Q&A: Chris Harget, ActivIdentity

ActivIdentity is a global leader in secure identity solutions, enabling customers to establish trust in online activities. Over 2,500 enterprise, online banking and government organisations rely on ActivIdentity’s authentication and credential management solutions to meet their security and compliance requirements. ActivIdentity was founded in 1987 and is headquartered in Silicon Valley, California. As of December 2010, ActivIdentity is part of HID Global, an ASSA ABLOY Group brand. We spoke to Chris Harget, Senior Product Manager at ActivIdentity, to find out more about the types of solutions used to confidently establish a person’s identity for digital interactions, also known as logical access control.

What exactly is strong authentication, why is it important and who needs it?

Strong authentication uses multiple trusted factors simultaneously to prove the identity of a person seeking access to data, a network or physical site. By employing diverse factors, the odds of unauthorised access can be reduced by an order of magnitude or more. The most common strong authentication factors are passwords (something you know) combined with digital certificates stored on a token or smart card (something you have).

Even if a password has been stolen, it is useless without the digital certificates on a smart card, which can only be released by a secure PIN. Occasionally organisations will rely on a third factor such as fingerprints (something you are). Given the widespread acknowledgement that static passwords alone are insufficient to secure data, strong authentication is increasingly recognised as necessary for all enterprises. Experts observe that for publicly traded companies, the CFO has a fiduciary responsibility to shareholders to take reasonable measures to protect data and strategic corporate resources.

So really, you’re just another password and security token firm?

…and Michelangelo was just another painter. ActivIdentity is the world’s leading provider of employee smart card credential management systems. ActivIdentity users have issued more than 30 million credentials. ActivIdentity is the first and only vendor to deliver a CMS Appliance, allowing a 30-minute install and provisioning of smart cards immediately thereafter. This makes military-strength smart cards easy to own, and so much more affordable, that it is dramatically expanding the number of organisations that can take advantage of the best strong authentication. ActivIdentity also provides the widest range of authentication solutions, to provide the optimal mix of security, cost and convenience for your business.

What are the typical problems that organisations have with managing their security credentials, and what does it cost them?

Previously, organisations either used static passwords, which were cheap but easily stolen or cracked, or they used one-time password (OTP) tokens, which required manually keying in dynamic PINs, and some users complained. OTP tokens have batteries which last 5-8 years (although vendors such as RSA force replacement of their proprietary tokens after only 3 years).

Replacement of OTP tokens involved much administration. Smart cards can double as identity badges for entrance into the building, strong authentication into Windows, and strong remote authentication. The security processes of creating and issuing credentials to cards, managing cards, and revoking credentials from cards are cumbersome without credential management software. Therefore, previously, only heavily regulated organisations or very large enterprises were likely to use smart cards. With CMS Appliances, smart cards are now arguably easier to own than OTP tokens.

You’ve been active in the US for some time. What differences do you see in the state of the security market over here, and in UK organisations’ preparedness?

Over the past twenty plus years we’ve discovered security issues are relatively similar across the globe. The US government has set very clear standards for personal identity verification (PIV) smart cards, which are mandated for government agencies, and encouraged for government contractors. This has led to some sizeable smart card deployments in large enterprises.

However, the UK government and major police forces are using similar public key infrastructure (PKI) smart cards and we expect a similar progression. Cybercriminals operate globally, so the threat environments are quite similar. In both countries most enterprises are still overly reliant on static passwords, which have long since been proven insufficient. Verizon Business’ 2010 Data Breach Investigations Report found that almost half of all data breaches exploited stolen or weak credentials, which could be almost entirely eliminated with strong authentication.

How big does a business need to be before it makes sense to invest in strong authentication? What industries can benefit most from it?

