Authentication: Who Are You and Why Are You Here?

Friday, July 29, 2011

Mike Meikle


I received an email from a journalist who wanted to discuss the trends in user Identification and Authentication as well as some best practices and prognostication.

Since my consulting tenure over the last 15 years has allowed for a broad exposure to these concepts, I felt I could provide some valuable commentary.

As a recap, my most recent clients had significant Identification and Authentication challenges.  

One was a Health Care client that focused on HIPAA, HITECH and PCI DSS compliance.  I was also providing guidance on security best practices and processes; both of these included effective identification and authentication at the client location.

At the same time, I worked with a Financial client where I was responsible for their eCommerce Single Sign-on and Multifactor Authentication solutions.  This included business process and practices alignment with Commercial and Consumer lines of business.  

Again this was a deep exposure to the concepts of user Identification and Authentication.

In your view what are some of your present concerns about Identification and Authentication management from the perspective of an IT manager?

The top concern regarding Identification and Authentication is the reliance on the antiquated User ID and password scheme.  Savvy social engineering techniques can gather User IDs. 

Passwords can be readily cracked due to the difficulty of enforcing proper password protocol.  Also, due to the increase in computing power, most passwords can be cracked via brute force.
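The two weaknesses named above, passwords that fall outside policy and passwords that are small enough to brute force, can both be checked at enrollment time. The following is an added example, not code from the original post: a policy check that counts character classes, screens a constructed list of common passwords (a real deployment would use a large breach-derived list), and estimates how long an exhaustive search would take at an assumed offline guess rate, so an administrator can see why a short all-lowercase password fails even when it is "unique".

```python
import string

# Constructed sample of common passwords for the demo; a production check
# would consult a much larger list of leaked passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "password1"}


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must search, inferred from the
    character classes actually present in the password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def character_classes(pw: str) -> int:
    """Number of distinct character classes (lower, upper, digit, symbol)."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def brute_force_seconds(pw: str, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace the password lives in.
    guesses_per_second is an assumption about the attacker's offline rig."""
    return charset_size(pw) ** len(pw) / guesses_per_second


def check_policy(pw: str, min_length: int = 12, min_classes: int = 3) -> list:
    """Return a list of policy violations; an empty list means the password
    passes. The thresholds are illustrative, not a standard."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(pw) < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    return problems


if __name__ == "__main__":
    # Assumed offline cracking rate for a fast unsalted hash: 1e9 guesses/s.
    for candidate in ["Password1", "abcdefgh", "correct-Horse7battery"]:
        secs = brute_force_seconds(candidate, 1e9)
        print(f"{candidate!r}: {check_policy(candidate) or 'OK'}; "
              f"exhaustive search <= {secs:,.0f} s")
```

The estimate deliberately assumes the attacker works offline against a fast hash; slowing the hash (bcrypt, scrypt, PBKDF2 with a high iteration count) or rate-limiting online attempts lowers the achievable guess rate and is the mitigation the estimate argues for.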

Effective Identification and Authentication not only validates a user, but also the equipment assigned to that user.  Should users and equipment always be viewed together whenever developing an identification and authentication program or policy?

I believe it is a best practice to view users and equipment together as much as possible.  This will facilitate effective asset management, a key foundational practice for information security. However, there will be exceptions, such as kiosk computers in healthcare with multiple users.

Can you provide some perspective (and anecdotes if possible) on best practices in managing and setting Identification and Authentication plans and policies for end-users and equipment in an organization?

In order to have an effective Identification and Authentication regime within an organization there have to be several foundational policies in place.  These policies are technology agnostic. 

There are many technological solutions for Identification and Authentication; most are on par with one another.  The key issue is having the appropriate management and maintenance policies in place to ensure they are managed and supported effectively. 

Also, senior IT and business leadership have to support these solutions in total to ensure they remain effective.

One best practice is Asset Management.  If an organization does not know what it owns, where it is located, when it leaves or how it is supported, then all other security practices become superfluous. 

You may have robust network security, stringent password policies and a tightly locked down user environment, but if you don’t know what you own, both data and hardware, it is akin to having a bank vault door standing alone in a field.

A second key practice is to have a well-managed single sign-on solution in place.  Whatever technological solution is chosen, the appropriate policies and procedures have to be put into place to ensure the solution is well managed. 

In my past consulting experience, clients may have a state of the art single sign-on solution, but the management and maintenance of the system is haphazard.  The data within that system is therefore suspect and requires a tremendous effort to correct and normalize.

With a more mobile and dispersed workforce, do you see Identification and Authentication being an even greater concern looking forward? 

Yes, reliable Identification and Authentication will be a security linchpin for a mobile workforce.  With the consumerization trend gaining momentum in the corporate environment, organizations will have to tightly manage devices and ensure the data residing on them is protected.

Would you say that Authentication and Identification is one of the most important safeguards to maintain secure data?  Or is it only one gateway of many?

The combination of Identification and Authentication is a key component of data level protection & loss prevention.  There are other components of data protection (encryption, granular user permissions, internal and external data usage policies, etc.).

Looking forward 3-5 years, what will the trend in Identification and Authentication policies, plans, and management best practices be, in your view?

Since the consumerization trend is taking hold and growing in organizations, Identification and Authentication practices will have to adjust to mobile technology. 

Like corporate provided devices (blackberries, desktops and laptops) that were addressed in the past, new mobile devices (iOS, Android, Cisco) will have to conform to managed device standards.  This includes remote wipe, encryption, two-factor authentication, etc.

I cover this topic in far more detail in an ExecSense webinar entitled What CIOs Need to Know About Mobile Device Security, in which I discuss the most effective best practices and policies for chief information officers (CIOs) to manage their organizations’ mobile security risks.

One way to address Identification and Authentication with mobile devices is to stand up a Virtual Desktop Infrastructure (VDI) that pushes a secure remote desktop image to the device.  The user logs into a specific desktop image, the network connection is encrypted and the data is stored remotely on a corporate SAN. 

This will give the organization greater control of employee provided devices with the added benefit of providing a standardized image for employees to work from.  This also greatly reduces the risk of data being lost if the mobile device is stolen or misplaced, the most common means of data loss in the enterprise.

Also, two-factor authentication and identification will move beyond user ID and password and shift toward phone factor authentication.  With the advent of IPv6, this will provide an additional layer of authentication as well.

I’d like to hear your thoughts on this topic.  Please feel free to leave your comments below in order to add to the discussion!

Cross-posted from Musings of a Corporate Consigliere

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
