With an ever increasing number of users wanting to access an ever increasing number of company applications, from an ever increasing number of endpoints, secure access has become a critically important issue.
Couple that with a growth in pressure on companies to conform to standards such as those from the Payment Card Industry (PCI) and the Information Commissioner’s Office (ICO), then it’s not surprising that there has been a strong growth in 2-factor authentication, which involves a one-time password (OTP) on a hardware or software token, plus a PIN.
Another trend over the last couple of years has been towards hosted services, also known as cloud computing. According to The Information Security Breaches Survey 2010, over three quarters of the organisations polled used externally hosted solutions for some part of their business.
Put these two together, and it’s easy to see why hosted authentication or strong authentication as a service is growing in popularity.
Hosted authentication is a cloud-based service where two-factor, strong authentication is provided by an outside supplier instead of being done in-house. Gartner in the research paper ‘On the Verge: Strong Authentication as a Service’ published June 2010, described the strong authentication as a service market as ‘burgeoning’.
Gary Marsden, vice president of managed services at CRYPTOCard, a leading provider of strong authentication solutions, predicted that ‘hosted’ would generate half of the company’s new sales by the end of the 2010. He commented: “Two years ago lots of people were looking at [hosted 2FA] trials and it was mainly SMEs adopting. This year we have seen large enterprises take it seriously.”
Why hosted authentication?
While recognising the need to improve their access security, some companies don’t have the desire, or the expertise, or the extra finance necessary to implement and manage a two-factor authentication system themselves.
A hosted solution means there is no up front investment, no servers to buy, no extensive training, no network implementation or complicated integration and no heavy ongoing cost in managing the solution and associated infrastructure. In times of financial uncertainty, paying a fixed sum on a regular basis to a third party can be seen as an advantage.
Benefits of hosted authentication
* Instant and easier implementation
Hosted authentication takes all the complexity out of implementation and can be typically carried out in just a few hours, compared to several days for a traditional server based solution.
* Easier ongoing support
A high percentage of help desk calls are related to password and authentication problems. Hosted authentication provides for easier ongoing support, freeing helpdesk staff and system administrators to focus on other more urgent matters.
* No special skills
The adoption of in-house authentication may mean hiring qualified staff to install and manage the system, or training of existing staff, but hosted authentication is managed by experts, so no special skills are needed.
* Lower total cost of ownership
A combination of factors including not having to hire extra staff or train existing staff, instant and easier implementation, less help desk calls, less time spent on token logistics and less security incidents can result in a lower total cost of ownership for hosted authentication.
Hosted services are easily scalable to accommodate more users or more diverse access to networks.
How does it work?
How does a hosted authentication service work in practice and how does it provide the access security you need? As an example, we can look at what is provided by one of the market leaders CRYPTOCard.
The hosted service is accessible from anywhere via a standard web browser. When trying to connect to the corporate network over a VPN, for example, users are asked to identify themselves using their unique OTP and PIN. This request is then sent to the hosted service and the user is authorised and given access to the enterprise network.
The service provides the strongest two-factor authentication, and encryption algorithms as strong as AES 256. The OTP is as strong as eight character Base 64, the most secure type of password available.
A secure managed authentication portal lets users carry out all the administrative tasks associated with organising access and assigning tokens, without having to contact the supplier. Additionally, a service desk is available to give advice, answers, and assistance in planning, implementing, and managing the service.
A service level agreement can also be put in place to make sure a high level of service is provided. The cloud facility is hosted in a Class A data centre with high availability and redundancy.
The growth in 2-factor authentication and the move towards cloud computing, coupled with the increase in end points needing access to the company network and current financial insecurity, mean that hosted authentication is set to grow. It is likely to prove the best current option for many companies wanting to improve their access security.
By David Phillips, business development manager, Wick Hill