Security that makes sense

As the government talks about the need to reduce costs and optimise efficiencies, the requirement to ensure that government IT infrastructures, services and applications are secure remains. This is particularly important as some government departments, in an attempt to save costs, are closing or planning to close some of their offices and increasing their number of remote workers. In the name of cost, many are also looking towards new technologies such as the use and development of G-cloud services and facilities.

Security compliance
A case in point on the evolution in ways of working and the adoption of technologies lies within local government. With efforts to improve access to information across various departments, the Government Connect Secure Extranet (GCSX) was born; with that, however, the need for securing user access became apparent. Hence the Code of Connection (CoCo) guidelines came about, specifying that, in order to be compliant with data security requirements for remote workers, two-factor authentication had to be used.
    
Two-factor authentication is the means by which an organisation can ensure that its users really are who they say they are. It does away with traditional static passwords and related password policies and replaces them with two forms of user identification: a PIN, which is known only to the user, and a token, such as a keyfob, which in conjunction with the PIN produces a password that is valid for one use only. According to research undertaken by Tudor Rose and published by Bloor Research, within the local government sector the two main providers of these solutions are RSA, with 37 per cent of the market, and CRYPTOCard, with 24 per cent.
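
The PIN-plus-token scheme described above, as an added example that is not code from the original article or from any vendor's product: the token code is computed with the HOTP algorithm of RFC 4226, and the server-side verifier assumed here tolerates a small counter drift and refuses a code that has already been used. The seed is the RFC 4226 test seed; the PIN and the look-ahead window are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed example: a token seed provisioned to one user, and the PIN only
# that user knows. Real tokens keep the seed inside tamper-resistant hardware.
TOKEN_SEED = bytes.fromhex("3132333435363738393031323334353637383930")  # RFC 4226 test seed
USER_PIN = "4711"  # constructed value


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Event-based one-time code (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def token_passcode(pin: str, seed: bytes, counter: int) -> str:
    """What the user types: the PIN (something they know) followed by the token code (something they have)."""
    return pin + hotp(seed, counter)


class Verifier:
    """Server side: checks PIN and code, tolerates a small counter drift, never accepts a code twice."""

    def __init__(self, pin: str, seed: bytes, window: int = 5):
        self.pin = pin
        self.seed = seed
        self.counter = 0      # next counter value the server expects
        self.window = window  # look-ahead for token presses that never reached the server

    def verify(self, passcode: str) -> bool:
        if len(passcode) < len(self.pin) + 6:
            return False
        pin, code = passcode[:len(self.pin)], passcode[len(self.pin):]
        if not hmac.compare_digest(pin, self.pin):
            return False
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(code, hotp(self.seed, c)):
                self.counter = c + 1  # advance past the used value: replaying this code now fails
                return True
        return False
```

A PIN captured with a valid passcode buys an attacker nothing on its own, because the code half is consumed on first use; this is the property the text calls "valid for one use only".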

CoCo compliance
The same research has concluded that 91 per cent of local government organisations have adopted two-factor authentication as part of their CoCo compliance, a positive approach that may have contributed to the reduction in breaches caused by unauthorised access to information. Of the 1,007 security breaches reported to the Information Commissioner's Office up to May 2010, only 132 involved local authorities, and even then the breach was most often due to the loss or theft of portable computing and media devices.
    
Looking at the wider public sector, however, data security remains a hot topic. With technology developments looking towards the G-cloud, the list of solutions that would be available in the cloud is being met with high levels of interest, not least because of one of the most popular cloud features – cost effectiveness. All that said, before cloud can be fully embraced, one aspect that remains paramount among the things to consider is security.
    
With many cloud applications still requiring only usernames and passwords as their frontline security, the question needs to be asked: is that really enough to protect the access points of a cloud solution which has been entrusted to hold sensitive data? It is hard enough protecting in-house systems, and the perception of letting a third party look after your virtual assets is that the risk is decidedly higher. However, there is a parallel question that must also be considered: which is the higher cost – living with the risk of a breach, or investing in a solution which mitigates that risk?

The user
Coupled with that is the continued reliance on the users themselves to be password-responsible. The usual requirements are that each user has a unique password, changed every 60-90 days and made up of certain character combinations – a standard password policy. However, while these policies are common, the behaviour of users is changing, and this change has come about as the web and its applications continue to grow and develop.
    
As users access business and personal applications for data hosted in the cloud – whether at home or at work – the line between the two worlds is fading fast. The fact is that where a user has a 5ecr3t Passw0rd for their Yahoo! account, there is a higher chance than ever that the same password is the one with which they access their business applications – and business clouds. Needless to say, the risk of identity theft and fraud is higher than ever before, as hackers today value the password above all else as the easiest and most effective way of breaching network security.
    
This in turn comes directly back to the question of whether passwords are enough to protect access to the cloud. That said, it does not mean government organisations need to shy away from utilising and developing G-cloud solutions. It just means that, in order to help mitigate the many risks faced in IT security today, G-cloud developers and users should perhaps take a leaf out of the CoCo book and consider stronger forms of security such as two-factor authentication.

About the Author
Jason Hart is Senior Vice-President for Europe, and joined CRYPTOCard as part of the March 2006 management buy-in which saw the merger of CRYPTOCard and WhiteHat Consulting Ltd.
    
Jason brings more than 17 years of information security experience to the business. With a background in ethical hacking, Jason brings a unique perspective to the CRYPTOCard organisation.
    
Prior to CRYPTOCard, Jason served as CEO of the information security services organisation, WhiteHat, where he was responsible for strategic and business development activities. WhiteHat grew to provide a full range of positive identification solutions, in a variety of formats for all types of organisations.
    
Prior to WhiteHat, Jason held senior positions within a number of organisations, including Ernst & Young's Information Security Assurance and Advisory Services practice. Jason has created and developed entire security frameworks as well as an Information Security Assessment Methodology. Clients have included the NHS, government and a large number of FTSE 100 organisations.
    
Jason holds a degree in Micro Electronics and is CISSP and CISM certified. Noted as a leading figure within the information security industry, Jason often speaks at security events around the world, advising individuals and organisations on the information security threats that exist.
