For DataPipe, a privately held Web hosting and IT outsourcing company, the threats of cybertheft and hacker attacks are more than just a concern–they represent major potential liabilities. The computer servers at the Hoboken, N.J.-based company traffic in huge amounts of private data from corporate clients–everything from e-commerce transactions to medical records. A single server may host Web pages or e-mail for several companies, so a wily hacker could compromise several clients in one shot.
While DataPipe uses several layers of security to guard against intruders, the one that it considers among its most effective involves two-factor authentication, which requires a second passcode or device, in addition to a more conventional secret personal identification number (PIN), to allow a user onto a system.
At DataPipe, whenever an employee tries to enter a secure server, the system requires the use of a physical token, a small plastic device with a screen display that flashes a password or code needed to enter. But unlike standard ATM cards, the tokens–supplied by Secure Computing Corp.–flash a new password every time they’re used, making it much harder for an outside attacker to crack the code. “We want the highest level of security we could possibly have at a reasonable cost,” says Joel Friedman, DataPipe’s chief security officer. “With a one-time password, every time [a hacker] takes a guess, it’s changed again. It’s like a moving target. You can’t exhaust the combinations because they keep changing.”
Besides tokens, vendors also use smart cards and even cell phones to trigger access. The point behind the technology: A mislaid or stolen PIN would not, on its own, give a hacker entry.
Two-factor authentication is already widely used by large banks with their corporate treasury clients, and for the last several years, many companies have used some form of two-factor authentication for employees accessing their systems remotely. But recent hacker attacks on sensitive data at ChoicePoint, Lexis-Nexis and others have raised fresh concerns that companies may need to rethink their data security procedures, and vendors like Secure Computing are seeing a new market emerge. “You don’t have to be a bank to have sensitive data in your computers,” says Susan Feinberg, a senior analyst at TowerGroup Inc. “Every company has sensitive employee data like Social Security numbers, payroll information and sensitive information of a competitive nature.”
The question for the budget-minded CFO is whether the benefits of a broad two-factor rollout are worth the considerable cost. Tokens used by DataPipe cost between $75 and $100 each, depending on the size of the installation and features. “Companies are comfortable with the cost and relatively minor inconvenience for a remote employee or bank partner or business partner, but if you’re looking at it for all employees, that’s different,” says Jay Goldlist, vice president and general manager of the enterprise security division of Secure Computing.
Two-factor systems have limitations, however. First, they require employees to carry yet another card or device. For this reason, some companies have combined the system smart card with the company ID. Two-factor devices also won’t solve every security issue. “Two factor is a good way to go, but it doesn’t protect against the disgruntled employee [with access],” says Avivah Litan, head of research at Gartner Inc. “Two factor needs to be augmented by back-end pattern detection software.” That, of course, will only add to the cost.