Managed Authentication Offers Password-Policy Options

When it comes to password policies, organizations may choose to use static passwords or strong authentication.

The former relies on users to create passwords, which are often easy to crack or end up scribbled on a piece of paper. The latter method, exemplified by two-factor authentication, provides greater security but requires the adopter to build and manage an authentication system. That system includes an authentication server and tokens that generate one-time passwords. The authentication system may also call for redundancy to ensure availability. And, of course, IT personnel must be assigned to administer the system.

Vendors selling managed authentication services, however, offer a third choice for password management: have a third-party company take over the chore of running a two-factor authentication system.

DC Energy's Experience

DC Energy, a proprietary trading firm that invests in energy markets, opted for the managed approach. The company, which employs about 50 people, was looking for a better way to secure VPN (virtual private network) access. "For years, we did what all small companies do: have a password policy and try to enforce strong passwords," recalled Ware Adams, managing director of DC Energy.

But DC Energy could never be certain remote users weren't taking the password-on-a-Post-it route. The company decided that two-factor authentication was the way to go and initially pursued authentication as an in-house solution. According to Adams, the company set up a trial version of CRYPTOCard Inc.'s CRYPTO-Shield two-factor authentication solution. "It worked as advertised," Adams said. "But the main hurdle for use was, given that this [authentication system] is absolutely critical to our functioning, installing it would have required multiple redundant servers."

In addition to its main office facility, DC Energy operates two redundant datacenters, which would have needed the extra servers. The hardware requirements, administration, and the necessity of learning CRYPTOCard technology created a barrier in the path of deployment, Adams said.

Against this backdrop, Pegasus Technologies, a security specialist firm that helped with DC Energy's authentication pilot, introduced the company to CRYPTOCard's CRYPTO-MAS (Managed Authentication Service). The service was launched in 2007. "It took all of the hardware administration out of our hands," Adams said of CRYPTO-MAS.

Reducing the Burden

Industry executives view this offloading of management chores as a key driver for managed authentication services. The hosted model "reduces the amount of administrative burden," said Mark Diodati, senior analyst with the Burton Group. "We are definitely seeing increased growth in this market."

The reduction in management responsibilities frees IT personnel to work on more meaningful tasks, noted Bill Laham, CRYPTOCard's senior vice president of North America and products. He added that password management is probably not the best use of skilled workers.

Dan Cirelli, director of managed services at Alliant Technologies LLC, an IT-services firm, said managed-service customers can avoid having to staff a 24/7 help desk for token reset and resynchronization. An organization would otherwise need one employee per shift on the round-the-clock help desk, plus extra staffing to cover vacations, for a total of 4 FTEs (full-time equivalents).
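To make concrete what the "tokens that generate one-time passwords" above do, and what a help-desk token resynchronization involves, here is an added example (not code from the article, CRYPTOCard or RSA) of an event-based OTP token and its server-side record using the HOTP algorithm from RFC 4226. The secret is RFC 4226's published test secret and the counters are constructed sample values; a real service would keep a per-user secret in protected storage.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenRecord:
    """Server-side state for one hardware token (constructed illustration)."""

    def __init__(self, secret: bytes, counter: int = 0, look_ahead: int = 3):
        self.secret = secret
        self.counter = counter        # next counter value the server expects
        self.look_ahead = look_ahead  # tolerated unused presses on the token

    def verify(self, code: str) -> bool:
        """Normal login: accept a code within the look-ahead window and move the
        counter past it, so the same code can never be replayed."""
        for cand in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, cand), code):
                self.counter = cand + 1
                return True
        return False

    def resync(self, code1: str, code2: str, window: int = 100) -> bool:
        """Help-desk resynchronization: the token has drifted past the look-ahead
        window, so two consecutive codes are required before a much wider
        search is allowed to re-anchor the server counter."""
        for cand in range(self.counter, self.counter + window):
            if hmac.compare_digest(hotp(self.secret, cand), code1) and \
               hmac.compare_digest(hotp(self.secret, cand + 1), code2):
                self.counter = cand + 2
                return True
        return False


# RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
SAMPLE_SECRET = b"12345678901234567890"
```

With `look_ahead=3`, a token pressed three extra times still logs in, but one that drifted eight presses ahead is rejected until a two-code resync re-anchors the counter.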

Alliant's Drawbridge Managed Authentication Service provides equipment, staffing and other resources for the implementation and administration of RSA Security products such as SecurID tokens, according to the company.

Cirelli noted that customers need not maintain a secondary site, as the Drawbridge service includes disaster recovery. Organizations are also off the hook when it comes to training and certifying an IT staff member in RSA's Authentication Manager, the management component of a SecurID solution. "You don't need anyone on your premises that needs to know about Authentication Manager," he said, noting that an annual week of training is required to maintain certification in Authentication Manager administration.

Managed authentication may also make it easier for organizations to meet security-compliance directives. The Payment Card Industry Data Security Standard requirement 8.3, for example, calls for the implementation of two-factor authentication for remote access.

One thing managed authentication typically doesn't provide, though, is significant cost reduction versus in-house deployment, according to some observers. Over time, the hosted solution costs slightly more than the do-it-yourself alternative, Adams said.

Laham agreed that a managed service is more expensive, if one looks strictly at the bits and pieces of a solution without considering labor costs. But he noted that improved IT-staff utilization compensates for any additional expense. "There's no such thing as an IT staff that has extra time on their hands," Laham said.

Market Players

Two customer categories tend to gravitate toward managed services: small organizations lacking the staff to manage authentication and big companies hoping to outsource a significant management chore.

Cirelli pointed to customers with fewer than 500 token users as an example of the first market. Such organizations don't run 24/7 help desks and don't have experience with Authentication Manager, he noted.

Enterprises that want out of the ongoing task of ordering and distributing potentially thousands of tokens represent another market. Customers have 10 to 12 decent-sized vendors to select from in this space, according to Diodati. That vendor roster includes managed-authentication-service companies, but Diodati also pointed to authentication-as-a-service providers as market participants.