Pay Attention to Identity and Access Management

Each year the American Institute of Certified Public Accountants releases the results of its Top Technologies Initiative survey. When it comes to Identity and Access Management, the message is loud and clear: those in the know about technology and our profession once again ranked Identity and Access Management in the Top Ten.

Filling the number seven spot, Identity and Access Management was defined as “the implementation of physical, technical, and administrative controls that limit access to company resources to authorized persons. A challenge exists with achieving easy access by authorized users while making resources inaccessible to unauthorized users.”

No industry has gone untouched by this issue. Whether you are a large financial institution debating new and unique ways to verify customers who access their accounts via ATM or the Internet, or simply an IT director trying to safeguard your customers’ private and confidential data, the challenge is the same: always taking the initiative to stay one step ahead of the curve to prevent unauthorized access.

Should you be concerned about the possibility of a breach in your existing identity and access management system?

Absolutely…Yes!

If your employees are like most, you can be assured that they have created one or more access identities based on “convenience” rather than on security or privacy. Most individuals build passwords from publicly available information such as initials, phone numbers, the name of their first-born or their mother’s maiden name. Hackers widely use the “dictionary attack” or the “brute force” method to break such passwords. The dictionary attack tries mostly words found in a dictionary, possibly with a number added at the beginning or the end. The brute-force method systematically tries combinations of alphabetic, numeric and special characters to break more complex passwords or phrases. To test your own password and see how many days, hours or even minutes it could take to break using a simple computer, check out the calculator on www.hackosis.com.

What can you do to help protect access to private and confidential data?
If you must use passwords, educate your end users on the importance of “strong” passwords. Passwords need to be unique and absolutely must be different for each application. Too many people use the same password for all applications. Just think about the ramifications if an individual gained access to every application and data file within your system simply as a result of cracking one password.

Some generally accepted rules of thumb for creating strong passwords include:
•    They need to contain special characters such as @#$%^&
•    They must be at least eight characters long
•    They must not contain common words or values such as 123, password, your birth date, your login name or any word that can be found in a dictionary
•    They must use a mix of capital and small letters
If you want to test your password, try the strength test at www.passwordmeter.com. The goal is a password rated as having “very strong” complexity.
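The four rules of thumb above, together with the brute-force time estimate mentioned earlier, as an added Python example that is not code from the original article: `password_problems` reports which rules a candidate password breaks, and `brute_force_seconds` estimates worst-case exhaustive-search time from the character classes the password actually uses. The short `COMMON_WORDS` set, the guess rate, and treating all of `string.punctuation` as special characters are assumptions.

```python
import string

# Constructed stand-in for the dictionary of common words the article warns
# about; a real deployment would load a full word list from a file.
COMMON_WORDS = {"password", "123", "letmein", "welcome", "qwerty", "admin"}

# Assumption: any punctuation counts as "special", which covers the
# article's @#$%^& examples.
SPECIALS = set(string.punctuation)


def password_problems(pw, login_name="", birth_date="", common_words=COMMON_WORDS):
    """Return the article's rules of thumb that `pw` violates ([] = passes all)."""
    problems = []
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character such as @#$%^&")
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    # Banned material: dictionary/common words plus the user's own login name
    # and birth date; any of them appearing inside the password counts.
    banned = set(common_words) | {w for w in (login_name, birth_date) if w}
    hits = sorted(w for w in banned if w.lower() in pw.lower())
    if hits:
        problems.append("contains common word(s): " + ", ".join(hits))
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("no mix of capital and small letters")
    return problems


def brute_force_seconds(pw, guesses_per_second=1e9):
    """Worst-case seconds to exhaust every string of the same length drawn
    from the character classes `pw` actually uses. The guess rate is an
    assumed figure; real rates depend on the hash and the hardware."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in SPECIALS for c in pw):
        alphabet += len(SPECIALS)
    return alphabet ** len(pw) / guesses_per_second


if __name__ == "__main__":
    for candidate in ("jsmith123", "Tr0ub4d@r!"):
        print(candidate, password_problems(candidate, login_name="jsmith"),
              f"{brute_force_seconds(candidate) / 86400:.1f} days")
```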


If possible, use alternatives for access control! Most computer manufactures today offer alternatives to password logins. The most commonly used are biometric techniques. These techniques include scanning such things as fingerprints and irises. Although these methods require additional hardware, they are very often more reliable than the use of passwords.

While enhancing or modifying an existing identity and access management system should not create an additional layer of complexity for the business, such alternatives should be evaluated in order to protect the private and confidential data stored on those systems.