Dr. Chris Edwards, Chief Technical Officer at Intercede
The consumerisation of IT has left many companies vulnerable and at risk of new security threats. With the emergence of the BYOD trend, businesses have opened the doors of their network to a host of potentially unauthenticated users. Security conscious companies have implemented identity and access management technology to protect their sensitive data at the end point – the device – and make sure the right person is accessing the right information. However, some businesses are still shying away from this approach because of the upfront costs of issuing and deploying physical smart cards and smart card readers. Instead they are sticking to using insecure passwords, despite the possible costs to the business of theft or loss of IP. Enterprise firms are looking for a more cost effective option to secure their data and devices, and virtual smart cards (VSCs) are the key.
The most effective technology approach for identity and access management today involves two factor authentication – ‘something I have’ (typically a physical smart card or security token) and ‘something I know’ (a PIN). The Microsoft Windows 8 release offers organisations the ability to implement two factor authentication, without the cost barrier. The release introduces the concept of VSCs, which emulate the functionality of traditional smart cards, but use the Trusted Platform Module (TPM) chip available on many organisations’ computers rather than requiring the use of a separate physical smart card and reader. Conventional smart cards and TPM virtual smart cards offer comparable levels of security, but TPM virtual smart cards can be deployed with no additional material cost, as long as employees have computers with built in TPMs. An Aberdeen Group report released in June 2012 found that US based companies employing a hardware-based root of trust show a cost advantage of more than $80 per end point per year.
While the technology exists within Windows 8 devices for this approach, identity credentials provisioned to virtual smartcards must also be managed throughout their lifecycle via software that enables the company to issue them to trusted employees, on known machines. Additionally, these credentials need to be recovered, renewed, revoked and reset when necessary, even if users get locked out or are offline.Credential recovery is also essential if machines are lost so that the individual can access relevant systems and email on an alternative machine.
Any credentials management solution should also link to a company’s in-house data stores and directories, such as the HR database, and apply secure business processes, so that firms are aware who can request and grant access to the network and who provides authorisation and collection. Furthermore, the proliferation of mobile devices has meant that the ability to support multiple platforms from Apple to Android and Blackberry is a crucial part of any mobile and credential management solution.
Two factor authentication should remain the cornerstone of any device security strategy for firms who want to avoid the hefty reputational, IP and Information Commissioner’s Office (ICO) fine costs associated with data loss or theft. Virtual smart cards will help businesses to overcome the cost barrier traditionally associated with this approach but the ability to manage mobile credentials effectively on the TPM is the key to delivering on its promise.