
Authentication Best Practices for 2013
Proven tactics, tips and best practices for enterprise
Source: cdn.ttgtmedia.com/searchSecurity/downloads/E-Guide_User... (2013-10-04)


Contents

Cloud Identity Management as a Service: Not quite ready for prime time

Intro to two-factor authentication in Web authentication scenarios

Two-factor authentication options, use cases and best practices

Industry experts Jonathan Hassel and Ajay Kumar take a deep dive into the murky waters of identity management and authentication to explore whether the newest kid on the block, cloud identity management, is ready for prime time, and also provide a comprehensive introduction and best practices for two-factor authentication.

Cloud Identity Management as a Service: Not quite ready for prime time
By Jonathan Hassell

As the cloud becomes more vital for CIOs, there exists another problem -- or, shall we say, a challenge -- that needs to be addressed: cloud identity management. How can we verify that users are who they say they are, how do we authorize them to use services, and how can we account for their activities once they've been authenticated and authorized?

Dealing with identity on-premises is difficult enough. You generally have disparate systems. Years ago, the big push was to enable your host integration service to talk to Novell Directory Services, while your accounting or payroll system utilized NDS as well. Such integration makes user provisioning simple when employees come and go. It also makes security policy application more consistent and enables complete control over monitoring and auditing controls. The integration was made possible with protocols like Lightweight Directory Access Protocol and the use of central directory services like Active Directory. Those protocols and serious investments each made more efficient use of centralized user information in the private data center.

Get ready to reinvent the wheel when it comes to the movement to cloud-based computing. Cloud identity management presents an entirely new set of challenges. Why? There are a couple of reasons. First, different providers have different internal systems. Imagine that you're considering purchasing a cloud-based CRM solution. If you've already migrated your email and calendaring groupware solution to a cloud provider, how do you integrate identities among these providers? User conveniences like password integration and single sign-on might not be possible with disparate providers. You may also have trouble with logging, service support and provisioning. Maintaining a single identity among different providers using different systems can be challenging, to say the least.

The other reason involves compliance and auditing. Just think about how you're handling your on-premises data center now. How do you fulfill compliance requirements for your regulators, financial institutions and business partners? What is the impact of identity across all of your business systems? How will you know who can do what? Cloud-based computing magnifies these obstacles and adds the complexity of different user interfaces, reporting platforms, data security and geographical residency attributes.

Some vendors have an eye toward integrating identities across various providers. You may have already seen this with popular social networking sites as the bedrock: Many upstart cloud providers and consumer service providers allow users to create accounts and be authenticated using Twitter, Facebook, LinkedIn and other sites. Obviously, enterprise and corporate business customers are not going to be interested in forming the basis of their online identity systems using Facebook accounts, but this is an area that CIOs should watch in coming years.

The future of Cloud Identity as a Service

As the coming years unfold, you'll see an increase in the utility of Federation as a Service. Organizations -- in particular, larger corporate customers -- will decide that, given the current state of affairs, they should become the service providers for identity: authentication, authorization and accounting. Businesses will invest in systems that allow users to federate their identities among on-premises systems, mainframes that are still in use as line-of-business applications, and cloud services -- in effect, reversing the roles of customer and provider. Businesses of all sizes will demand of their cloud providers the ability to consume identity information from their on-premises directory services. "Being their own customers" allows midmarket companies to solve challenges in several ways.

First, they will maintain ultimate control of identity centrally, and permit services to consume the information necessary to provide services on an ad hoc basis. Companies will also keep data safeguarded within the confines of the corporate network, and allow services to get only "yes or no" information from the on-premises federation service. They will also enable smoother rollout of other cloud-based services by exposing standardized application programming interfaces that those services can consume, and then authorizations that those services can exchange with others. Finally, by adopting this method, they will gain assurance that regulatory and compliance requirements are still being met. The customer remains in control of authorization and accounting, as well as ensuring that the appropriate logging is taking place and ensuring full transparency.

All in all, don't jump into cloud identity management anytime soon. Identity Management as a Service is not ready for prime time. Instead, look for ways to expose your current identity services through federation, and then push cloud-based service vendors to consume that information from your on-premises resources.

