U.S.: Cybersecurity Must Go Beyond Passwords
If indeed we are operating in a "digital economy," standard security measures such as passwords are no longer sufficient to shield the underlying IT infrastructure from sophisticated hackers, asserts a panel of U.S. experts and advocates of "multi-factor" authentication technologies.
A report released late last year by the U.S. Commission on Enhancing National Cybersecurity warns: "For now, technological advancement continues to outpace security and will continue to do so unless shifts in our cyber-security strategies—and how well we implement those strategies—are made."
Security concerns have been heightened by recent malware exploits targeting Internet of Things devices, which the commission noted combine "both antiquated software and newly generated hardware and software."
Among the panel's recommendations was closer collaboration between the private sector and government agencies such as the National Institute of Standards and Technology (NIST) to develop a cyber-security roadmap. The framework should focus on shielding network infrastructure against denial-of-service attacks, spoofing and other malware attacks, the panel said.
The cyber-security report was released by NIST, which among other responsibilities develops U.S. cyber-security standards. Thomas Donilon, former national security adviser to President Obama, and Samuel Palmisano, retired CEO of IBM Corp. (NYSE: IBM), led the cyber commission. Executives from Microsoft Research (NASDAQ: MSFT), MasterCard (NYSE: MA) and Uber also served on the panel.
Meanwhile, proponents of multi-factor authentication techniques note that stolen passwords are a frequent route used by hackers to penetrate networks. They emphasized the report's conclusion that "reliance on passwords presents a tempting target for malicious actors."
Hence, security vendors argue, the username-and-password security model needs to be replaced with "strong identity management." Increasingly, cloud and IT vendors are adopting multi-factor authentication, in which user access is granted only after presenting identity credentials from separate sources. Cloud vendors such as Amazon Web Services (NASDAQ: AMZN) describe the approach as "an extra layer of protection on top of your user name and password."
A standard authentication technique used by companies such as Apple (NASDAQ: AAPL) involves sending a one-time passcode to a legitimate user's mobile phone.
Authentication vendors also seized on several commission recommendations calling for federal agencies to employ strong authentication internally and among contractors. Authentication technologies also should be used in the delivery of Internet-based government services, the panel said.
Authentication vendors such as U.K.-based SecurEnvoy, developer of a "tokenless" security platform, assert that multi-factor authentication is no longer expensive or hard to implement.
Network security specialists go further, arguing that the use of multiple passwords represents an inconvenience to users as well as a productivity killer. Along with creating security risks, multiple passwords and the need to reset passwords and password managers increase the need for IT helpdesk intervention.
"Employees’ juggling multiple logins and the knock-on effect on security, productivity and the need for greater IT intervention is a problem for businesses," according to Lee Painter, CEO of enterprise network security vendor Hypersocket Software.
The vendor argues that passwords as a first line of defense won't go away anytime soon. Therefore, it promotes "single sign-on" software designed to store and manage passwords so users can log in to business applications in one click.