January 18, 2011, 10:36 AM — As organizations increase their reliance on cloud-based services and collaboration tools and open their networks to more users, the number of security breaches is on the rise. A new study by Forrester Research shows that more than half of the 306 companies surveyed (54%) reported a data breach in the previous year.
Even with the growing security threats, most enterprises continue to rely on the traditional username and password sign-on to verify a user's identity, rather than strong authentication, according to the study.
The report, "Enhancing Authentication to Secure the Open Enterprise," is based on a survey Forrester conducted late in 2010 on behalf of Symantec Corp. The vendor wanted to evaluate how enterprises are evolving their authentication and security practices in response to changing business and IT needs, as exemplified by cloud and software-as-a-service (SaaS) adoption, the business use of Web 2.0 services, and user mobility trends.
Password issues are the top access problem in the enterprise, according to the study. Policies on password composition, expiration, and lockout that are put in place to mitigate risk have become a major burden to users, impeding their ability to be productive. They also result in help desk costs due to forgotten passwords.
The Forrester study recommends that organizations implement strong authentication throughout the enterprise, not just for select applications.
Mauricio Angee, VP and information security manager at Mercantil Commercebank N.A., agrees that passwords have become a problem.
"Today, there is a high percentage of calls and service requests related to password resets in our environment," Angee says. "Two-factor authentication has been implemented for network sign-ons, in addition to the deployment of single-sign-on, which has helped us [reduce] the amount of password management."
The concern with passwords, Angee says, "is that we have given the user the responsibility to change passwords, remember long complex pass-phrases, secure PINs, carry tokens, etc. This is a practice that has proved to be a huge weakness to keep our environments secure, not to mention the huge challenge to information security professionals who have to enforce policies and maintain an expected level of security."