Passwords are getting a bit embarrassing. Companies are increasingly reluctant to admit that they only use weak password protection to prevent access to their corporate networks and resources. In fact, recent research commissioned by RSA, The Security Division of EMC, suggests that most corporates are starting to do the right thing. Up to 80 per cent of all new large-scale VPN installations are using two-factor protection including tokens, one-time passcodes and USB devices.
The research is based on interviews with 20 leading Secure Sockets Layer (SSL) and IPsec VPN vendors including Juniper, Check Point, Cisco, SonicWall and their distributors. This definite shift is being driven largely by increasing demand for anytime, anywhere access and the growth in wireless networks.
Yet when it comes to SMEs, who face exactly the same threats to their businesses from weak passwords, the message appears not to be getting through. As with most technology barriers, this probably comes down to cost, complexity and the ongoing hassle of supporting a 24x7 remote user community.
Some of this blame may lie with the reseller who, having made the sale of a nice VPN solution, doesn’t want to rock the boat by suggesting that it is not complete without two-factor authentication. The customer may also worry that it’s going to add more to the price and might be difficult to deploy and manage. With a token-based solution such as RSA SecurID, this means everything from despatching devices and rights administration to handling lost tokens or forgotten passwords.
Some customers might prefer a tokenless solution that provides a one-time password (OTP) on request to their mobile phone or PDA by SMS or email. This is ideal for occasional users, contractors and part-time staff and for checking web email from home, providing Extranet access to clients and partners, and sensitive on-line services such as banking, betting or retailing.
Whatever the preferred choice, two-factor authentication is now essential for all remote access projects. While it does add some complexity and management demands, one quick, simple and affordable alternative is to go for a fully managed, two-factor authentication service. This removes the hassle factors as well as the up-front capital cost.
In fact, this reflects an emerging trend by resellers toward using specialist MSSPs – Managed Security Service Providers – to deliver the complex bits of the security jigsaw that require specialist knowledge, infrastructure and support. As a bonus these services generate healthy recurring revenues for resellers and build closer relationships with their customers.
Managed authentication services make it easy and profitable for resellers to help their customers to eliminate weak passwords. They need to explain that relying on basic passwords to secure an SSL VPN system is like putting cheap tyres on a Ferrari – it might save you money and hassle in the short term, but you’ll lose control in the first rainstorm!