About the author
Jonathan Hassell is president of 82 Ventures LLC. He's an author, consultant and speaker in Charlotte, N.C. Hassell's books include RADIUS, Learning Windows Server 2003, Hardening Windows and, most recently, Windows Vista: Beyond the Manual. Contact him at [email protected].


Intro to two-factor authentication in Web authentication scenarios
By Ajay Kumar

Recently Apple joined a growing number of major consumer brands like Facebook, Google, Microsoft and PayPal in offering two-factor authentication (2FA) to help customers better secure their user accounts against hacking. For Apple Inc., the new feature is designed to block unauthorized changes to iCloud or iTunes accounts and prevent attackers who steal Apple IDs from making purchases using the credit cards stored in customers' iTunes and Apple Store accounts.

While most information security professionals are quite familiar with the concept of two-factor Web authentication, for those who aren't, it is a more rigorous and complex method of authenticating an account than a simple password-only process. In this tip, we'll examine the benefits, challenges and technical considerations of implementing two-factor authentication in a consumer-facing website environment.

An introduction to two-factor authentication

A password is inherently weak. It can easily be lost or forgotten; many people write their passwords down where they can be seen by others; some use the same password over and over or use weak passwords that can be easily guessed.

The use of two-factor Web authentication ensures that a password alone is never enough to get in. The password is one of two necessary authentication factors that must be provided before access is granted. All 2FA systems are based on two of three possible factors: a knowledge factor (something the user knows, like a password), a possession factor (something the user has, like a token; more on that below), and an inherence factor (something the user is, such as a fingerprint). In this scenario, even if a malicious party obtains a person's password, he or she would not be able to provide the relevant second element needed to complete the authentication process. This lowers risk and the potential for unscrupulous behavior, as a compromised password alone is not enough to compromise the authentication system.

In the enterprise, two-factor Web authentication systems rely on hardware-based security tokens that generate passcodes; these passcodes or PINs are valid for about 60 seconds and must be entered along with a password. In a consumer-oriented Web-based environment, it's cost-prohibitive for a service provider to distribute physical tokens to each and every individual user.

Instead, most websites ask users to undergo a one-time registration process during which they register one or more of their mobile devices with the website provider. This is a trusted device under the user's control that can receive a verification code via SMS or another means to verify the user's identity.

Any time a user signs into the website, a passcode is sent to the registered device. The user must enter the password and verification code to fully sign in and use the services.

2FA Web authentication: Challenges and considerations

In consumer-oriented environments, the challenge lies in complexity: consumers have access to more than one service from the service provider, and each requires seamless and secure transactions. If the second factor of authentication is not itself secure, then it's not worth implementing at any cost. Thus it is a critical and challenging requirement that the 2FA system be protected in such a way that an attacker cannot get to it and compromise its integrity.

Further, it's difficult to integrate two-factor authentication seamlessly with an entire service portfolio or set of Web products. It requires the website and product development teams to understand changing consumer needs and business scenarios so that increased customer security doesn't negatively affect sales, registrations or other metrics of business success.

Another challenge is interoperability; every organization does business with other organizations, and users or consumers access other providers' services. So interoperability becomes an important challenge to address while implementing 2FA. This involves considerations such as whether to buy or build a 2FA product that is based on an industry standard (the burgeoning FIDO Alliance is a compelling new option), and whether to plan for interoperability with the authentication mechanisms offered by other major Web brands, like Facebook or Google. Don't underestimate the challenge of implementing an interoperable, user-friendly 2FA system that keeps consumer account details secure.

Be sure to consider exception scenarios, such as when a user can't receive a text message while traveling overseas. The solution might be an app for smartphones, tablets or laptops that can generate security codes on its own, with simple steps to set up the app before the user starts traveling.

Web 2FA costs

The costs associated with planning, procuring, deploying and supporting a Web authentication system must be considered early on. There are one-time development and deployment costs, including the development/customization, installation and configuration of the system, and the cost of customizing it and integrating it with other applications. There are also ongoing system infrastructure costs for hosting the system.

Finally, factor in support costs for ongoing support and administration of a 2FA solution, including helpdesk staff members who can help consumers resolve their issues in a timely fashion.

