However, Andrew Ochse, product manager at Nanoteq, Comparex Holdings' managed security services arm, believes there is hope on the horizon, as the infrastructure for providing dedicated access control in a distributed environment is evolving rapidly.
One example of this is LDAP and the universality of directory services. Through a standard protocol, a directory service supplies information about users, resources and their access rights to multiple applications in a seamless, integrated way. Another is Security Assertion Markup Language (SAML), an interoperable protocol for exchanging access control information in a more distributed context.
The downside, as Ochse sees it, is that while authorisation products have come of age to a large degree, organisations still forget the amount of work they need to do to customise their channels to work with these products. "Access control problems do not get fixed overnight. It will take time, just as it took time for computer systems to evolve from mainframes to distributed networks." However, meta-directories and standards suggest that there is a way to position access control where it belongs: as an integral part of an infrastructure that is universally available to the application level.
SSO not panacea to security ills!
Ochse is a vociferous opponent of the current trend towards single sign-on (SSO), saying SSO is being wrongly touted as the answer to all security problems.
"SSO vendors are spreading the line that SSO will solve all ID management problems and that it will save money and increase productivity, but all they are doing is creating a heinous misconception," says Ochse.
"Fact is, in South Africa we lose more productivity to people going outside to smoke than we do to having to re-authenticate every so often. Question is, is not the marginal inconvenience of having to re-authenticate worth the risk when you consider the value of the information being dealt with in some instances? Of course it is."
Access control nirvana
Access control nirvana, according to Ochse, is the migration towards the adoption of PKI solutions, working with smartcards, which are secured by biometrics. "The main drawback of PKI is its cost and even biometrics are fairly expensive for single desktop applications but, in high-risk applications, it is often worth it. Government has certainly been a very strong adopter of biometrics in its departments. Biometrics is the only real way to accurately identify someone to a digital system."
Ochse believes biometrics could even play a major role in reducing ATM fraud at a marginal cost per ATM. Instead of typing in a PIN code - 'a security manager's nightmare' - a user would insert their card and then authenticate by placing their finger on a biometric scanner.
"The general trend in South African business is still the staggering degree to which organisations underestimate the value of their information," says Ochse. "We cannot even start to guess the amount of fraud in areas like finance, medicine and government - and the bottom line is that most of it is preventable with modern access control technologies."