Choosing a Replacement for Incumbent One-Time Password Tokens


Research Publication Date: 21 April 2011   ID Number: G00212244

Ant Allan

This research outlines the options for enterprises seeking replacements for incumbent one-time password (OTP) hardware token deployments, along with guidance on how to choose among the alternatives. Authentication is fundamental to trust relationships, so it is vital that enterprises make properly informed choices.

Key Findings

- OTP hardware tokens are still widely regarded as the standard authentication method for workforce remote access and other use cases, but they can be expensive and offer a poor user experience (UX).
- OTP hardware tokens are not well-suited to use with smartphones and other mobile devices, which are rapidly increasing in use for access to enterprise systems, banking, e-commerce and so on.
- The recent breach at RSA, The Security Division of EMC, has raised concern about the robustness of RSA SecurID (the market-leading OTP hardware token) in particular, and of other OTP hardware tokens in general.

Recommendations

- When choosing a replacement authentication method, apply the same criteria that you would when choosing a new authentication method from scratch: consider the level of assurance (and accountability), the total cost of ownership (TCO) and UX.
- Review your needs critically: don't assume they are unchanged from when you decided to deploy OTP hardware tokens in the first place.
- Remember that all authentication methods can be broken or bypassed, so don't neglect security monitoring, fraud detection and other layered controls.

© 2011 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity" on its website, http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp

ANALYSIS

Many enterprises have deployed OTP hardware tokens, typically for workforce remote access and external user access. However, enterprises are increasingly sensitive to the cost of this authentication method and to its relatively poor UX, especially for mobile access. Recent events have also raised concerns about the robustness of the market-leading product, RSA SecurID. Thus, some enterprises are critically reviewing their deployments. What alternatives are available to them, and how can an enterprise choose among those alternatives? This research provides guidance on these choices.

Why Is Your Enterprise Considering an OTP Hardware Token Replacement?

Gartner has clients asking about OTP hardware token replacements for the following reasons:

The Current Tokens Need Replacing Every Three to Five Years, at Significant Cost

Some vendors offer tokens with a limited lifetime of three to five years, while other vendors offer tokens without user-replaceable batteries, so the tokens stop working (unpredictably) when the batteries expire.

The Current Tokens Are Too Expensive to Issue to Large Numbers of New Users

This arises particularly when remote access is being extended to a larger part of the workforce, or when high-value systems are being rolled out to external users (business or consumer).

The Current Tokens Provide Poor UX

This is a particular concern for enterprises with users who have an elective relationship with the enterprise, and who might take their business elsewhere if they find tokens too much trouble compared with what competitors are using (see "Good Authentication Choices for External User Access"). Increasingly, Gartner also sees push-back from workforce users accessing corporate systems from smartphones (even when they have tolerated using tokens for access from PCs), partly because of the inconvenience of juggling two handheld devices, and partly because UX expectations are higher on smartphones than on PCs.
However, it should be noted that most of the alternatives offer a UX no better than the current tokens, or they demand a trade-off in assurance level (AL). Proven options with high AL and good UX have yet to emerge.

The Current Tokens May Provide Less Assurance Than Originally Thought

This was prompted by a recent attack on RSA, The Security Division of EMC (see "RSA SecurID Compromise Is of Concern, but Likely Not a Fatal Flaw"). Clearly, RSA SecurID is the focus of most clients, but some have expressed concerns about similar attacks compromising other vendors' OTP hardware tokens. Although this is possible, it depends on the details of each vendor's technical implementation. For existing RSA SecurID customers, it is likely much faster and cheaper to distribute replacement RSA SecurID tokens (those shipped since the attack was announced are not compromised) than to migrate to a new solution. We understand that some RSA SecurID customers have already received replacement tokens, although we don't know under what terms. However, what the attack has highlighted is the need for robust management practices to protect the integrity of the authentication infrastructure (including backups and other mirrors of user identity information and credentials), for good user and administrator behaviors, and, in particular, for active monitoring of user behavior. No authentication method is fail-safe, and good monitoring is essential to detect and limit fraud and other misuse (see "Where Strong Authentication Fails and What You Can Do About It" and "Discover Data Breaches With Security Monitoring and Fraud Detection Technologies").

What Alternatives to Its Existing OTP Hardware Tokens Can Your Enterprise Consider?

An enterprise might consider the options shown in Figures 1 through 4, which are listed roughly in order of increasing difference from the current "baseline" method. The baseline is assumed to be an OTP hardware token with a display but no PINpad, which is the most common type. (With this kind of token, the user's PIN or password is sent across the Internet along with the generated OTP, exposing the PIN or password to a variety of PC-based and network-based attacks.) In each figure, the "Driver" column indicates which goal is most likely to prompt consideration of that method: higher AL (or higher accountability), lower TCO or better UX. The "AL," "TCO" and "UX" columns show how each method compares against the baseline method (see the section "Which Provides the Bigger Potential Cost Savings: Changing Method or Changing Vendor?" below).

Figure 1. Other OTP Tokens

Figure 2. Phone-Based Authentication Methods

Phone-based authentication is now more popular than OTP hardware tokens in new deployments (see "Predicts 2011: Identity and Access Management Continues Its Evolution Toward a Strategic Discipline"). However, when the user is using a smartphone to access enterprise systems, the level of assurance is lower because there is no longer a discrete physical token (it is thus equivalent to using a PC OTP software token for access from a PC; see Figure 1).

Figure 3. Other Tokens

Figure 4. Biometric Authentication Methods and Knowledge-Based Authentication Methods

Note that other biometric technologies, such as voice and face topography, might be considered and can suit multiple use cases, but they are far less proven in the market.

The choice needn't be "all or nothing": several authentication vendors (nearly all the major ones) offer an infrastructure (an on-premises appliance or server software, or a cloud-based service) that supports multiple authentication methods for different users in different use cases. So, for example, an enterprise might retain OTP hardware tokens for some users (such as those with time-critical, higher-risk access), while migrating others (such as those with an occasional need for lower-risk access) to out-of-band (OOB) authentication. Talk to your OTP hardware token vendor to see what alternatives it can support in parallel.

Which Provides the Bigger Potential Cost Savings: Changing Method or Changing Vendor?

The "TCO" column in Figures 1 through 4 is based on average costs across all vendors. So, a downward arrow indicates an alternative method that typically has lower TCO than OTP hardware tokens across all vendors, very often because of a lower licensing cost; however, similar (or even higher) licensing costs can be offset by lower overheads (see "Gartner Authentication Method Evaluation Scorecards, 2011: Total Cost of Ownership"). Thus, an enterprise can generally achieve cost savings by switching to a "low cost" alternative from the same vendor (if it offers that option), although some vendors may have anomalous pricing. However, given the wide range of prices for different methods from different vendors (see "How Much Is That Token in the Window? What You Should Expect to Pay for New Authentication Methods"), it is possible to make bigger cost savings by migrating to OTP hardware tokens from another vendor than by migrating to a "lower cost" alternative from the incumbent vendor. The biggest cost savings can, of course, be achieved by migrating to a "lower cost" alternative from a "lower cost" vendor, but the enterprise must ensure that this still meets its needs (see the next two sections). Other cost savings may be possible by changing the delivery method, for example by moving from on-premises server software to a cloud-based service.

What Should You Consider When Choosing Among These Different Options?

When choosing a replacement authentication method, don't assume that the existing OTP hardware tokens are the best fit for your enterprise's current needs. Many decisions to use OTP hardware tokens were made when fewer options were available.
Furthermore, the situation may have changed along multiple dimensions: the kinds of systems accessed, the threat landscape, and users' wants and needs (especially with regard to their endpoint device preferences: not just mobile devices, but also "bring your own PC to work" initiatives). It may be useful to revisit the basis for the original decision, but interactions with Gartner clients and vendors' reference customers suggest that these decisions were not always well-documented, or the documents were not retained. In any case, you should consider your current needs as if you were choosing a new method from scratch. The choice of any authentication method is determined by:

- The required level of assurance and accountability, determined by the level of risk and the need for nonrepudiation in each use case.
- TCO, limited by what can be justified by the enterprise's available budget. What can be justified is, in turn, determined by the level of risk.
- UX, determined by users' wants and needs. External users may be particularly sensitive to poor UX (we know that banks have lost a small percentage of customers because of this), but poor UX can also drive behavior that compromises security: users may take steps to make the method easier to use, for example by writing a token's PIN on a sticky label on the token.
- Other needs or constraints: for example, if there is a need to support digital signature or endpoint encryption, or a desire to adopt a common access card, then a smart card with public-key infrastructure (PKI) credentials might be preferred.

This general approach is set out in "How to Choose New Authentication Methods." The following research discusses the strengths and limitations of candidate authentication methods in different sets of use cases:

- "Good Authentication Choices for Workforce Local Access"
- "Good Authentication Choices for External User Access"
- "Good Authentication Choices for Workforce Remote Access"

What Influences Your Decision to Move to a Different Authentication Vendor?

An enterprise should evaluate the following when considering changing an authentication vendor:

Do you have enough time to migrate to the new solution? Many enterprises consider migrating to a new method or vendor within months of the contract renewal date. This may not be enough time to research, select, negotiate contracts for and implement an alternative solution. Implementing smart cards with PKI credentials, for example, can be particularly time consuming, especially if an organization also wishes to integrate building access systems (that is, a common access card approach), and can push out the replacement of OTP hardware tokens by 12 months. The time available should not dictate the enterprise's choice, so under normal circumstances enterprises should look at least a year ahead when making such a decision.

Can the new vendor's offering support all the platforms that the incumbent vendor's does? Most OTP hardware tokens are deployed to support workforce remote access and external user access; thus, most vendors' offerings will support these use cases and can be easily integrated with most Secure Sockets Layer (SSL) and IPsec VPNs, and also with many Web and application servers. However, for some instances of workforce local access (such as users' PC and network logins and administrators' server logins) where one vendor's OTP hardware tokens are used, it may be harder to find an alternative. (It should be easy to migrate to another method from the same vendor, which typically doesn't involve a change in the authentication infrastructure.)

Does the new vendor offer alternative delivery options? To date, most enterprise OTP hardware token deployments are based on on-premises server software, although more recent ones may have already taken advantage of alternative delivery options, such as on-premises hardware appliances or cloud-based managed authentication services. Rack-mounted hardware appliances are popular among some enterprises across a range of security products because they provide a more robust platform, in addition to potential TCO savings. Cloud-based services have been taken up mainly by small and midsize businesses and, among enterprises, mainly in the government and higher education vertical industries. However, as enterprises gain confidence in moving a variety of applications to the cloud, we expect to see increasing interest in this delivery option. In particular, it seems to offer the easiest way to implement new authentication methods for access to applications in the cloud.

What are the "rip and replace" costs? Migration costs are likely to be higher than the cost of implementing a new authentication method from scratch, because of the overheads of managing the transition and the costs of decommissioning the old infrastructure. Even if the replacement is similar, there may be sufficient differences to prompt many user calls to the help desk. Retraining administrators may be harder than training them in the first place, because of the cost of "unlearning" the old ways of managing the system. These costs might be offset by a reduction in licensing costs, compared with a first-time implementation, because a new vendor may offer a "competitive upgrade."

Can existing tokens continue to be used until they expire? Many enterprises will be reluctant to throw away usable tokens. A vendor may be able to support existing tokens on its own infrastructure. This is typically true where the existing tokens comply with the Initiative for Open Authentication (OATH) specifications, because the OATH algorithms are open and a replacement server needs only each token's secret seed (and, for event-based tokens, its current counter) to validate its OTPs. In addition, some vendors can also support proprietary tokens, typically RSA SecurID. Alternatively, a vendor may be able to run in parallel with the incumbent infrastructure for as long as necessary, acting as a proxy to the old authentication server for users who are identified as "old token" users.

Additional analysis and review by Mark Diodati.

RECOMMENDED READING

Some documents may not be available as part of your current Gartner subscription.
- "How to Choose New Authentication Methods"
- "Good Authentication Choices for Workforce Local Access"
- "Good Authentication Choices for External User Access"
- "Good Authentication Choices for Workforce Remote Access"
- "Where Strong Authentication Fails and What You Can Do About It"
- "Q&A: Phone-Based Authentication Methods"
- "Q&A: Biometric Authentication Methods"
- "Q&A: Smart Tokens and Common Access Cards"
- "Gartner Authentication Method Evaluation Scorecards, 2011: Overview"
- "Gartner Authentication Method Evaluation Scorecards, 2011: Total Cost of Ownership"
- "How Much Is That Token in the Window? What You Should Expect to Pay for New Authentication Methods"
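The portability of OATH-compliant tokens that the "Can existing tokens continue to be used until they expire?" point relies on comes from the OATH algorithms being public: HOTP (RFC 4226) is an HMAC over an event counter, and TOTP (RFC 6238) is HOTP with the counter derived from the clock, so a replacement server that is given the token seeds can validate the old tokens itself. The Python below is an added illustration, not code from the Gartner document or from any token vendor. It implements both algorithms, checks itself against the published RFC test vectors (seed "12345678901234567890"), and shows the server-side state a migrated HOTP token needs: the seed, the next expected counter, and a look-ahead window for resynchronization. The window size and the sample counters are assumptions for the example.

```python
"""OATH HOTP (RFC 4226) / TOTP (RFC 6238) generation and server-side HOTP
verification. Added illustration only: not Gartner's or any vendor's code."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation
    of 31 bits at the offset given by the low nibble of the last MAC byte,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, t0: int = 0,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter taken from the clock (time step)."""
    return hotp(secret, (unix_time - t0) // step, digits, digestmod)


class HotpVerifier:
    """Server-side state for one event-based (HOTP) token.

    The seed and the last accepted counter are all a replacement
    authentication server needs, which is why OATH tokens can be moved
    between vendors. The look-ahead window tolerates button presses that
    never reached the server; an accepted code moves the counter past
    itself, so replaying that code (or any earlier one) is rejected.
    """

    def __init__(self, secret: bytes, counter: int = 0, window: int = 10, digits: int = 6):
        self.secret = secret
        self.counter = counter      # next counter value expected from the token
        self.window = window        # assumed look-ahead size for this example
        self.digits = digits

    def verify(self, code: str) -> bool:
        for candidate in range(self.counter, self.counter + self.window + 1):
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.counter = candidate + 1          # resync and burn the code
                return True
        return False


# Test seed from the RFC 4226 / RFC 6238 appendices.
RFC_SEED = b"12345678901234567890"


def rfc_self_check() -> bool:
    """Return True if the implementation reproduces the RFC test vectors."""
    hotp_ok = [hotp(RFC_SEED, c) for c in range(3)] == ["755224", "287082", "359152"]
    totp_ok = (totp(RFC_SEED, 59, digits=8) == "94287082"
               and totp(RFC_SEED, 1111111109, digits=8) == "07081804")
    return hotp_ok and totp_ok


if __name__ == "__main__":
    print("RFC vectors:", "ok" if rfc_self_check() else "MISMATCH")
    v = HotpVerifier(RFC_SEED)
    print("counter 2 accepted:", v.verify(hotp(RFC_SEED, 2)))   # resyncs server to 3
    print("replay of counter 2:", v.verify(hotp(RFC_SEED, 2)))  # rejected
```

When migrating vendors, the data that has to be exported and re-imported is exactly what `HotpVerifier` holds per token (seed, counter, digit length; for TOTP, the time step and any per-token clock drift); treat that export as credential material and protect it with the same care the text recommends for backups and mirrors of the authentication infrastructure.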
