
Colin Campbell, IT Manager, Stroud & Swindon Building Society
To stay competitive in today’s dynamic global market, institutions of all sizes are providing employees with easy and cost-effective remote access to applications and resources. As demand for this functionality has increased, it has driven astounding advances in remote access technology. Businesses have moved from noisy 2400bps modems with unreliable connections, to expensive VPN access with poor throughput, and most recently to fast broadband connections using SSL VPNs (Secure Sockets Layer Virtual Private Networks). But no matter how remote access technologies have changed, one thing remains constant: to provide true security and auditability, an organization must be able to positively identify every user attempting to access the system.
Organizations now appreciate that SSL VPNs are cost effective and that there is no need to deploy or manage software clients for remote users. This adds great flexibility, as it enables people to work from hotels, coffee bars, and any other remote location. But the simple truth is that the very simplicity of access which organizations have embraced cannot be adequately protected by traditional static passwords: any hacker with a stolen username and password can sit at any computer that has a web browser and gain access to a business’s applications and resources.
With so much media focus on the damage that can be done when a network is compromised – the reputations that are damaged (or ruined), the identities that are stolen, the business that is lost – it is sometimes hard to understand the options. How can you ensure that the person you are providing data to is actually who they say they are, and not a hacker or fraudster?
“Just about every organization that I have ever visited in the past 10 years, including many Fortune 100 companies, has a high percentage of accounts with easily cracked passwords,” said Jason Hart, CEO, CRYPTOCard Europe, and a former ethical hacker for Ernst & Young. “The truth is that the sophistication of the increasing number of hackers who infiltrate company networks has far outstripped any advances in system security,” Hart continued. “As a former ethical hacker I can tell you that it is increasingly simple for unauthorized users to get hold of a user’s credentials, and this means that an SSL VPN or any other security solution that relies on static passwords to authenticate users is extremely vulnerable.”
Just by typing the word “login” into Google, a hacker can list a vast number of businesses that provide login portals for remote users. By simply visiting the site, a hacker can easily obtain a username from any listed email address, as the first part of the email address is usually the username. Alternatively, and just as simply, the illegal “user” can use Google to locate usernames. Statistically, a whopping 80% of the passwords that a hacker needs to guess are related to people’s interests and hobbies.
As unsuspecting users sit in a coffee bar and access the network, they can be oblivious to the fact that the person sitting at the table behind them isn’t just sipping a latte, but is actually making a note of all their passwords for the computer network, bank accounts, Hotmail accounts, and so on. All the hacker needs to do then is reuse the username and password that has been captured, and as far as the business is concerned the hacker is a trusted user.
And yet, despite numerous studies from firms such as Forrester Research stating that, given the ability to do so, over 60 percent of users continuously use the same one or two passwords, the vast majority of businesses using technologies like SSL VPNs continue to rely on static passwords. Making static passwords harder to guess is also prohibitively difficult in practice. Forcing users to come up with passwords that are hard to remember simply does not work, because humans are not good at remembering a random string of numbers and letters. In fact, Gartner research found that password reset requests and other user identity-related problems can account for an average of 30 percent of all help-desk calls.
A proven solution to this is Two-Factor Authentication (2FA), which works in the same way that one ‘authenticates’ to a banking machine: you use something only you have (your unique bank card) and something only you know (your secret PIN) to identify yourself to the system. 2FA provides the same solution in the networked world. The ‘something only you have’ is a password-generating authenticator or token; the ‘something only you know’ is, again, a secret PIN. This secure method of authentication does what static passwords cannot: it gives you the confidence and peace of mind that a user logging on to the network really is who he or she claims to be, and not someone using a stolen, lost or shared password.
However, even the most cost-effective solution requires up-front expenditure, integration and ongoing management. Paying for licences and tokens can interrupt budgets and cash flows, not to mention the hardware and software requirements.
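To make the two factors concrete, here is an added example (not CRYPTOCard’s code; the article does not name the token algorithm, so it assumes a counter-based HOTP token per RFC 4226, and the `TokenRecord` and `verify` names are hypothetical). It shows the server side: the PIN is checked as the ‘something you know’, the one-time password proves possession of the token, a used counter can never be replayed, and repeated failures lock the token.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time password per RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenRecord:
    """Server-side state for one user's token (hypothetical schema constructed for this example)."""
    MAX_FAILURES = 5  # lock the token after this many consecutive bad attempts

    def __init__(self, secret: bytes, pin: str):
        self.secret = secret  # seed shared with the hardware/software token
        self.salt = os.urandom(16)
        self.pin_hash = self._hash_pin(pin)  # PIN is stored only as a salted hash
        self.counter = 0  # next counter value the server expects from the token
        self.failures = 0
        self.locked = False

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)


def verify(record: TokenRecord, pin: str, otp: str, lookahead: int = 5) -> bool:
    """Both factors must pass: the PIN (something you know) and a fresh OTP (something you have)."""
    if record.locked:
        return False
    # Evaluate both factors before deciding, so a failure does not reveal which one was wrong.
    pin_ok = hmac.compare_digest(record._hash_pin(pin), record.pin_hash)
    matched = None
    # Accept a small window of future counters so a token pressed without logging in resyncs,
    # but never an earlier counter: a captured OTP is useless once a later one has been used.
    for c in range(record.counter, record.counter + lookahead + 1):
        if hmac.compare_digest(hotp(record.secret, c), otp):
            matched = c
            break
    if not (pin_ok and matched is not None):
        record.failures += 1
        record.locked = record.failures >= TokenRecord.MAX_FAILURES
        return False
    record.counter = matched + 1  # burn this code and any skipped ones
    record.failures = 0
    return True
```

The PIN hash and token seed would live in the authentication server’s database; the user types PIN and OTP into the SSL VPN login form, which passes both to `verify`.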
“We have an increasing number of employees who work from remote locations, including cafés and clients’ premises,” said Tom Chambers, Financial Controller of UK-based Clifton Asset Management PLC. “Along with our security policy we have implemented a fully outsourced two-factor authentication solution from CRYPTOCard called CRYPTO-MAS, which ensures that our shareholders have peace of mind that our information and database assets are secured.”
This unique Managed Authentication Service (MAS) provided by CRYPTOCard requires no servers to purchase, no IT training and no network implementation, and simply eliminates these capital costs. The service is hosted and managed for you, taking away the complexity of security integration, maintenance and support while managing your authentication system and securing your organization.
A CRYPTO-MAS implementation can be carried out in just a few hours. The browser based management portal allows easy and simple administration to maintain and manage the service from anywhere and on the go. Assigning, revoking and configuring tokens, tracking logs, and reporting activity ensures you’re on track from anywhere, anytime... you can “Secure Your World.”
“The Managed Service was simple and easy to implement. From running a free-of-charge evaluation trial through to having the first users up and running took only a couple of weeks,” said Colin Campbell, IT Manager, Stroud & Swindon Building Society. “The set-up of the Managed Service using the Portal made it easy for us to allocate tokens to users, and so deployment times and resource requirements were kept to a minimum. From receiving the tokens to getting access to the internal systems could not have been an easier or more unobtrusive process,” said Campbell. “Our users have total confidence in the system and find it easier than having to decide on, and regularly change, the traditional static password system we were using.”