The relentless addition of passwords to business applications is causing a major productivity fallout at many organizations and may be putting securities firms at significant -- and underestimated -- risk.
"When we ask a room full of IT professionals how long it takes them to remove all authorized access for a single terminated employee, we see the most consensus around the 'weeks, months or more' time frame," asserts Mark Diodati, identity and privacy strategies analyst for research and advisory firm Burton Group. "Even in small organizations it's problematic."
Indeed, managing multiple tiers of data access across employees, contractors and partners -- both on-site and at remote locations -- has spawned a new IT security category known as "identity and access management." Commonly referred to as securing the front door to enterprise data, this mushrooming category will grow to $5.1 billion by 2010, according to IDC's most recent research.
The Glenmede Trust Company, a wealth manager for ultrahigh-net-worth individuals, began logging unacceptable levels of productivity and security overhead resulting from password management early in 2005. At the time, password-protected applications regularly accessed by the firm's 250 employees approached 30. "As we scaled up our client offerings, we needed more tools and more protection layers," says Nicholas Voutsakis, the firm's CTO. "But some tools were negatively impacted because people couldn't remember yet another password, and we experienced a steady flow of help desk calls for password resets."
Due to his firm's emphasis on client service, Voutsakis says, finding a user-friendly solution was critical. "Fortunately the technology was mature enough by late 2005," he says. "Then it was simply a matter of prioritizing it into our project portfolio."
Coincidentally, new banking regulations stipulated implementing two-factor authentication by the end of 2006. There are three universally recognized authentication factor categories: something you know -- a password, PIN or similar code; something you have -- a security token/badge, credit card or mobile phone; and something you are -- a fingerprint, retinal scan or other biometric. Using two or more factors is considered strong authentication. "Irrespective of specific regulatory requirements, if your peers are using strong authentication strategies, ignoring the trend means you're dead in the water if you're ever in court," points out Burton Group's Diodati.
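To make the two-factor idea concrete, here is an added example (not from the article, and not Glenmede's or any vendor's code) that checks a "something you know" factor and a "something you have" factor together: a salted PBKDF2 password hash for the first, and a time-based one-time code (TOTP, RFC 6238, as generated by a hardware token or phone app) for the second. The stored password record, the shared token secret and the sample credentials are constructed for the demonstration; the drift window of one 30-second step either side is an assumed policy choice, not something the article specifies.

```python
import hashlib
import hmac
import os
import struct
import time

# --- Factor 1: something you know (salted PBKDF2-HMAC-SHA256, no plaintext stored) ---

def hash_password(password, salt=None, iterations=200_000):
    """Return a storable record: random salt, iteration count and derived key."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}

def verify_password(record, candidate):
    """Re-derive with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])

# --- Factor 2: something you have (HOTP per RFC 4226, TOTP per RFC 6238) ---

def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the big-endian counter, dynamically truncated to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, at, step=30):
    """TOTP is HOTP with the counter derived from Unix time divided by the step."""
    return hotp(secret, at // step)

def verify_totp(secret, code, at, step=30, window=1):
    """Accept the current step plus `window` neighbours either side to tolerate clock drift
    (assumed policy; tighter windows reduce the guessing surface)."""
    return any(hmac.compare_digest(totp(secret, at + k * step, step), code)
               for k in range(-window, window + 1))

def authenticate(record, secret, password, code, at=None):
    """Both factors must pass. Both are evaluated regardless, so a bad password and a
    bad code take the same path and leak nothing about which factor failed."""
    at = int(time.time()) if at is None else at
    pw_ok = verify_password(record, password)
    otp_ok = verify_totp(secret, code, at)
    return pw_ok and otp_ok

if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret and a throwaway password.
    token_secret = b"12345678901234567890"
    stored = hash_password("correct horse battery staple")
    now = int(time.time())
    current_code = totp(token_secret, now)        # what the user's token would display
    print("both factors ok:", authenticate(stored, token_secret,
                                           "correct horse battery staple", current_code, at=now))
    print("wrong password:", authenticate(stored, token_secret, "guess", current_code, at=now))
```

The TOTP routine reproduces the published RFC 6238 test vectors (for the secret above, time 59 gives 287082), which is a useful check when integrating a real token fleet: a code that does not match the vectors points to a secret-encoding or clock-step mismatch, not to the user.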
Glenmede used its authentication project as an opportunity to review security strategies enterprisewide, as well as for its clients who access their data via the Web, explains Glenmede's Voutsakis. "Although regulatory requirements framed our solution search, they weren't the primary driver. We were also analyzing security enhancements to our remote log-in capabilities via an SSL [secure sockets layer] VPN by Cisco. So hardening our front door was part of a larger implementation. This, in turn, was part of an even broader strategy to integrate and secure a range of enterprise technologies while making them all easier to use."
Anne Rawland Gabriel is a technology writer and marketing communications consultant based in the Minneapolis/St. Paul metro area. Among other projects, she's a regular contributor to UBM Tech's Bank Systems & Technology, Insurance & Technology and Wall Street & Technology.