Gary Walker, solutions manager at Telindus, looks at an ever-growing problem.

Protecting IT systems against unauthorised access has become an essential requirement for every business. 

With the growth of e-business and legislation such as the Freedom of Information Act, applications and services need to be available to an increasing variety of users: office-based workers, remote users, suppliers, customers and the general public.

But the plethora of firewalls, encryption and authentication systems that companies are investing in do not seem to be enough to prevent security breaches and identity theft. 

According to IDC, poor password control accounts for the vast majority of security breaches, with 50 per cent of businesses having their security compromised due to weak passwords.

So however effective a company's IT security may seem, a simple mistake such as sharing a password can leave key data exposed. 

Careful password management is essential

Because of the vulnerability of static passwords, it is imperative that access to systems or networks be managed properly, with the utmost attention given to controlling the generation, distribution, retrieval and use of passwords.

In large or diverse networks this is often a very difficult goal to achieve. The problem with passwords is that humans forget them, write them down, stick them to their computers and never change them.

Phishing attacks are increasingly successful as many banks still use static passwords as part of the log-in process, making it easy to fool customers into divulging their passwords.

Eliminate static passwords by taking the burden of password management away from the customer, and the problem is greatly reduced. The biggest step towards network security a corporation can take is to NOT let users be in possession of their own passwords.

Access via SSL VPN solves part of the problem

In the context of network protection, there is a growing recognition of the benefits that secure socket layer virtual private networks (SSL VPNs) can provide and the limits of the IPSec VPN.

Many IT organisations face the complexity of supporting a growing variety of users, all of whom require different levels of access to information according to their job function; they are also faced with the challenge of opening up their network to customers and suppliers.

IPSec is well suited for point-to-point connectivity, between a head office and its regional centres, for example, but is less well matched to remote access from the growing variety of locations in which users may now find themselves: at home, at a customer or supplier, or even an internet café or Starbucks.

In this context it is financially harder to provide an IT support function that maintains a central pool of company laptops, equipped with multiple software agents, running a variety of different applications, needing bespoke installation and updating. Who needs the experience of a day grounded in the office while IT resuscitates or upgrades a laptop?

What the modern organisation needs is to provide a service to its users without being bogged down in the provision of hardware, managing user authentication or worrying about who has access to what information and whether the end-point is trustworthy.

Combining SSL VPN access with a managed service that deals with the headache of user authentication opens up the possibility of providing a much richer variety of information to remote users. It can surely facilitate the secure provision of public information, and is one of the goals of e-government.

Managed authentication

The root cause of security breaches is that 95 per cent of organisations still use static passwords for authentication. Companies spend thousands of pounds on intrusion detection systems and products to prevent security breaches, but they are all managed by static passwords.

One major credit card organisation with 140 million users worldwide was successfully hacked, via its intrusion detection system, primarily because it was linked to a database that made use of static passwords.

Authentication enables identity to be assigned to an individual within an organisation. Through authentication, trust is established.

If a method of authentication is not properly deployed, the impact is to impart significant vulnerabilities to an organisation's IT systems, which can lead to exploitation, unauthorised access, loss of data, unnecessary downtime, or other disruptions.

How a managed authentication service (MAS) works

Users log on using their token and dynamically generated password, and are authenticated through the MAP data centre, which holds details of the user's level of authorisation, as provided by the user's organisation.

Once authenticated, users are redirected to their internal computer network to gain access to applications. The MAS 24x7 support centre will liaise with the customer's IT organisation to provide support, or talk directly to end-users, if required, to provide login facilities in cases where tokens are lost.

The customer's HR or IT department is given access rights to the MAP via a customer portal to make it easier to add, upgrade or remove users.

The MAP will automatically generate new tokens and update or cancel existing ones, to reduce the risk associated with disgruntled employees. The whole process dramatically reduces the level of password misuse.
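The central verification step described above, as an added illustration that is not Telindus's MAS/MAP code: the "dynamically generated password" is assumed to be an HMAC-based one-time password (RFC 4226 HOTP), the verifier holds each user's token secret and the authorisation level supplied by their organisation, burns each accepted counter so a captured code cannot be replayed, and honours token revocation. User names, secrets and roles are constructed sample data.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class TokenRecord:
    secret: bytes        # token seed, held only by the verifier and the token itself
    counter: int         # next counter value the verifier expects from this token
    role: str            # authorisation level provided by the user's organisation
    revoked: bool = False


class AuthenticationCentre:
    """Constructed stand-in for the central data centre that verifies token codes."""

    LOOKAHEAD = 5  # tolerate a few unused token presses before the token must be resynced

    def __init__(self):
        self.tokens = {}  # user name -> TokenRecord

    def enrol(self, user: str, secret: bytes, role: str) -> None:
        self.tokens[user] = TokenRecord(secret, 0, role)

    def revoke(self, user: str) -> None:
        # Cancelling a token (lost device, leaver) takes effect on the next log-on attempt.
        self.tokens[user].revoked = True

    def authenticate(self, user: str, otp: str):
        """Return the user's authorisation level on success, or None on failure."""
        rec = self.tokens.get(user)
        if rec is None or rec.revoked:
            return None
        for c in range(rec.counter, rec.counter + self.LOOKAHEAD):
            if hmac.compare_digest(hotp(rec.secret, c), otp):
                rec.counter = c + 1  # resync and burn this counter: replays are rejected
                return rec.role
        return None
```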

Integrating security and identity directories

In all the discussions about managed authentication, SSL VPN and the ability to secure a more widely available, often wireless, infrastructure, one area is often overlooked, and is frequently vulnerable.

Microsoft Active Directory is at the heart of most organisations, as the backbone for Microsoft Windows Server 2003 and 2000 operating systems.

Active Directory supports access to often-critical applications, but without guaranteed availability of the DNS and DHCP services on which Active Directory relies, access to those applications is jeopardised.

Many organisations give little thought to the security risks of running Active Directory, RADIUS, DNS and DHCP services on a standard server, including the lack of failover, and accept having to deal with the ever-present vulnerabilities of Windows operating systems.

Dedicated appliances are now available, such as those from Infoblox, which have built-in security hardening and easier centralised management. They can be used to enhance the availability and performance of all such services, by removing them from domain controllers.

As domain controllers are often distributed across the network, to provide for faster logon and quicker access to directory services, there is an increased level of vulnerability to hackers, as patching and updates to Active Directory software become much more time-consuming and labour-intensive to distribute.

A dedicated, hardened device adapted for this purpose improves availability and security, ensures easier management, and can be built into most types of remote access solution. Indeed, these devices prove particularly useful in wireless or IP telephony environments where there is more pressure on Active Directory services.

IT need not hold back global expansion

Organisations in both the public and private sector are increasingly looking to information technology to drive and support their rapid development and expansion into global markets.

Advances such as intranets, extranets and the internet make it easy to communicate with people and markets in a way that was inconceivable a few years ago.

However, with all of the opportunities that technology and open environments bring to a company, they also bring increased risks and vulnerabilities.

Many managers are now forced to live with growing concerns relating to unauthorised users, disgruntled employees, industrial spies, hackers and over-inquisitive employees compromising and exploiting their information systems.

It is equally important to discourage legitimate users from accidentally deleting files or stumbling into parts of the business that they should not be able to access.

Perhaps more importantly, as companies extend their customer reach through the internet it becomes increasingly critical to know exactly whom you are dealing with at the other end of the wire.