Strong authentication is available today for businesses of all sizes, and it makes sense to invest now. For sub-100-employee organisations, OTP tokens and remote authentication server software can be had for reasonable sums (typically less than £45/employee). For organisations with just a few hundred employees, full smart card solutions, including appliance, cards and readers (or smart USB keys) and optional middleware can be had starting at around £80/employee (depending on how many users amortise the appliance). All industries benefit from good data security, but any industry that handles financial information, medical information, credit cards, and such probably carries additional data protection regulations and expectations.

Where do the most dangerous threats come from?

The most dangerous threats come from insiders, because most organisations are poorly equipped to inhibit password theft by insiders. Stolen credentials are the most useful to hackers because they ‘look like they belong.’ However, zero-day spyware keystroke loggers, sophisticated phishing attacks, password reuse, public WLANs, and brute force dictionary attacks can all quickly compromise static passwords. One quick solution, strong authentication, prevents almost all of these threats from compromising data and networks.

What are the next big security threats that businesses should be aware of? What keeps you awake at night?

This is an interesting question because exotic, menacing-sounding threats get a disproportionate amount of ink in the media, given their statistical irrelevance compared to good old-fashioned credential theft. A great example is man-in-the-middle attacks. They sound very alarming, but if you look at Verizon Business’ 2010 Data Breach Investigations Report, man-in-the-middle attacks were only used in 2% of the breaches, whereas stolen or weak credentials were exploited in about 50% of the breaches. That means enterprises will get 25x more risk mitigation bang for the buck by deploying strong authentication than if they attempt to deploy something to address the exotic new threat.

We would really like to see enterprises roll out proven strong authentication solutions, preferably smart cards, because they cover Windows Login as well as remote authentication, as the most rational data protection measure available. That said, man-in-the-middle is more dangerous for some segments where the environment is predictable, such as consumer banking, and we do offer transaction-level security such as out-of-band SMS messages with a PIN for a particular-sized cash transaction, to ensure a compromised PC can’t act without the user’s explicit permission.

What about internal threats? Can ActivIdentity help organisations counter activity by malicious employees?

Internal threats are generally eternal. For Global 2000 companies, it should be assumed that organised crime, foreign agents, and disgruntled employees have already infiltrated, and the exercise is more about limiting exposure. Smaller companies face similar risks on a smaller scale. ActivIdentity can help a great deal. By requiring all employees to utilise smart cards to log in to their PCs, merely looking over a coworker’s shoulder is no longer enough to get access to their data. Further, strong authentication ensures well-intentioned users are not sharing accounts, and makes audit logging and user accountability greater. This visibility is a great deterrent to insider misbehaviour.

How do you achieve buy-in from staff when moving to strong authentication systems, and what education do organisations need to provide to ensure that these systems remain secure?

Most substantive IT decisions today require approval from a primarily financially-oriented executive. It helps to use concepts and metaphors with which these executives are most comfortable. It is not about encryption key strength, or PKI standards, or explaining the theoretical underpinnings behind zero-day attacks. It is about risk management. Quantify the risk and the solution cost and explain the proposal as a form of insurance for risk mitigation. There are numerous studies quantifying the cost of data breaches to organisations of varying sizes. There may be personal liability for some executives as well. Offset that with the per-employee cost, and the risk-benefit calculation is typically quite compelling.

As to changing hearts and minds within your user base to drive more responsible behaviour, the good news is that smart cards are probably easier than what your users are already doing. Smart cards feel like familiar ATM cards. Insert the card, input a PIN, and you’re in. Smart cards are often faster than inputting username and password. Further, smart cards integrate elegantly with SecureLogin Single Sign On, meaning one login gains secure access to all applications, portals, directories, and such throughout the day. Users appreciate that very much. ActivIdentity also provides a self-help utility for cases when the user’s card is not present, which ensures they will stay productive and preserves the IT team’s time as well.

Christian Harris is editor and publisher of BCW. Christian has over 20 years' publishing experience and in that time has contributed to most major IT magazines and Web sites in the UK. He launched BCW in 2009 as he felt there was a need for honest and personal commentary on a wide range of business computing issues. Christian has a BA (Hons) in Publishing from the London College of Communication.