To lower costs, organizations can subscribe to SaaS security vendors that provide a two-factor authentication service combining cloud-based delivery and self-service administration with flexible authentication methods at low per-user costs. Such services are also easy to provision and inexpensive to maintain.

Every Web service provider should consider using two-factor authentication -- or begin moving Web authentication strategies in that direction -- to better secure the online services they provide and the safety of consumer data and account details.

About the author
Ajay Kumar is an information security manager who has worked for a decade in the information security and risk management domain and has expertise in infrastructure security, identity and access management, threat and vulnerability management, data protection and privacy, cloud security and mobile security. He specializes in the planning, design and implementation of the security services and systems required to protect the confidentiality, integrity, privacy and authenticity of the information stored in enterprise environments. Ajay can be reached at [email protected].

Two-factor authentication options, use cases and best practices
By Ajay Kumar

It's becoming increasingly obvious that security programs that rely on single-factor password-based authentication systems are doomed to fail. As Verizon noted in its 2013 Data Breach Investigations Report, the use of something other than a single-factor username-password credential would likely have thwarted 80% of the hacking attacks reported last year. Yet many enterprises still don't use multifactor authentication.

With that in mind, let's look at two-factor authentication -- the options offered by technology providers and how to make a strong business case for enterprises to implement it as part of a comprehensive enterprise security strategy.

While many vendors have similar technology, they all come with their own pros and cons. For example, a vendor with mature offerings may have proprietary authentication methods and a software development kit (SDK) that allows it to plug into enterprise applications or vendor applications. Others may focus on one or a few well-known authentication methods such as one-time password (OTP) tokens and out-of-band (OOB) authentication methods.

Use cases for two-factor authentication

Enterprise IT systems provide specific capabilities to specific users; for example, the tasks performed by a system administrator differ from those a security analyst or financial analyst performs. Authentication is a critical business process that connects users to applications and other resources without exposing data and processes to which users aren't authorized.

In today's complex, cloud computing age, enterprises can adopt a two-factor authentication option to support one or more use cases to better protect enterprise assets and business data against unauthorized access. Those use cases include the following:

1. Internal or local access: Employee access to critical business or cloud-based applications, and/or administrator access to corporate servers and network devices.

2. External or remote access: Remote or mobile employee access to corporate backend systems via the VPN or portal access.

3. Common network entry points: Between the public network/Internet and the internal corporate network, facilitating secure access to enterprise services like email or the VPN.

Two-factor authentication options

2FA as a technology has matured in recent years and technology costs have gone down significantly. With the evolutions and enhancements in the technology, employees no longer need to always carry a cumbersome token device with them. The simple mobile device carried by every employee today can be used as a second authentication factor to deliver the secure authentication code instead of a token, protecting enterprise assets from hackers or attackers.

Some major two-factor authentication vendors are Entrust, RSA, SafeNet and Symantec; all offer established, broad technology options and a range of viable use cases for enterprises.

RSA, the security division of EMC Corp., has its well-known brand of RSA SecurID one-time password hardware and software-based tokens. In addition, it offers adaptive authentication, which is used by large enterprises to take advantage of contextual authentication/adaptive access control capabilities. Identity verification, another option, is a managed service that offers identity proofing with validation based on end users' life-history questions and uses interactive user authentication processes. Most of its competitors sell similar products.

The implementation pricing of 2FA depends on the scenario: the industry vertical, the size of the enterprise, the usage pattern, user geography, helpdesk presence and the sensitivity of the business or data. It would cost between approximately $65,000 and $2 million for big financial and retail banking verticals.

An example of a newer but established type of 2FA is the one offered by PhoneFactor (now owned by Microsoft). PhoneFactor leverages the user's existing phone in lieu of a token or other dedicated 2FA device; it's convenient for users and is a cost-effective, secure platform for enterprises. During the first step of the authentication process, the user must enter his user name and password. In the second step, the user can choose one of these methods: a) PhoneFactor calls the user and the user simply answers by pressing # on the phone keypad; b) PhoneFactor sends out a text message containing the passcode and the user replies to the text message with the passcode; c) PhoneFactor pushes a notification to the PhoneFactor app on the user's smartphone and the user just taps "authenticate" in the app to complete the authentication process. For small organizations (up to 25 users), the vendor offers a free version.

