With time, trends come full circle. Security is only as good as the tools you deploy, and insuring that they are properly used. Why has the user again become the bane of the enterprise network administrator (if they really ever stopped)?
The enterprise user is where all the efforts of the enterprise network administrator are either successfully implemented or is completely negated. Diligence by the enterprise network administrator has increased security ten fold, yet the user can unintentionally circumvent all that. Programs installed by the user can either bring in viri or trojans, or simple help give hackers a way in or out of the network or devices like the USB keys with storage space. Enterprise users can unintentionally do as much if not more damage to a network then a determined hacker.
Security dictates that passwords be different (to prevent one comprise cascading to the others causing a total security breach) for each application. In an example an enterprise network administrator has made complex (complex being a mixture of capitals, numbers and other letters like an exclamation “!”) passwords mandatory on all network resources, and these passwords must also be changed at intervals short enough to prevent them becoming cracked / brute forced. A major challenge being the time frame for each applications password renewal, I myself as security professional can at times feel burdened with all the passwords that I must remember to function everyday.
A normal day for me just from the password standpoint each one being different from the others:
Work process that require a password:
Badge in the building
Login to laptop
Login to email
Expense report system
Travel booking website
Phone calling card
Conference call line
Human resources website
Team web calendar
Department intranet site
Internal training website
Electronic time card
Personal processes that require a password in the same day:
Other creditors and or online bill paying website
To add insult to injury administrators can also configure these applications to prevent password recycling (where you use a previous password again). This has lead many an enterprise user to secretly (or prominently) writing down their passwords. This leads to the full circle of trends, and this totally negates the purpose if the password being secret.
So what?s the answer? No passwords? Little mini super secret notepads you hide in your underwear? If your IT dept has the money to get a single sign on, does it work? Most of the people that I talk to and all the places I have seen single sign on implemented don?t like it/nor does it work. Poor implementation at this level is due to the single sign on uses some type of plug in for the applications, services packs and system setup is cost on top of the application it?s self.
What we need is an ISO Standard for passwords that all vendors must adhere to, and a set up API calls with the auth sitting in protected memory until being wiped or deleted for a new users to log in. This way those applications can look at your original authentication for rights to launch the app. This of course leads to how well the operating system can handle these protected memory space. Windows .NET or what ever it?s called will let us know how close we come. If Windows CE is supposed to out sell desktop licenses in the next five years, what does that do for security?
And the pendulum swings. Security is a concept, an unobtainable goal. You never have a secure computer network, just one with security features.