A Case for Expanding Stronger User Authentication: Executive Summary

Aberdeen Group’s analysis provides quantitative insights into making a business case for deploying stronger user authentication to an expanded user base.

Summary and Key Takeaways

• As Aberdeen Group described in its research report “IAM Beyond Control, Compliance and Cost: The Rise of the User”, enterprise identity and access management (IAM) systems are more than the technical means for control, compliance and cost efficiencies. It is also an enabler for the organisation’s users.
• Enterprise IAM systems are now being looked to with both unrewarded (e.g. protection) and rewarded (e.g. enablement) types of business risks. Both types of business risks are leading drivers for investments in IAM.
• For the modern enterprise, the rewarded risks of enablement, the unrewarded risks of protection, and regulatory compliance make stronger authentication a necessity.
• Aberdeen has developed a simple Monte Carlo model for the annualised risk of data breaches based on the estimates of five variables:
• The likelihood of experiencing a security incident
• The likelihood of experiencing a data breach
• The number of yearly data breaches
• The percentage of data breaches involving weak, stolen or compromised credentials
• The business impact of a data breach
• This simple model makes a conservative, understated estimate of the risk of the status quo because it addresses only the unrewarded risks of weaker authentication – i.e. not the business impact of non-compliance or the business impact of failing to enable users.
• In the private sector, based on a compromise of 100,000 to 1,0000,000 records, the median annualised business impact of data breaches as a result of weak authentication is about $370k.
• Estimating the value of an investment in stronger user authentication can be done by adding three variables to Aberdeen’s Monte Carlo model:
• The number of users to which stronger authentication will be deployed
• The percentage of data breaches involving stronger user authentication
• The annual cost per user for stronger user authentication
• In the private sector, based on a compromise of 100,000 to 1,0000,000 records, Aberdeen’s analysis shows that one-time passwords (OTP) result in a median reduction in the risk of data breaches of about 90%.
• Aberdeen’s quantitative analysis demonstrates how traditional economic ceilings for stronger authentication are changing.
• The selection of user authentication involves making trade-offs in three high-level areas:
• Total cost of ownership
• Fit for users
• Fit for the organisation
• Aberdeen’s Monte Carlo models use Microsoft Excel and include simple dropdown menus to allow customisation by industry, number of employees and number of records.

AFTERWORD

Aberdeen Group has been an international research partner of Nebula since 2010.  With thousands of research documents, growing daily, Aberdeen’s research library helps enterprises and service providers discover the priorities and strategies of best-in-class enterprises.

Besides Nebula’s insight and research services, we also provide services to help large enterprises assess, optimise and manage their enterprise ICT environments.

Should you be interested in finding out more about Nebula’s services or discussing this research, please send us an email indicating your requirements to ContactUs@nebula.co.za.