Tuesday, October 15, 2013

Information Security in 2013: Are Passwords Really Dead?

According to Heather Adkins, Google’s information security manager, “the game is over” if your company is still relying on passwords as its primary form of information security protection.

Adkins laid it all out when speaking at a recent tech panel. Apparently Google is done with passwords, and we should be too. She went on to describe a new means of authentication that could rely on physical tokens embedded in clothing. And who is behind this world-changing, space-age technology? You guessed it: Google.

Authenticate, Authenticate, Authenticate.

And here we are again. Every few years, the security community bands together around some new direction in IT security, particularly in user authentication, that is designed to plug all of the holes in the existing security methodologies.

Most often the sentiment of bloggers and experts is that adopting the new technology standard will revolutionize security and make companies vastly more threat-proof. This has happened as far back as I can remember (which is 25 years as far as business is concerned), and somehow breaches keep occurring and even escalating.

Adkins’ dramatic statement is shortsighted. Password authentication is only a single component of a security strategy. It’s time to recognize that any good security or authentication mechanism is only a tool and must be used in concert with other tools, with good corporate leadership, and with strongly enforced policies. And remember: once all of that is done, you have still only reduced your exposure to risk, not removed it. Too many executives are under the false impression that security tools, plans, and projects are implemented to eliminate risk. You can never fully eliminate risk. All you can do is minimize it.

And while Adkins may be right to suggest that one of every new company’s first 25 hires had better be somebody fully focused on security, that person had better be in the business of asking questions, not just implementing new and improved technology. Here are some questions your security-focused personnel should be asking right now: What are we securing? For whom? From whom? What are the consequences of its being exposed? What level of authentication will our customers tolerate? And what steps can we take to create a multi-faceted security plan?
