Selecting Two-Factor Systems for Cost Effectiveness

07/21/2011 | Ed Moyle

In preparation for next week's Enterprise Client Briefing, we wanted to highlight a recent blog post by IANS Faculty Ed Moyle. A leading authority on authentication, Ed will be addressing what organizations should consider as they evaluate their strategies, especially in light of the RSA breach, moving forward.

Please join Ed on July 27, 2011 at 2:00 pm ET as he discusses alternative authentication solutions and some of the economic factors organizations should keep in mind when evaluating a two-factor purchase:

Avoid "Low Entry, High Upkeep"

OK, so yesterday we were talking about two-factor authentication and the economic characteristics that make up total cost of ownership. What is appropriate for your particular situation will of course vary depending on a number of different factors: security requirements, business tolerance of particular technologies, etc. Point being: there's no "one size fits all". That being said, there are some things we can examine to help guide decision-making.

Greener grass?

So, given that, let's look at one of the mistakes folks commonly make when they look at the two-factor options available. Namely, the starting assumption that lowest cost to acquire means lowest cost of ownership. This is absolutely not the case, which we all seem to realize when it comes to daily life but many folks seem to magically forget when it comes time to look at authentication systems. Ask yourself: if it really was so much cheaper, why's everyone using the expensive option?

Point is, very often the systems that cost less to acquire tend to be on the high side when it comes to upkeep. Take certificates, for example. Digital (X.509) certificates can be used to log in to IPsec and as a client-side credential in an SSL session (i.e. stored by your browser). You could (hypothetically) use this as a second "what you have" factor for authentication. People do. Somewhat successfully in certain cases; wildly successfully in others. And certificates cost so little to issue that they might as well be free.

Consider certs

So why isn't everyone using certificates? Because they are, without question, one of the most expensive (if not the most expensive) authentication methods to maintain. Why? A few reasons:

  • Users don't know what a certificate is and need to be educated
  • Enrollment is hard, involving stuff users neither understand nor want to understand (e.g. CSRs, SCEP, etc.)
  • Validation is currently broken (CRLs are lame and cumbersome; OCSP is not universally supported by default by relying parties)
  • Certificates are often not portable across browsers or across clients (e.g. mail, IPsec clients)

Et cetera. You think your helpdesk is busy now? Try piloting certificates for a few days. You haven't seen busy until you have users who requested a certificate in Chrome, but the app they're trying to authenticate to only supports IE, and the key isn't exportable. Oh, and the cert they need for IPsec is different too. And so is the one they need for mail. Oh, and the five or six they need to have for these different purposes expire every year. And they can't authenticate from their BlackBerry.

Point is, if you just look at the cost to acquire each individual certificate, you miss the full pain that life with certificates could bring if you look to them to support every authentication use case. However, once you fully understand your own use case – for example, when you can fully manage the endpoint and take maintenance of the certificate out of the hands of users… well, then you open up opportunities for *real* cost savings. But more on that after the break…