Part III: Securing your Data and Systems
By Thomas G. Stephens, Jr., CPA, CITP
In this series, we have reviewed many of the risks and responsibilities
accountants face with respect to securing data and systems. We have also
discussed some of the tools available to accountants when addressing these
risks. In the final installment of this series, we will examine some of the
leading-edge technologies that you can put to work today in order to secure
your data and information systems.

Key Fobs and Smart Cards

Key fobs and
smart cards are physical devices that authenticate a user’s identity. Think of
these devices like a car owner’s keys – just as the owner cannot start his car
without the keys, a user cannot log on to a computer or access data without the
appropriate key fob or smart card to validate his identity. One of the
interesting developments in the use of key fobs and smart cards is using these
tools to periodically generate new passwords – in effect, forcing frequent
password changes instead of relying on users to change their passwords
frequently. For instance, PayPal allows customers to use a key fob that
generates a new password every 30 seconds. When engaging in a PayPal
transaction, the customer must enter the correct current password, as defined
by the key fob; otherwise, the transaction fails. This type of use of key fobs
is increasingly commonplace in Web-based commerce, banking, and other financial
transactions.

Biometric Devices

Biometric
devices are physical devices that, like key fobs and smart cards, are used to
validate a user’s identity. Many of today’s biometric devices use fingerprint
recognition for this purpose. For instance, Hewlett Packard’s line of mobile
workstation laptops contains embedded fingerprint readers that replace a user’s
traditional password log-on. Merely swiping a finger over the device causes the
user to log on to the computer, without the need to enter a password. This
means that a weak or lost password does not compromise access to the computer.

Biometric devices
can measure a number of biologically-specific characteristics. Included are
fingerprints, retina scans, DNA, and voice and speech recognition. Of course,
the risk of improper data and system access determines the complexity of the
biometric characteristic used to authenticate a user. When using biometrics in
a multi-factor authentication environment, as discussed below, security over
data and systems increases exponentially.

Multi-Factor Authentication

Multi-factor
authentication uses multiple factors to validate a user’s identity. These
factors often are divided into three categories:

- Something the user has. Generally, this is a physical device such as a key fob, security token, or smart card.
- Something the user knows. These are traditional passwords, phrases, security questions, and personal identification numbers.
- Something the user is or does. These are typically biometrics, such as fingerprints, retina scans, or voice recognition.

Historically, developers
have used multiple factors to validate a user’s identity when engaging in
critical transactions; for instance, an ATM card and PIN constitute two-factor
authentication – something the user has (ATM card) and something the user knows
(PIN). Clearly, using multiple authentication factors provides a higher level
of assurance regarding a user’s identity than using a single authentication
factor. Without all pieces of the puzzle in place, access to the data or
system is denied.

Throughout this
series, we have attempted to highlight many of the risks accountants face with
respect to computer and information security. In a perfect world, these risks
would not exist or, if they did, they would be static and, therefore, easily
addressed. Unfortunately, that is not the world in which we live and work. Accordingly,
we must recognize and respond to these risks using the tools and techniques
that are available to us both today and in the future. Above all, remember that
the only constant here is change, and the tools that are appropriate
today will likely give way to a different breed of tools to more appropriately
address risks in the future.

Mr. Stephens is a shareholder in K2 Enterprises,
where he develops and presents technology-related continuing professional
education programs to accounting and finance professionals across the United
States. You may reach him at tommy@k2e.com.
The views and opinions expressed in this column are those of the author and do not necessarily reflect the opinions of Microsoft.