Passwords have been a weakness of network security since the development of computer networks. Whether by guessing weak passwords, exploiting them, acquiring them through social engineering, or, more recently, using malicious software such as Advanced Persistent Threats (APT), attackers have focused on compromising passwords to gain access to the network.
The traditional approach to defending against password attacks has focused on user awareness training, ever-increasing password complexity requirements, certificate-based authentication, and multi-factor authentication. Defenses that rely on the user are often undermined by apathy, user non-compliance, and a lack of enforcement of company policies, which render them ineffective.
Two-factor authentication technologies have suffered from poor adoption because of high costs, resistance from the user community, and in some cases, vulnerabilities in the two-factor technology that attackers can exploit. Current trends in APT malware have targeted both password collection and two-factor authentication, which have further reduced their effectiveness.
Further complicating the job of protecting the network is an explosion in mobile devices requiring access anywhere, and a strong focus on international business. The days of having a contained network that only uses company-managed devices on secured networks are largely over. Today's network is global, persistent across devices, and must be available to the user from any device at any location. If the organization does not provide this capability, in most cases the user will work around the organization.
Defending user access to network resources in today's information requires a defense-in-depth approach that consists of understanding the company's risk tolerance, understanding the company's user base, and deploying technology solutions that align with the users and the business.
The first step in developing an effective defense is to understand how the company uses the network and what the expectations for usage are. This requires the network architect to go beyond what is written in the policy documents and observe what users are actually doing. An effective way to identify this is to meet with non-IT business staff and discuss how they use technology. Additionally, walking around business locations can provide great insight into how people are using technology. Many IT departments that have "banned" mobile devices or remote access from home are surprised to find that users bring their own devices in spite of policies.
Understanding how employees use technology to do their jobs is also essential. The requirements of a sales department may be very different from those of a data entry clerk. Manufacturing personnel may already be using unapproved devices because of their tendency to solve technical problems and get the job done.
Finally, understanding the culture of the organization will help determine what technology is acceptable. Are the users free-roaming creative professionals who stress art over function? Are they very conservative and professional? Each of these could drive very different solutions. At the end of the day, if users do not accept the technology, they will find ways around it.