have partners. Common examples of what people think about for enterprise authentication are things such as VPN type environments, where people are coming in from the outside. But the reality is that enterprise authentication is an all-encompassing issue across the enterprise for all users at financial institutions.
FIELD: What do you find to be the chief challenges that financial institutions face today regarding enterprise authentication?
NEVILLE: The biggest changes and challenges are that username and password is not good enough in a lot of cases now for their applications. It's been talked about for many years by leading analyst firms like Gartner. Usernames and passwords are truly not appropriate for a lot of applications. That's fundamentally because of the ease with which usernames and passwords can be compromised, and the corollary damage that can be done as a result. All you have to do is look at some of the types of breaches that are out there today.
If you look on privacyrights.org, in the 200 and some-odd million user identities that have been breached over the past several years, you know that there is typically a story that goes along with it that is fairly negative. So you've got to go beyond username and password. Rather than just a small amount of users that are coming into a bank VPN today, you have to go wider and you have to go to users with more than username and password. The idea of simply expanding those small deployments through very expensive hardware tokens from people like RSA doesn't sit well in today's economic times.
FIELD: Steve, I know you're out there talking with lots of global institutions. What are some of the ways that they're tackling some of these challenges you've talked about, and doing so successfully?
NEVILLE: The biggest point of success is that these financial institutions are abandoning that legacy, single-purpose token authentication platform that they've had for years in favor of something more versatile, or as Gartner defines it, a "Versatile Authentication" server. They are buying a platform that can deliver a wide variety of authenticators from that single platform. And the real value of these is that beyond just the flexibility and versatility of the platform, these are much more cost-effective solutions. They can manage all of the users and all different types of authentication in a single platform for a fraction of the cost of what their old authentication provided.
This is where financial institutions are really focused on evolution versus revolution, as well as to get some of that success. They aren't moving from username and password for some, or token for a small amount, to iris scanning for all. They are doing things like adding questions and answers to online applications and leveraging device authentication to ensure users on a specific machine. They are still leveraging physical second factors like tokens and other alternatives, but they are deploying much more cost effective versions of the traditional token where appropriate. Some newer options like Entrust have a patented grid card authentication. And there are other options out there. More options and more flexibility is really what's driving success out there for financial institutions.
FIELD: You used some key words there such as flexibility, versatility and cost effectiveness. When I speak with banking security leaders, they always want to know where the "gotchas" are. So, when they are trying to find the versatility, the flexibility and the cost effectiveness, what are the "gotchas" they've got to look out for?
NEVILLE: The biggest "gotcha" is found in the definition of versatility. Don't assume one size is going to fit all, or even two sizes are going to fit all. All users are not created equal. You think about a normal banking employee, a financial institution employee, and an HR application gets launched online. Perhaps ask questions on device authentication or IP geolocation, questions that are going to give them more than username and password, ensuring that compliance is met. Obviously there are a lot of regulations out there in terms of what can be exposed and not. And it's definitely better than username and password. Then you look at an executive. Maybe you give them a token or you give them a smartcard. You've got to have the range that can start from one end of the spectrum and go all the way to the other. The second "gotcha" is to not try and purchase solutions that will only be single purpose, in terms of where you deploy. What I mean by that is don't buy a solution that can only work inside the enterprise and serve internal users.
Buy a solution that can serve internally well so it will fit in the enterprise and integrate with your applications effectively, but also fit in the external world where we know a lot of organizations have deployed stronger authentication. There is a true need for more than just what has been deployed. Because of FSIC, escalations have happened throughout the globe in terms of level of risks. You need something that can stretch beyond that. And the value there is that the knowledge you gained from either environment where you deployed a platform can drive increased efficiency and literally take costs out of the business. Finally, from a "gotcha" point of view, look at some of these pandemics that are out there, the H1N1 virus, natural disasters, those are always a possibility. Don't deploy a solution that can't adapt to different types of solutions; for example, the idea that normally I come in and log in on my desktop and tomorrow I can't come in because there's a pandemic. You need a solution that can work in that environment. Perhaps you want something that can, as a backup, use mobile devices that you have issued to your end users, whether that is storing something on it, like an electronic grid, or using out-of-band password with e-mail or SMS. You need that flexibility to be able to adapt because those are some pretty big "gotcha" moments when you still need to run your business but the world is in a bit of a shambles.
FIELD: That's a great point. Now Steve, there's a lot of interesting things happening on the consumer side of the world. What are some of the lessons that can be learned from the consumer side of the experience and applied in the business?
NEVILLE: You've had some experience now deploying to these consumers. And ultimately consumers are like employees; you just have a little bit more control over employees. At the end of the day, username and password is not enough. But not everyone wants or needs physical authentication. You need to have a range, you need to be flexible and you need to be able to address multiple user communities without having to stand up new infrastructures. I will give you an example. For normal users inside the enterprise, don't burden them with unnecessarily painful options. Perhaps give them choices, and one of the great things about people and choices is when you combine those two together, security can be much more effective because the user now feels like they are a part of the solution. They've made a choice to be more secure in a way that fits with who they are. And if you have a solution that is flexible, you can do that without a lot of undue cost. You don't have to spend the traditionally exorbitant fees that have been there in the past for tokens. There are solutions out there today that give financial institutions a choice of whatever they want, even tokens, at a fraction of what the cost was. Those are all lessons coming from the consumer side that can be applied well inside the enterprise.
FIELD: Steve, last question for you, and it's sort of looking at the bottom line. You know we're in tough times now, with people having to go the extra mile to make a case for any kind of a solution. For a banking security leader, what is the best business case that they can make for addressing these enterprise authentication issues now?
NEVILLE: Going beyond username and password is a given. What you go to is not. You've got to pick something flexible, cost effective and open. And it needs to fit in your applications and address your security needs for a variety of user types. It needs to be able to evolve and adapt to new projects, whether they are internal or external. You think about that last point, and a business case could be simply made by saying, "You know what? I can leverage a single infrastructure for both my enterprise as well as my consumer environments. That's going to lower the cost of my business, both operationally as well as in the acquisition of the solution, both today and over time as I expand." The flexibility, the cost effectiveness of an initial purchase and being able to leverage it across applications, internally and externally, is a pretty strong business case in the face of times that are demanding stronger security.
FIELD: Well said. Steve, it's always a pleasure to talk with you. I appreciate your time and insight today.
NEVILLE: Thanks very much, Tom.
FIELD: We've been talking about enterprise authentication. With us has been Steve Neville of Entrust. For Information Security Media Group, I'm Tom Field. Thank you very much.