TMCnet News

Passwords Have Failed as Effective Identity Management Tools, According to META Group; Research Finds Both Organizations and Individuals Responsible for Password Ineffectiveness
[September 15, 2004]

STAMFORD, Conn. --(Business Wire)-- Sept. 15, 2004 -- Most customer password implementations and policies are ineffective, as a result of organizational and individual failings as well as a lack of truly viable solutions from vendors, according to META Group (Nasdaq: METG), a leading provider of information technology (IT) research, advisory services, and strategic consulting.



At the enterprise level, META Group finds that most organizations devote too much time developing convoluted policies for accessing resources that do not require significant protection, or they spend too little time protecting crucial applications. Further, organizations have been unable to strengthen password protection for mission-critical resources in a cost-effective manner. These organizations have also been cited by independent auditors for non-compliance with new and existing regulations that may be supported by identity management services. Finally, research suggests that there are inadequate processes, skill sets, training, tools, awareness, and communication among business users and the IT organization, rendering password protection systems both vulnerable and underutilized.

Password failure is also rooted in end-user issues. According to META Group analysts, the password as an identification and authentication method is ineffective when individuals have too many passwords to maintain. However, the issue goes beyond the sheer volume of passwords, a problem initially created by an industry of disparate vendors with differing identity management systems and methods.


"The issue with password protection isn't just a number issue. Rather, from a cultural standpoint, many individuals do not believe the value of the password reflects the value of the assets it protects," said Earl Perkins, vice president with META Group's Security & Risk Strategies advisory service. "Time and again, the password is not afforded deserved protection. This renders passwords ineffective regardless of synchronization, best practices, or management efforts."

Perkins suggests customers are waiting for and expecting the software community to provide them with a solution, rather than the management applications and best practices that have been favored to date. However, solving the password puzzle has not proven a profitable business and, for that reason, vendors have had little interest in helping customers heal what they believe are "self-inflicted wounds."

Despite the lack of incentive for vendor involvement, there have been efforts to address the growing identity management problem. Most of these have focused on the classic "single sign-on" solution, which involves creating a single identifier and password for most applications and resources for each user. However, while single sign-on may solve some password issues, META Group believes that it will also inject new problems regarding the balance between authentication and authorization.

META Group believes the ultimate solution must address three simple principles about authentication to be successful:

1. Individuals want to know that their identity is secure when they identify themselves to gain access

2. Individuals want to identify themselves simply and consistently, without tricks, aids, mnemonics, etc.

3. Individuals want to understand the value of what they are accessing in relation to how they access it

About META Group

META Group is a leading provider of information technology research, advisory services, and strategic consulting. Delivering objective and actionable guidance, META Group's experienced analysts and consultants are trusted advisors to IT and business executives around the world. Our unique collaborative models and dedicated customer service help clients be more efficient, effective, and timely in their use of IT to achieve their business goals. Visit metagroup.com for more details on our high-value approach.
