A newly released survey of around 100 IT resellers, conducted by UBM for SafeNet, a data protection vendor, found the industry understandably spooked by the events of 2012 and looking for more sophisticated authentication procedures for 2012.
"The State of Authentication" (which can be downloaded here) paints a grim picture of anxiety levels among clients of the vendors surveyed. It's hardly surprising that over 50 percent are more concerned about breaches than they were a year ago. As discussed before in this space, some enterprises are being repeatedly hit by precisely targeted persistent threats. High-profile targets, according to some analysts, can be divided into those who know they've been hit, and those yet to find out.
Inappropriate data access (presumably incorporating advanced persistent threats) leads the field of problems reported by clients. Other major headaches include phishing, malicious code attacks, and -- at a less sophisticated level -- plain, old-fashioned device loss. Again, more than half the resellers' customers reported each of these problems.
More positively, clients (over 70 percent) seem keen to get to grips with new authentication solutions. They are interested in doing more than just making passwords longer and hoping for the best. Nevertheless, there seems to be confusion about just what type of procedure might constitute an improvement.
According to the resellers, their markets are fairly evenly divided in their interest in software authentication, secure browser solutions, and certificate-based authentication, with knowledge-based and biometric solutions lagging somewhat behind.
What we're witnessing, of course, is a lack of leadership from the security community, which is deeply and sincerely concerned by the current vulnerability of cyberspace, but hesitant to place all its chips on another solution -- like antivirus shields or SSL certificates -- which may prove porous.
For all the market's interest in software authentication, that seems to remain a challenge as much as a solution. We've recently witnessed a systemic failure of the third-party certificates that are intended to authenticate online identities. Secure browsers essentially sandbox any processes that start to run, protecting the rest of the system.
This can be done by running a virtual secure browser within Windows, or by leveraging a browser that uses an entirely different operating system: If you're not even using Windows, the theory goes, the bad guys will pass you by, looking for lower-hanging fruit. The problem is that the more enterprises adopt secure browsers, the more incentive there will be to develop methods for hacking them.
The best advice for both vendors and clients seems to be the adoption of layered security systems with as many elements as possible. This won't mean impregnable systems; it will mean systems that are too secure to be worth breaching, given all the unprotected systems out there.
Unfortunately, the customers of vendors interviewed in this survey place extremely high importance on factors like ease of deployment and management, low cost, user friendliness, and interoperability with existing systems. All of these concerns seem to suggest that security should be kept as dumbed down as possible.
— Kim Davis, Community Editor, Internet Evolution