Considerations in selecting a two-factor authentication product

Two-factor authentication technology helps enterprises protect user credentials and reduces the number of incidents related to unauthorized access and theft of credentials in the corporate environment. In addition, it helps bring the enterprise into compliance with regulatory standards and meets compliance requirements. For example, PCI DSS 8.3 reads, "Incorporate two-factor authentication for remote access to the network by employees, administrators and third parties."

Not all enterprises must be PCI compliant, but the PCI DSS is considered a baseline set of requirements, so organizations that don't already have a 2FA strategy in place would be wise to begin the process, which of course includes evaluating vendor technology.

Organizations should consider the recommendations listed here while identifying their 2FA needs and plan the project accordingly.

Understand the corporate IT environment -- This includes understanding the technology landscape used inside or outside the enterprise to access information or data, and knowing how the IT policies are enforced and what protections are in place. For example, are employees allowed to access corporate information through mobile devices? Is the enterprise using SaaS applications hosted by SaaS providers, and do the SaaS providers support 2FA security measures to protect the data?

Find the target users -- Is 2FA considered only for selected business units like sales or marketing departments, or for remote workers and partners as well? In general, most organizations only offer 2FA for VPN access. Limit the implementation, at least in the early stages, to specific use cases.

Adopt a risk-based approach -- Most organizations today implement a technology if it will help reduce risk. So, alternatively, when there isn't a clear scope or group of target users, offer 2FA only to users who access business-critical information or intellectual property, whether the user is an employee or third party and is accessing the information from within the corporate network or from a remote location.

Avoid unnecessary cost and complexity -- The overall cost of the implementation can vary from vendor to vendor depending on the size and requirements of the enterprise. Take into account the number of users, office locations, the global presence of the enterprise, plus support and help desk coverage factors when determining the cost.

Two-factor authentication implementation challenges

Two-factor authentication is not easy to implement. For instance, security firm Duo Security recently reported a serious flaw in Google's two-step login process. The problem, which was soon fixed, stemmed from Google applying the feature across its many services. Despite Google being one of the Internet's giants, while its technology was solid, its implementation was flawed.

To be clear, a broad undertaking like 2FA is bound to have complications in any organization. But the lesson is that while implementing a single, secure, infrastructure-wide two-factor authentication platform is not without stumbling blocks, being aware of likely problems before you begin can help lessen the effects.

For example, legacy software and services must often be reworked to handle 2FA, or may require an authentication framework that can be used among different in-house or outsourced tools to support two-factor authentication enterprisewide. Sometimes it becomes clear that the two-factor authentication framework selected simply requires too much customization, something that can be difficult to determine until software architects actually get to work on the integration aspects of the implementation.

Two-factor authentication will likely be seen by users as a hassle. They may find it tedious to have a trusted device or hardware token with them at all times in order to log in. So some authentication scenarios may require an option for users to skip two-factor authentication for frequently accessed systems.

These and other pain points of a two-factor authentication implementation may be eased with the following measures:

Select a factor that fits enterprise needs. The options include hardware-/software-based tokens or sending SMS messages to smartphones. Enterprises that are geographically centralized will appreciate physical tokens, while others with a constantly moving workforce may wish to use software-based tokens or mobile options.

Consider implementing a phased approach. Abrupt, enterprisewide cutovers don't make anyone happy. At the same time, application and system owners will find it easier to migrate everyone in a single go. But that just creates a nightmare for end users and help desk staff members who have to support and address the issues that occur during the migration. It could drive up the project cost too.

Provide sufficient user support. Getting the back-end server components installed and configured takes a while, and integrating and testing applications takes time too. Self-service, sufficient training and a well-staffed helpdesk and support team will be essential to get users accustomed to the technology and able to successfully navigate the transition period.

Two-factor authentication is becoming an essential element of modern enterprise IT security programs, yet it remains complex and difficult to understand, implement and manage. Organizations must understand that traditional and inherently weak password-only authentication mechanisms may no longer serve as an adequate security control. Furthermore, amid today's threat landscape, it's apparent that two-factor authentication is necessary in order to keep unauthorized users from obtaining access to key corporate systems and to keep persistent, sophisticated attackers at bay.
