When it comes to securing access to your IT systems, Anton Grashion, security strategist at Juniper Networks, likens it to a predator-prey relationship.
“All your networks are antelopes in the Savannah, and you’ve got predators out there who are trying to get in,” he states. “So long as you have prey you will also have predators — they want to gain access these days not just to prove they can get in and be clever but they are doing it for money.”
When people discuss identity management and authentication technologies, security is normally the aspect identified first — maintaining secure access to your systems is obviously a paramount concern for an organisation.
However, as Grashion acknowledges, these days there is also a lot more to it than just keeping the predators out — you also need to know just how much access you give to the people you do let in.
“Originally you authenticate people because you want to find out who’s on your network — that’s a no-brainer,” he explains.
“Everything on the outside of the network is untrusted — the internet, the great unwashed. So the good guys are on the inside, the bad guys on the outside and you monitor that perimeter.”
“But it then blossoms from there because the business environment has evolved,” Grashion says.
“What they [authentication systems] are becoming now is a much richer environment so you can audit what people have actually been doing and which assets they have been gaining access to and you can control that as well.”
While authentication systems used to be black and white — you let users in or you didn’t — today’s IT systems are becoming more and more complex; with employees in all sectors needing access to an ever increasing number of applications, databases and networks, there is a greater and greater need to limit just who gets access to what.
This can lead to requirements for separate usernames and passwords — a situation that can create not just security risks but also administrative complications.
And mounting compliance regulations — particularly those governing financial institutions — are now requiring firms to provision users and account for who is accessing which applications.
If anything, companies today might be best advised to treat their IT systems in the same way as concert promoters treat the back stage areas of a rock concert: only a privileged few have an access-all-areas pass.
The rest could be restricted to certain designated areas and those without adequate means of identifying themselves should be barred altogether.
These types of issues mean that identity management has had to become a lot more specialised — and is becoming increasingly important.
Identity management deals with identifying individuals in a system and controlling their access to resources within that system by associating user rights and restrictions with the established identity — the IT equivalent of the passes handed out by concert promoters.
Identity management software can also automate administrative tasks, such as resetting user passwords.
In an enterprise setting, identity management is used to increase security and productivity, while decreasing cost and redundant effort.
According to Mohamed Al Ojaimi, technology solutions marketing, at Oracle Middle East and Africa (MEA), adoption of these solutions is now being driven by the fact that identity management is becoming “a business issue rather than a technical issue because you want to know who is this user, what is his role and what systems should he be given access to”.
Demand for specialist identity and access management software grew by 10% to reach US$719 million in 2004, according to IDC figures.
By 2009, the research firm believes that the market will have almost doubled, to an estimated US$1.3 billion.
Naveed Moeed, senior technology consultant for RSA in the MEA region, points out that: “Customers are no longer price conscious the more that identity has become a problem.”
“It’s not so much that there’s infinite budget for these things but whereas IT budgets used to be very much geared towards storage and applications, identity management is now a big factor in this budget.”
Need to comply
Globally, another driving force behind the adoption of identity management and user provisioning software is compliance — organisations in many sectors now need to prove that only certain users can gain access to certain types of records.
According to analyst firm Gartner, compliance regulations are driving growth in the user provisioning market — where users are granted access rights according to defined ‘groups’, depending on their status.
This market grew 19.7% in 2005, with revenue reaching US$753.3 million.
Maria Medvedeva, director of security management for CA in the Europe, Middle East and Africa (EMEA) region, says banks are under particular pressure to comply with regulations — a factor that is driving their adoption of identity management software.
“Banks have to comply with certain strict procedures which require them to prove that each individual has access to particular applications or accounts or infrastructure components,” she says.
“In a good bank with multiple applications you have on average 1,000 to 2,000 business applications, 4,000 employees and about 6,000 different types of accounts. Without adequate controls it becomes impossible to see who does what and who accesses what.”
CA’s identity management solution provides user provisioning and includes an animated directory structure where all the user information is stored, including what access rights they have.
On top of the directory sits a tool called Identity Manager, which assigns users to certain accounts or to certain groups and gives them rights.
“CA provides solutions that basically define three simple things: who has access to what in the environment, what is happening and what actions need to be taken based on the information you know,” says Medvedeva.
“It gives you the ability to create user accounts as well as to provision user accounts, which means that you are able to delete or remove user accounts when a user chooses to leave the company.”
As well as managing the identities of internal users, the wide availability of online services via company portals means organisations must control who is accessing their applications from the outside too.
This can be further complicated by the fact that enterprises often allow customers access to their databases, containing financial, product and customer information, via online portals.
“Giving your employees, customers and business partners broader access to your applications via the web benefits your business by allowing them to place their own orders, service their own accounts and update their own profiles,” says Oracle’s Ojaimi.
“This access, however, brings security risks — more people using more applications over the internet means more chances for security breaches, stolen data, and halted operations.”
“In such a fast moving environment where applications can be deployed quickly, access and provisioning become very big issues, particularly when it comes to internal security systems,” Ojaimi goes on to add.
E-government
Another area of online services where security has become an issue is e-government, with initiatives in the region such as that being undertaken in Dubai, where the government hopes to make 90% of services available online by the end of next year.
The criticality of some of these services, the sensitivity of the information involved and the fact that some of it involves financial transactions being carried out online, means that the stakes are high.
“E-government initiatives all rely on improving citizen services — and when you log onto a portal you want to make sure that your information does not get disclosed to somebody else,” says CA’s Medvedeva.
“For instance, you don’t want anybody else to receive your traffic ticket,” she adds.
Companies offering services online must therefore deploy strong authentication and identity management solutions to control access to applications by external users and ensure that online services don’t become a backdoor to their corporate network.
“Strong authentication solutions help solve this problem by creating user profiles and checking multiple factors such as passwords, tokens, smart cards and even biometrics to identify users before giving them access to your IT infrastructure,” says Ojaimi.
Oracle Access Manager, part of Oracle Identity Management Suite, offers such solutions.
This delivers web single sign-on, meaning external users log on once and don’t have to log on again to reach different applications, and it works in a heterogeneous environment, which means it is not affected by what the customer has in terms of systems and platforms.
Abdul Mulla, a Tivoli security technical pre-sales specialist for IBM Middle East, explains that there are various means of authentication depending on the requirements of the service involved and how business critical it is to the end user.
“What we have noticed is that depending on the type of service provided, the criticality of the service, they can step up the authentication or step down,” he says.
“Most governments are using two-factor authentication and some services require user ID and password authentication, where the password goes along the wire and is encrypted.”
The adoption of authentication technology in the region, though slow, is increasing, according to Jitendra Kapoor, business development manager for Online Distribution, which distributes Vasco and SafeNet authentication tokens in the region.
He claims his company has seen a big increase in enquiries about authentication and encryption solutions from firms in the region who are changing the ways they think about security to meet rising threats from hackers, phishers and identity thieves.
Though he admits “even today it has not been much.”
According to Kapoor, “traditionally it’s been about parameter security such as firewalls, which protect you from so-called internet threats. But more recently the trend has been towards cutting through the parameter and talking about authentication and encryption.”
“Going forward, the next 12 months are going to be good for both authentication and encryption solutions,” he adds.
Banks in the region are one type of organisation that is likely to be a strong adopter of authentication technology — after suffering a spate of online security attacks in recent months.
Banks affected by phishing attacks include HSBC, MashreqBank and National Bank of Abu Dhabi (NBAD) while hackers have also attacked Emirates Bank and Commercial Bank of Dubai (CBD).
Phishing attacks are where the perpetrator sends out legitimate looking e-mails that appear to come from trustworthy web sites in an attempt to gather personal and financial information from the recipient.
In the case of online banking customers they are sent e-mails, purportedly from the bank, which usually contain a link to what appears to be the bank’s website, and are asked to enter their account details and in some cases passwords or pin numbers.
In the case of HSBC, in June this year customers were sent a fraudulent e-mail claiming to have come from the bank entitled ‘HSBC UAE. Urgent Update’.
The e-mail requested customers to click onto a link to a website designed to look like HSBC’s then enter their pin code as a means of activating a new security system.
Account holders were warned their accounts would be suspended if they did not reply to the e-mail.
Etisalat and HSBC detected the e-mail on May 31 and Etisalat blocked the fake website through its proxy server around 15 minutes after the e-mail reached customers.
HSBC admitted at the time however that this action was too late for a “few customers” that responded to the e-mail, although it said it was only a small number of customers that replied relative to the volume of e-mails that were sent out.
These attacks rely on social engineering and the ignorance of users for their success and mean that static passwords no longer provide adequate protection for online banking customers.
One way to protect customers against these attacks is through authentication tokens which generate a different password every few seconds.
Using these devices, even if a phisher successfully obtains a user’s password details, by the time they attempt to log into the user’s account, that password will have changed.
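The mechanism described above, as an added example (not from the article, and not RSA SecurID's proprietary algorithm): a time-based one-time password following the open RFC 6238 standard, with a verifier that rejects a captured code once its time step has been used or has expired. The 60-second step, 6-digit length, one-step drift allowance, key and timestamps are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds each code is valid (assumption for this example)
DIGITS = 6   # code length (assumption)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: the counter is the number of elapsed time steps."""
    return hotp(secret, now // step)


class Verifier:
    """Server side: accepts each time step at most once, within +/- drift."""

    def __init__(self, secret: bytes, step: int = STEP, drift: int = 1):
        self.secret, self.step, self.drift = secret, step, drift
        self.last_counter = -1  # highest time step already consumed

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for counter in range(current - self.drift, current + self.drift + 1):
            if counter < 0 or counter <= self.last_counter:
                continue  # never accept an already-used or older step
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


def demo() -> dict:
    secret = b"12345678901234567890"  # constructed sample key (RFC 4226 test key)
    t0 = 65                           # constructed timestamp, falls in time step 1
    captured = totp(secret, t0)       # the code a phishing page would collect
    bank = Verifier(secret)
    return {
        "code": captured,
        "customer_login": bank.verify(captured, t0 + 5),
        "replay_same_step": bank.verify(captured, t0 + 10),
        "replay_after_3_min": Verifier(secret).verify(captured, t0 + 180),
        "replay_within_drift": Verifier(secret).verify(captured, t0 + 65),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last case shows why the server's drift allowance should be kept small: a captured code that the customer never used stays acceptable for as long as that window lasts.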
“What these devices give you is a dynamic password — that’s the key factor behind authentication tokens,” says Kapoor at Online Distribution.
“The password changes every time you log in so it doesn’t matter if someone spoofs off your password or has a key logger recording the letters you type into your keyboard — it doesn’t matter because the next time you log in there is a different password altogether. It provides you with foolproof security.”
One of the banks in the region that has adopted this technology for its online banking customers is NBAD, which purchased RSA’s SecurID two-factor authentication tokens last year for its 19,000 online customers.
Each customer has now been given a token bearing a digital security number, which changes every 60 seconds and which they can use to access their online banking details.
RSA SecurID is a bundled solution, which includes the RSA SecurID Appliance, RSA SecurID tokens, and RSA Authentication Manager software and hardware support.
“Recent high profile security breaches mean that awareness of the potential risks of banking online is high and many users are nervous of using the internet to conduct financial transactions,” says Srood Sherif, head of the information technology division at NBAD.
“We wanted to provide additional security and peace of mind for our customers, and believe that using strong two-factor authentication such as RSA SecurID technology is one of the best ways of achieving that.”
Another bank in the region that is considering adopting authentication devices for its online banking customers is Commercial Bank of Dubai, which last year suffered a hacking attack in which its static website was defaced.
It is now considering deploying authentication tokens to its customers as well as to its employees.
Rinaldo Ribeiro, senior manager for IT security at the bank, said earlier this year that the bank would be issuing one-time password tokens to its customers.
Authentication tokens, smart cards and even biometrics are also adopted by enterprises for their internal users logging onto the network.
The thinking behind the technology is that using a password as the only way to authenticate users is no longer enough given the internal threat posed by identity sharing among users.
“I think identity sharing is probably the biggest problem — especially in a culture like ours in the Middle East,” says RSA’s Moeed.
“People more often than not will share passwords or let them slip,” he continues.
“It starts off with small things like a colleague letting another colleague know his password so he can gain access to a system. Then before you know it 100 people are sharing information in a similar fashion. And the more people that you have sharing identity amongst themselves the more risk there is that somebody will do something fraudulent,” he adds.
Kapoor argues that as many as 60% of threats are from internal users. “All of us engage at some point in behaviour that is not security conscious — having your birthday or spouse’s name as a password or telling your their password are just some examples,” he points out.
Biometric tech
Biometrics technology provides an even stronger layer of authentication. Biometrics is the science and technology of measuring and analysing biological data.
In information technology, biometrics refers to technologies that measure and analyse human body characteristics, such as fingerprints, eye retinas and irises, voice patterns, facial patterns and hand measurements, for authentication purposes.
Patrick Gilmore, director of biometrics for MEA at Motorola, explains that although enterprises in the region are starting to consider biometric access control and authentication point solutions for high security situations, they do face some obstacles, most notably the fact that not everybody is suitable for fingerprint scanning because of digit wear — skin on the fingers becoming worn so the print is less defined.
“One landmark project in Dubai, which uses biometrics for access control, eventually decided on RFID cards because of the issues around speed of access and the free-flow of people,” he claims. “What we are seeing is enterprises deploying biometrics in high security, low population areas, where security is paramount.”
Moeed predicts a growth in hybrid devices — a combination of smart card and authentication tokens, which can also be used to enter a building — and for online banking customers as a credit card complete with a liquid digital display with a changing PIN number.
He believes another trend will be convergence of authentication solutions on mobile devices, such as mobile phones and PDAs carrying two-factor authentication tokens.
“Customers who wish to give tokens to their users don’t want their users to be carrying around multiple devices, so why not put a token on a user’s mobile phone,” he adds.
Osama Friejeh, technical consultant for Secureway, which distributes ActiveIdentity solutions in the region, also believes convergence is the way forward for authentication devices.
“Technology is going into convergence, meaning that more solutions have to be integrated together — authentication, single sign-on, smart cards and user provisioning solutions. We have a partnership with Sun Microsystems to integrate our products with their user provisioning solution and with Novell’s identity management solution,” he says.
CA’s Medvedeva believes that identity management systems will become more tightly integrated with forensics technology designed to monitor user behaviour and detect fraud.
“I think the future is that it will become more and more integrated with network forensics. Once the information on user actions is gathered it can be analysed by correlation agents that are able to detect any kind of fraud that is being committed,” she explains.
Juniper’s Grashion believes the technology will be simplified in the future — and that once this is done it will become more effective.
“Security has to be like picking up the phone — transparent and mind-bogglingly easy. What is happening today is there’s so much latitude — you switch on your computer and you’re asked if you want to download a security patch,” he says.
“You have the option so you say ‘no I’ll wait’ — you’re being allowed to make poor decisions.”
Whichever direction identity management and authentication take in the future there is no doubt they are here to stay.