Unfortunately, another element of the password policy that needs to be advocated but can't be enforced technically is the use of passwords on external sites. Most employees have their personal mail and instant messaging accounts, as well as IDs and passwords, established on sites around the world. The natural tendency is to make life easier by using the same ID and password on all. And they perhaps want to make life even easier by using their corporate ID and password. This practice should be actively discouraged. Employees should be made aware that using the same personal ID and password on multiple external sites makes desktop data extremely vulnerable and can potentially compromise corporate data. Many companies have a provision in the employment agreement that allows termination of an employee if the company's systems are compromised using that employee's ID. Although somewhat draconian (and rarely enforced), the provision is a very good way to get your employees to recognise the importance of the recommendation. The use of multiple identities
A third required element of any password policy is giving key employees multiple ID/password pairs. For example, network administrators should have at least two IDs -- one for use when performing network management tasks and another for using applications not directly related to managing the network. Think of the multiple IDs as keys on a key chain -- there should be one for the employee's office and another for the data center door. Many will argue that this defeats the purpose of having SSO in the first place. I disagree. I think that it makes SSO palatable in most organisations that value security of corporate data over the convenience for their employees. The next challenge: Federated credentials
With both Microsoft (with Passport) and Sun (with the Liberty Alliance) adding the ability to federate credentials, the password and ID issue clearly has the potential to become more complex and worrisome. Once an enterprise provides internal users credentials to access another company's data (whether it's a client, partner, or customer), there's going to be an even larger potential for liability and much more exposure. Security policies like password selection should be seriously reevaluated in the coming months to meet the challenge of the new federated ecosystem. Having internal policies in place and enforced will give CIOs one less thing to worry about in light of this next major challenge.
Have your say instantly in the Tech Update forum.
Find out what's where in the new Tech Update with our Guided Tour.
Let the editors know what you think in the Mailroom.
