There can be no secure access to data without authentication, and it is now more important than ever for building customers' trust in a company's data-security practices. Customers now expect to see more than just a security lock on a Web site before divulging personal data, and industry practices and regulations are making stronger authentication a top priority.
For instance, chances are that sometime in the past few months when you logged on to an online banking site, you've had to go through a new authentication procedure that might have included choosing unique images, selecting pass-phrases, setting up challenge questions and agreeing to register your access device. Those measures are likely in response to Federal Financial Institutions Examination Council (FFIEC) authentication guidelines that took effect on January 1 of this year.
Salt Lake City-based Zions Bank uses RSA's Adaptive Authentication solution to provide site-to-user and user-to-site authentication in its online banking service. The bank deployed the system last July, and enrollment in what it calls its "SecurEntry" system is now mandatory for bank customers.
The RSA system displays a user-selected pass-phrase to authenticate the site to the user. To authenticate the user to Zions Bank, SecurEntry starts with a conventional name and password, but also records IP addresses and collects "forensics" such as browser platform and operating system version to create a layered security solution. The system is adaptive, developing a rolling profile of users' login activity. Login attempts outside these profiles will trigger challenge questions.
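As an added example (not RSA's or Zions Bank's code), here is a minimal risk-based login check in the spirit of the one described above: it keeps a rolling per-user profile of source IP, browser/OS and hour of login, and escalates to challenge questions when an attempt falls outside that profile. The 10% familiarity threshold, the attribute set, the score at which a challenge fires and the sample login history are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

# Added illustration of the adaptive login flow described above, built on
# constructed sample data; not RSA's or Zions Bank's own code.

@dataclass
class LoginProfile:
    """Rolling profile of the IPs, devices and hours a user normally signs in from."""
    ips: Counter = field(default_factory=Counter)
    devices: Counter = field(default_factory=Counter)   # (browser, os) pairs
    hours: Counter = field(default_factory=Counter)     # hour of day, 0-23
    total: int = 0

    def record(self, ip: str, browser: str, os: str, hour: int) -> None:
        """Fold a trusted login (password plus any challenge passed) into the profile."""
        self.ips[ip] += 1
        self.devices[(browser, os)] += 1
        self.hours[hour] += 1
        self.total += 1

def risk_score(p: LoginProfile, ip: str, browser: str, os: str, hour: int) -> int:
    """Number of attributes (IP, device, hour) that are unusual for this user.
    'Unusual' = seen in under 10% of recorded logins; hour is matched within +/-1."""
    if p.total == 0:
        return 0  # first login after enrollment: nothing to compare against yet
    seen_ip = p.ips[ip]
    seen_dev = p.devices[(browser, os)]
    seen_hour = sum(p.hours[(hour + d) % 24] for d in (-1, 0, 1))
    return sum(1 for seen in (seen_ip, seen_dev, seen_hour) if seen / p.total < 0.10)

def decide(p: LoginProfile, ip: str, browser: str, os: str, hour: int,
           challenge_at: int = 2) -> str:
    """Run after the password check: 'allow' a familiar login, or 'challenge'
    an outlier with the user's pre-registered questions before letting it in."""
    return "challenge" if risk_score(p, ip, browser, os, hour) >= challenge_at else "allow"

def build_sample_profile() -> LoginProfile:
    """Constructed history: 20 evening logins from home, 3 morning logins from work."""
    p = LoginProfile()
    for ip, browser, os, hour, n in (("203.0.113.7", "Firefox 2", "Windows XP", 20, 20),
                                     ("198.51.100.4", "IE 7", "Windows XP", 9, 3)):
        for _ in range(n):
            p.record(ip, browser, os, hour)
    return p
```

A single unusual attribute (the home PC used at 3 a.m.) is tolerated at the default threshold, while an unknown IP, device and hour together trigger the challenge; once a challenged login is answered correctly, feeding it to record() is what makes the profile adapt.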
For ROI-focused companies that have struggled with the cost-benefit of security solutions, building customer trust can turn into a measurable reward. Zions, for instance, has seen increased reliance on its online customer service channel (reducing phone- and branch-based service costs) as well as a deterrent value. "Today the 'bad guys' are attacking the easiest targets," explains Preston Wood, Zions' chief information security officer. "As we've strengthened our authentication, we haven't seen as many attacks."
Striking a Balance
In the rush to address all the technological challenges of data security, businesses have to be careful not to put legitimate users and customers through hell. That's one reason why Sharp Healthcare hasn't automated its policy enforcement yet, even though its new security systems could automatically block access to or movement of certain types of data.
"If you come out of the gate and start blocking everything, you'll have a big fight with your business units," says Tobia, adding that the deployment would likely fail. "We are taking a conservative approach, starting with a base set of policies, following up on a case-by-case and person-by-person basis, and monitoring the effectiveness of those policies. When we're comfortable with what we're capturing, we can more fully automate enforcement."
Ultimately, "You want to train people to be conscientious," says Patel. "That will help companies' view of [security] to change from being something that goes on after the fact and under the radar to being something proactive that has a benefit to both the business and its customers."