Token Security or Just Token Security? A Vanson Bourne report for Entrust

Transcription

1 Token Security or Just Token Security? A Vanson Bourne report for Entrust

2 Foreword In 2011, Entrust Inc., an identity-based security company, partnered with respected technology research firm Vanson Bourne to gain a stronger understanding on what security solutions enterprises are using to defend themselves from online breaches, fraud, digital identity theft and other Internet-related attacks in the UK. While traditional attack vectors have long posed problems for enterprises, the ubiquity of mobile devices is greatly increasing vulnerabilities. To defend against an evolving threat landscape, Entrust strongly recommends the use of a layered security strategy for all environments, verticals or industries. To help, Entrust s layered approach enables organisations to manage multiple authenticators and provides enterprises the ability to rapidly switch between them in the event of a breach. By providing strong authentication, physical and logical access, mobile device management and other credentialing services, Entrust offers organisations a single platform to defend against even the most sophisticated of attacks. Dave Rockvam General Manager Entrust Certificate Services & Chief Marketing Officer UK-based enterprises are evolving to stronger security solutions, but the survey found that there s still much room for improvement. Far too many organisations continue to rely on simple username-and-password defences that are simply too easy to circumvent. Further, those organisations that do deploy stronger authentication don t have the versatility to switch authenticators, in real time, in the unfortunate case of a breach. 2 Token Security or Just Token Security?

3 Contents Background 4 Research scope 4 Objectives 4 Introduction 5 A layered approach 6 Prevalence of token-based authentication 6 Security breaches 6 Alternative methods of authentication 7 How long does it take organisations to switch security methods? 8 Awareness of security 9 Why do organisations not have an alternative method of authentication? 9 How well informed is the CEO when it comes to security risks? 9 The importance and security of mobility 10 Security of mobile devices 11 Conclusions 12 3 Token Security or Just Token Security?

4 Background Research scope In autumn 2011, Entrust appointed specialist technology market research house Vanson Bourne to interview 100 senior IT decision-makers across the UK. All respondents came from enterprise-sized organisations; 50% of the respondents from organisations with 1,000-3,000 employees and 50% from organisations with more than 3,000 employees, split evenly across the following sectors: Financial services Manufacturing Retail, distribution and transport Government Other commercial While the 100 responses gives a robust analysis of how the enterprise community is behaving, the sector split delivers a narrower, more snapshot view of each vertical. Objectives There were three main objectives for this research: - First, to determine what UK enterprises use to defend themselves against breaches - Second, to expose just how many large organisations within the UK have experienced some form of security breach as a result of identity fraud - Third, to establish the importance of mobility, and whether or not UK enterprises are capable of securing mobile devices. 4 Token Security or Just Token Security?

5 Introduction Four out of five UK enterprises use a token-based authentication system that is, users must provide some form of token in order to identify themselves; examples of such are hardware tokens, key fobs or USB tokens. Token-based authentication systems are best utilised when the user has to team the token which is something they must have on their person with something that they know, like a password, PIN or a piece of memorable information. Tokens or smartcards can contain many different types of information. Some tokens will hold a digital signature of the authorised owner, some will produce a unique code which is scrambled by an algorithm each time a user wishes to enter a building or log on to a machine, and some more advanced systems will hold biometric data such as retinal scans or fingerprints. tokens. From this it can be concluded that just having one line of defence is not enough 26% of those with a token-based approach still experienced security breaches, therefore a multilayered approach is favourable. However, the 26% who have token-based security and have experienced a breach includes 32% of those who have an alternative method of authentication implying that there may need to be more than just one back-up plan. Furthermore, there is a general consensus that mobility is important both to organisations themselves, and to their customers. However, when it comes to securing mobile devices, there is a chink in the armour as fewer than three in five (55%) use token-based authentication systems for mobile devices that enter the corporate network. This essentially means that with these most advanced systems, in order for a user to enter a location, or access data remotely, they will need to provide three things unique to them, to prove their identity something they know, something they have and something they are. This approach does appear to go the distance when protecting organisations from breaches but only four out of five large UK organisations actually use a token-based authentication system meaning that 20% are more open to attack. Further, of those who do have a system in place, only two in three (68%) have an alternative method should their token-based approach be compromised again leaving a significant number open to attack. But what is truly alarming is that despite more than half of IT decision-makers (56%) believing their CEO and board are aware of IT security risks, 26% of organisations, who employ a token-based security approach, have suffered a security breach as a result of identity fraud, linked to lost or stolen 5 Token Security or Just Token Security?

