Today, vast amounts of information are produced electronically and much of that information is extremely valuable—both to the individuals and organisations that produce it, as well as to those looking to intercept precious data such as personal details, intellectual property, and financial records. In order to prevent such groups getting their hands on data they shouldn't, controls are required over who has access to what data in the first place.

Among the most effective controls that organisations can use for countering unauthorised access to information is the use of stronger forms of authentication. Strong authentication has traditionally referred to the use of factors of assurance that are difficult to forge or steal, such as something a user has in their physical possession, for example a security token or card, or something that is unique to them, such as their fingerprint. More recently, new types of tokens have come onto the market that are software-based and can be installed on computers and mobile devices, such as smart phones. These provide the protection of strong authentication, as they also generate a one-time password as the second factor for gaining access to resources, but lower the costs and overheads involved in distributing hardware tokens.

Strong authentication technologies have been available for some time and have proved their worth in terms of ensuring security meets the most stringent of requirements, including their usage in finance and defence applications. However, they have generally been the preserve of large organisations that have the budget and resources at their disposal to implement server-based authentication systems that have been developed to provide the centralised management capabilities that are required for provisioning users with account credentials and the factors of assurance required.

But the issues surrounding data security apply as equally to small and medium (SMBs) organisations as they do to their larger counterparts. To cater to SMB needs, cloud-based managed authentication services have been developed. These services are hosted in secure data centres operated by a service provider, which brokers the access between a user and the network resources or web-based applications they need to access.

The beauty of such a service is that all administration and ongoing management are handled by the service provider, rather than the organisation. On signing up to the service, users are allocated a token and account credentials. If hardware tokens are required, the service provider distributes these to the users, although software tokens can be provided instantly. The user then connects to the service via a browser-based portal, where they enter their user name and the one-time password generated by the token. The user is then authenticated by the service, which provides the network interface to allow them access to the web-based application or organisational network that is being secured.

Such managed authentication services are licensed as subscriptions with pricing models linked to simple metrics such as number of users served, the range of services consumed, or the performance requirements for the application. In comparison to the traditional licence model used for software applications, a subscription model based around cloud services reduces the need for incurring upfront expense such as the purchasing of software licences and the hardware required on which to run the applications. The subscription also includes the service provider handling the distribution of authentication tokens and web-based facilities for users in order to lessen the burden on help desk services.

The simplicity and low upfront costs of subscribing to services provided in the cloud opens up the use of such services to a wider range of organisations that have previously lacked the budgets and resources required to deploy an in-house, server-based system. Such services provide organisations of all sizes with the benefits of access to services provisioned and managed by experts, backed up stringent service-level agreements that incorporate high levels of security and that guarantee service availability. Provided on a utility-based pricing model paid for as a monthly operating expense, they also provide greater flexibility in terms of how services are consumed, allowing organisations to scale up or down the number of users as required as circumstances change.

The benefits of managed authentication services and the continued evolution of strong authentication technologies are discussed in greater detail in a freely available report by Quocirca, commissioned by CRYPTOCard, that can be downloaded here: The evolution of strong authentication.