Single Network Identity: Holy Grail or Nightmare?
Network managers are well familiar with the chaos multiple passwords and identities can cause with harried user communities. When is a single identity across the network more menace than refuge?
Is there a better way to keep track of them all? What if I only needed to memorize one password or even better, use a special card that would tell the computer how to access all of my accounts. The technology to allow a single network identity or ?single signon? already exists today. For some it is the holy grail of network security. For others it can be a nightmare. Imagine if your network identity was appropriated or stolen. It can potentially cost thousands of dollars and months of effort to clear your name. Is single network identity a good idea in this age of network security breaches and ID fraud?
What is single network identity?
The old computer geek joke "on the Internet nobody knows you are a dog" is an apt description of account and network identity information. How do computers "know" you are who you say you are? For decades, computers have recognized who uses them with user login accounts and passwords. There are two parts to the recognition process. First, the system administrator must grant you authorization or access to the system by creating an account with a username and an associated password. UNIX systems store the information in a text file unimaginatively named /etc/passwd. Once the account exists, the system must authenticate you when you access it. Jim Johnson, a systems administrator formerly at University of Pennsylvania writes, "Authentication answers the questions 'Who am I?' and 'Who am I talking to?', While authorization answers the questions 'Do I have access to this server?' and 'What are my access privileges?"
The overall theory of single sign-on is that you have one network identity for access to all of your various networked systems and accounts. Johnson continues, "Single Sign-on represents the concept that a computer user can be authenticated once during a session. Any systems or networks connected to the security database would check to determine privileges, with no need for any further interruptions or passwords." This would theoretically mean that you could have the same password for all your on-line access requirements. For example at work, you would login once in the morning and not worry about how to access your files. Sounds great, I can never remember where all my files are located anyway. Before you commit too hastily, think of this alternate scenario, you could also have the same password for your on-line bank account, 401k plan, and your home network. Whoa, this sounds dangerous to me! What happens if someone takes over my identity?
As long as there have been computers and computer login accounts, the potential has existed for people to steal identities or harm data. Of course, pre-Internet it was much more difficult to access computer systems. Unless you had a dialup modem connection, which was expensive and very slow, the only way to break into a computer was to sit at a terminal or console that was directly attached to the machine. Government agencies still use limited physical access or "air gap security" as an effective means of maintaining their computer and data integrity.
In the new hyper-security conscious world, does single network identity security still make sense? The answer is yes and no. When you think about it, all networks are ultimately insecure. Security professionals are all paranoid, that is their job. For the rest of us, it is a matter of how much risk can we tolerate. If someone steals your wallet with all your credit cards, it can be a very traumatic experience. If you forget to pick up the change at a newsstand, you're likely not terribly concerned about the loss. Think of computer and network security in the same way. If your Yahoo! e-mail account gets spammed, that is just part of using a relatively public address. If your credit card information is appropriated after you have made a secure purchase on Amazon, you'll be justifiably upset.
Single network identity does make sense in the workplace environment, where the IT department must keep track of literally thousands of people and machines. Having a system that allows staff to log in with one account name and one password inside a corporate firewall, where the users are protected by the security systems maintained by the corporate IT department, can be very cost effective. More importantly, the vulnerable data is not personal information, but company property. The company is balancing the risks of compromising important company records and the costs of maintaining thousands of accounts.
David Lavenda, Vice President of Marketing & Product Strategy at Business Layers Inc., remarks, "Network security is not only about pulling the plug when employees leave but limiting the access while they are in the company. In today's volatile business environment, departments and teams are built and changed constantly." Their product, eProvision, allocates appropriate resources to employees based on business rule sets. The digital identities stay with the employee as they move through the company. If (or when)people leave a company, they are securely and systematically disconnected from all resources - providing companies with an added level of security. Business Layers in Rochelle Park, N.J. and Cupertino, Calif.-based Oblix, Inc. are just two of a number of companies who sell comprehensive network identity products, mostly to larger enterprises.
"Universities are another case where the interest in single sign-on technology is high. Because of their limited resources and the huge amount of account turnover, they are attracted to self-serve account administration. The burden is on the student customer to get the account information correct," says Lavenda.
In general, the consensus among the experts seems to be for individual accounts that single network identity is just too risky. The June 17, 2002 Scientific American article "Who's Who, Can digital technology really prevent identity theft" suggests "Instead of spending more resources on a holy grail of perfect identification, governments and businesses should accept that ID failures will occur and make reporting identity fraud as easy as reporting a single lost or stolen credit card. For personal computer access stay with more limited forms of identification -- each suited to a small range of transactionsthis might turn out to be more cost-effective and secure than a single overarching digital persona."
Beth Cohen is president of Luth Computer Inc., a consulting practice specializing in IT infrastructure for smaller companies. She is currently writing a book about IT for the small enterprise and pursuing an Information Age MBA from Bentley College.
This article was first published on CrossNodes, an internet.com site.
By Drew Robb
July 15, 2002
While external attacks are serious enough, the threat posed by one's own employees -- whether intentional or inadvertent -- can often be much worse. But a number of software management tools can help overburdened IT staffs reduce network vulnerabilities.