6 A layered approach Prevalence of token-based authentication Figure 1a: Larger organisations are more likely to use token-based authentication systems Only 80% of UK enterprise organisations currently use a token-based authentication system, which means that one in five don t see this security method as necessary. 68% 92% When looking at the data across the sectors, it can be seen that there are slight variations in attitudes; just 70% of respondents in government said that they utilise token-based authentication systems, compared to the overall average of 80%, and 90% in the financial services sector and in the other commercial sector. Figure 1: Just four in five UK enterprises have a token-based authentication system Those with a token-based authentication system Those without a token-based authentication system 20% 80% However, there is a more noticeable difference here when we look at this data by the size of the organisations (figure 1a right) Organisations with employees Larger enterprises are much more likely to use a token-based authentication system than their smaller counterparts. So, are larger organisations better protected as a result? Security breaches Organisations with more than 3000 employees More than a quarter (26%) of organisations that employ a token-based authentication system have experienced a security breach that was a result of identity fraud linked to a lost or stolen authentication device. This number drops to just 22% in the largest organisations and reaches 32% among the smaller enterprises. This could be linked to the fact that larger organisations appear to be the vanguards here, and may be using a more sophisticated method of authentication than smaller organisations. Therefore, without added levels of security, identity fraud and the consequent organisation breach is easier and therefore more likely among smaller organisations. 6 Token Security or Just Token Security?

7 But do organisations have a back-up plan if their token-based security approach is successfully attacked? Alternative methods of authentication Just two thirds of organisations that utilise a tokenbased approach (68%) have an alternative method of authentication that they could use, should their primary approach be compromised. (83%) and again, government is the least likely (50%). So, what are the most common alternative methods being used? Figure 3: A strong username or password is the most common alternative authentication method Strong username/ password 86% Figure 2: A third of organisations do not have an alternative method of authentication to turn to in the event of a breach Knowledge-based questions Soft-tokens 18% 53% Those with an alternative method 33% Grid card 16% Those without an alternative method 68% SMS 12% When we look at the difference in organisation size, we see a slightly dislocated story; while figure 1a showed that larger organisations are more likely to have a token-based authentication system in the first place, smaller organisations that have tokenbased authentication systems are actually more likely to have an alternative method of authentication they could turn to in the event of a breach (85% vs. 54%). And we can see a similar story with sectors; we have already unearthed that those in the financial services sector were among those most likely to be using token-based authentication in the first place. And now a picture is starting to form, as they are also the most likely to have an alternative method On average, organisations that have alternative methods of authentication have two such methods they turn to. The most common, used by six out of seven organisations (86%) that have an alternative method of authentication in case their token-based system is breached, is a strong username or password. The second most popular alternative method, utilised by just over half (53%) are knowledgebased questions. But how long does it take to switch from one method of authentication to another? 7 Token Security or Just Token Security?

8 How long does it take organisations to switch security methods? Of all organisations both those with and without token-based authentication systems just 64% can change their method of authentication from one means to another, within a day. However, when we look at just those with a tokenbased authentication system who have an alternative method (54/100 organisations) this percentage leaps to 80% of this group that can change their method of authentication within a day. This suggests that those with token-based authentication may be slightly more advanced when it comes to the ability to switch authentication methods. But what is concerning is that of those who have experienced a breach only 50% can switch their authentication method within a day compared to more than 68% of those who have not experienced a breach. Could this be because those who have not experienced a breach have better, more proactive defences in the first place? But as figure 2 showed, a third of those with tokenbased authentication systems do not have an alternative method of authentication. Why is this? 8 Token Security or Just Token Security?

9 Awareness of security Why do organisations not have an alternative method of authentication? There are two main reasons that enterprises do not have an alternative method of authentication they could utilise if their token-based approach is breached. Two in five (38%) cite that it is the expense of deploying an alternative solution that deters them from having one. However, the same number (38%) report that they never thought they would need one. This really highlights the naivety of the large enterprises considering that almost a quarter of UK enterprises have experienced a security breach (23%) that compromised their token-based approach. Figure 4: 38% of organisations do not have an alternative method of authentication because they never thought they d need one How well informed is the CEO when it comes to security risks? While a small percentage of respondents said that they don t have an alternative method of authentication because they didn t think they d need one, nine in 10 (90%) senior IT decisionmakers within UK enterprises say that, actually, their CEO and board are well informed when it comes to IT security risks and only 10% believe they are not well informed. And this varies by the size of the organisation; in the larger enterprises more CEOs are seen as being informed about IT security risks, compared to smaller enterprises. There are sector variations too. It appears that those in the manufacturing sector are the least likely to think that their CEO is aware of IT security threats and those in the government have the most faith in their seniors. 38% 4% 38% Figure 5: CEOs in larger organisations are more informed than their counterparts in smaller enterprises 66% 8% 12% 46% The expense of deploying an alternative solution IT doesn't have the bandwidth to manage an alternative We are not aware of the alternatives We never thought we would need one Other Organisations with employees Organisations with more than 3000 employees 9 Token Security or Just Token Security?

10 The importance and security of mobility Two thirds of enterprise organisations realise that the need for mobility is important to their organisation, e.g. all employees are equipped to work remotely using smartphones, laptops and tablets. This appears to be least important to the financial services sector (55%) and most important to the other commercial group (85%). Figure 7: and mobility is important to the customers of 53% of enterprises 14% Not important Figure 6: The need for mobility is important to two thirds of UK enterprises 53% 33% Neither important or not important 13% Important Not important Neither important or not important Important 66% 21% When it comes to mobility in regards to the organisation s customers, a similar outcome is apparent; 53% of senior IT decision-makers cite that mobility is important to customers. And there is a positive correlation here among those who think that mobility is important to their organisation and those who feel that mobility is important to their customers. Figure 8 on page 11 shows that 64% of senior IT decision-makers who consider mobility important to the organisation, also believe it is important to customers (the linear increase in the purple bar in figure 8, alongside the opposing linear decrease in the pink bar). 10 Token Security or Just Token Security?

11 Figure 8: Those who believe mobility is important to the organisation also believe it is important to customers This drops to just half (50%) of those with 1000 to 3000 employees and rises to two thirds (66%) among those with more than 3000 employees. 48% 64% This is almost a mirror image of what we saw in figure 1a, where the larger organisations were more likely to have a token-based authentication system. So, is there a link? 38% 31% 31% Not important to the organisation 19% 33% Neither important or unimportant to the organisation 9% 27% Important to the organisation Not important to customers Neither important or unimportant to customers Important to customers The most popular security method in place for mobile devices entering the corporate network is to request a strong username or password. However, more than half of enterprises use a token-based system. Figure 10: 55% of those who have mobile devices that enter the corporate network use a tokenbased system We can conclude from this that mobility is definitely important to enterprise organisations, but is the security of mobile devices being overlooked? Username/ password Token-based 55% 81% Security of mobile devices Fewer than three out of five IT managers (58%) believe that the mobile devices within their organisation are secure. Knowledgebased questions Grid card None of these 9% 27% 4% Figure 9: Just 58% of UK enterprises believe the mobile devices in their organisation are secure 9% Not secure Considering it was established in figure 1 that 80% of enterprises employ a token-based authentication system, the fact that only 55% use it for mobile devices implies that mobile security may be somewhat of an Achilles heel for organisations. 58% 33% Somewhat secure Secure 11 Token Security or Just Token Security?

12 Conclusions It is clear that despite the majority of UK enterprise organisations having a token-based authentication system, many are still at risk; 33% of those with a token-based system do not have an alternative method of authentication. Further, 36% of organisations would need longer than a day to switch from one method of authentication to another should a breach occur meaning that their defences would be down for a prolonged period of time. And it appears breaches are not an uncommon event 26% of organisations that utilise a token-based authentication system have experienced a breach as a result of identity fraud caused by lost or stolen tokens. The report raises more questions than delivers answers about enterprise security. It is clear that organisations we researched are likely, at some point, to be the victim of an attack. And whilst larger organisations do appear to be more security-aware, it is also the case that the larger the organisation they are likely to be more well-known, have more people working within them and the opportunity for a breach is greater. Therefore, it is much harder for the largest organisations to be 100% secure. If we add the hugely significant factor of mobile device access to this mix, then it is clear that the organisation needs to constantly monitor its security regimen to make a successful attack as unlikely as possible. Senior IT staff have faith in their CEOs and board members though, as all but 10% believe that the CEO and board are well informed about IT security risks. However, this begs several questions; If 90% of CIOs are satisfied that the board and the CEO are aware and informed of security risks then: Why do a third of those with a token-based system not have an alternative method of authentication? (aside from the fact that 38% thought they would never need one ) Why have 26% of organisations with tokenbased authentication systems experienced token-related breaches? Why do only 58% of senior IT decisionmakers think that the mobile devices within their organisations are secure? 12 Token Security or Just Token Security?

13 About Entrust A trusted provider of identity-based security solutions, Entrust secures governments, enterprises and financial institutions in more than 5,000 organisations spanning 85 countries. Entrust s award-winning software authentication platforms manage today s most secure identity credentials, addressing customer pain points for cloud and mobile security, physical and logical access, citizen eid initiatives, certificate management and SSL. For more information about Entrust products and services, call , [email protected] or visit About Vanson Bourne Vanson Bourne, a specialist research-led consultancy, carries out user research within a technology context. The company interviews senior decision makers from a variety of functions, across a whole range of industries, in organisations from the smallest to the largest, in markets around the globe. Vanson Bourne s clients range from start-ups to well-known companies that need expert guidance, delivering robust and credible research-based analysis. 13 Token Security or Just Token Security?