Authentication Best Practices for 2013
Proven tactics, tips and best practices for enterprise
Page 1 of 14
Contents
Cloud Identity Management as a Service: Not quite ready for prime time
Intro to two-factor authentication in Web authentication scenarios
Two-factor authentication options, use cases and best practices
Industry experts Jonathan Hassell and Ajay Kumar take a deep dive into the murky waters of identity management and authentication to explore whether the newest kid on the block, cloud identity management, is ready for prime time, and also provide a comprehensive introduction and best practices for two-factor authentication.
Cloud Identity Management as a Service: Not quite ready for prime time
Jonathan Hassell
As the cloud becomes more vital for CIOs, there exists another problem -- or,
shall we say, a challenge -- that needs to be addressed: cloud identity
management. How can we verify that users are who they say they are, how
do we authorize them to use services, and how can we account for their
activities once they've been authenticated and authorized?
Dealing with identity on-premises is difficult enough. You have generally
disparate systems. Years ago, the big push was to enable your host
integration service to talk to Novell Directory Services, while your accounting
or payroll system utilized NDS as well. Such integration makes user
provisioning simple when employees come and go. It also makes security
policy application more consistent and enables complete control over
monitoring and auditing controls. The integration was made possible with
protocols like Lightweight Directory Access Protocol and the use of central
directory services like Active Directory. Those protocols and serious
investments each made more efficient use of centralized user information in
the private data center.
Get ready to reinvent the wheel when it comes to the movement to cloud-
based computing. Cloud identity management presents an entirely new set of
challenges. Why? There are a couple of reasons. First, different providers
have different internal systems. Imagine that you're considering purchasing a
cloud-based CRM solution. If you've already migrated your email and
calendaring groupware solution to a cloud provider, how do you integrate
identities among these providers? User conveniences like password
integration and single sign-on might not be possible with disparate providers.
You may also have trouble with logging and service support and
provisioning. Maintaining a single identity among different providers using
different systems can be challenging, to say the least.
The other reason involves compliance and auditing. Just think about how
you're handling your on-premises data center now. How do you fulfill compliance
requirements for your regulators, financial institutions and business partners?
What is the impact of identity across all of your business systems? How will
you know who can do what? Cloud-based computing magnifies these
obstacles, but with the added complexity of different user interfaces,
reporting platforms, data security and geographical residency attributes.
Some vendors have an eye toward integrating identities across various
providers. You may have already seen this with popular social networking
sites as the bedrock: Many upstart cloud providers and consumer service
providers allow users to create accounts and be authenticated using Twitter,
Facebook, LinkedIn and other sites. Obviously, enterprise and business
corporate customers are not going to be interested in forming the basis of
their online identity systems using Facebook accounts, but this is an area
that CIOs should watch in coming years.
The future of Cloud Identity as a Service
As the coming years unfold, you'll see an increase in the utility of Federation
as a Service. Organizations -- in particular, larger corporate customers -- will
decide that given the current state of affairs, they should become the service
providers for identity: authentication, authorization and accounting.
Businesses will invest in systems that allow users to federate their identities
among on-premises systems, mainframes that are still in use as line-of-
business applications, and cloud services -- in effect, reversing the roles of
customer and provider. Businesses of all sizes will demand of their cloud
providers the ability to consume identity information from their on-premises
directory services. "Being their own customers" allows midmarket companies
to solve challenges in several ways.
First, they will maintain the ultimate control of identity centrally, and permit
services to consume the information necessary to provide services on an ad
hoc basis. Companies will also keep data safeguarded within the confines of
the corporate network, and allow services to get only "yes or no" information
from the on-premises federation service. They will also enable smoother
rollout of other cloud-based services by exposing standardized application
programming interfaces that those services can consume, and then
authorizations that those services can exchange with others. Finally, by
adopting this method, they will permit assurance that regulatory and
compliance requirements are still being met. The customer is still in control of
authorization and accounting, as well as ensuring that the appropriate
logging is taking place and ensuring full transparency.
All in all, don't jump into cloud identity management anytime soon. Identity
Management as a Service is not ready for prime time. Instead, look for ways
to expose your current identity services through federation, and then push
cloud-based service vendors to consume that information from your on-
premises resources.
About the author
Jonathan Hassell is president of 82 Ventures LLC. He's an author, consultant
and speaker in Charlotte, N.C. Hassell's books include RADIUS, Learning
Windows Server 2003, Hardening Windows and, most recently, Windows
Vista: Beyond the Manual. Contact him at [email protected].
Intro to two-factor authentication in Web authentication scenarios
Ajay Kumar
Recently Apple joined a growing number of major consumer brands like
Facebook, Google, Microsoft and PayPal in offering two-factor authentication
(2FA) to help customers better secure their user accounts against hacking.
For Apple Inc., the new feature is designed to block unauthorized changes to
iCloud or iTunes accounts and prevent attackers who steal Apple IDs from
making purchases using the credit cards stored in customers' iTunes and
Apple store accounts.
While most information security professionals are quite familiar with the
concept of two-factor Web authentication, for those who aren't, it is a more
rigorous and complex method of authenticating an account than with a
simple password-only process. In this tip, we'll examine the benefits,
challenges and technical considerations of implementing two-factor
authentication in a consumer-facing website environment.
An introduction to two-factor authentication
A password is inherently weak. It can easily be lost or forgotten; many people
write their passwords down where they can be seen by others; some use the
same password over and over or use weak passwords that can be easily
guessed.
Two-factor Web authentication addresses this weakness. A
password is one of two necessary authentication factors that must be
provided before access is granted. All 2FA systems are based on two of
three possible factors: a knowledge factor (something the user knows, like a
password), a possession factor (something the user has, like a token; more
on that below), and an inherence factor (something the user is, such as a
fingerprint). In this scenario, even if a malicious party obtains a person's
password, he or she would not be able to provide the relevant second
element needed to complete the authentication process. This lowers risk and
the potential for unscrupulous behavior, as a compromised password alone
is not enough to compromise the authentication system.
In the enterprise, two-factor Web authentication systems rely on hardware-
based security tokens that generate passcodes; these passcodes or PINs
are valid for about 60 seconds and must be entered along with a password.
In a consumer-oriented Web-based environment, it's cost-prohibitive for a
service provider to distribute physical tokens to each and every individual
user.
Instead, most websites ask users to undergo a one-time registration process
during which users register one or more of their mobile devices with the
website provider. This is a trusted device under the users' control that can
receive a verification code via SMS or another means to verify the user's
identity.
Any time a user signs into the website, a passcode is sent to the registered
device. The user must enter the password and verification code to fully sign
in and use the services.
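The registered-device flow just described, as an added example that is not code from the e-guide or any vendor: the site stores a trusted device at enrollment, sends a one-time code to it after the password step, and accepts that code only once, before it expires and within a small number of attempts. The five-minute lifetime, three-attempt limit and the injected `send` callback (SMS, voice or push) are assumptions.

```python
import secrets
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed illustration of a consumer-site second-factor flow; the
# constants below are assumptions, not values from the e-guide.
CODE_TTL_SECONDS = 300   # assumption: a delivered code is valid for five minutes
MAX_ATTEMPTS = 3         # assumption: three wrong entries invalidate the code
CODE_DIGITS = 6


@dataclass
class Challenge:
    code: str
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


@dataclass
class Account:
    username: str
    registered_device: Optional[str] = None   # e.g. phone number for SMS delivery
    pending: Optional[Challenge] = None


def register_device(account: Account, device: str) -> None:
    """One-time registration of the user's trusted device (done while logged in)."""
    account.registered_device = device


def start_second_factor(account: Account, send: Callable[[str, str], None],
                        now: Optional[float] = None) -> bool:
    """Called after the password check succeeds; sends a fresh code to the device."""
    if account.registered_device is None:
        return False                          # no enrolled device: 2FA is impossible
    now = time.time() if now is None else now
    # CSPRNG-generated code; never derived from the user name or the clock.
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    account.pending = Challenge(code=code, expires_at=now + CODE_TTL_SECONDS)
    send(account.registered_device, code)     # delivery channel is injected
    return True


def verify_second_factor(account: Account, submitted: str,
                         now: Optional[float] = None) -> bool:
    """Returns True exactly once for the correct, unexpired code; otherwise False."""
    now = time.time() if now is None else now
    chal = account.pending
    if chal is None:
        return False
    if now > chal.expires_at:
        account.pending = None                # expired: user must request a new code
        return False
    if not hmac.compare_digest(chal.code, submitted):
        chal.attempts_left -= 1
        if chal.attempts_left <= 0:
            account.pending = None            # too many guesses: invalidate the code
        return False
    account.pending = None                    # consume the code so it cannot be replayed
    return True
```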
2FA Web authentication: Challenges and considerations
In consumer-oriented environments, the challenge lies in complexity: consumers
have access to more than one service from the same provider, and each requires
seamless and secure transactions. If the second authentication factor is not
itself secure, it is not worth implementing at any cost. It is therefore a
critical and challenging requirement that the 2FA system be protected so that
an attacker cannot reach it and compromise its integrity.
Further, it's difficult to integrate two-factor authentication seamlessly with an
entire service portfolio or set of Web products. It requires the website and
product development teams to understand changing consumer needs and
business scenarios so that increased customer security doesn't negatively
affect sales, registrations or other metrics of business success.
Another challenge is interoperability; every organization does business with
other organizations, and users or consumers access other providers'
services. So interoperability becomes an important challenge to address
while implementing the 2FA. This involves considerations such as whether to
buy or build a 2FA product that is based on an industry standard (the
burgeoning FIDO Alliance is a compelling new option), and whether to plan
for interoperability with the authentication mechanisms offered by other major
Web brands, like Facebook or Google. Don't underestimate the challenge of
implementing an interoperable, user-friendly 2FA system that keeps
consumer account details secure.
Be sure to consider exception scenarios, such as a user who can't receive a
text message while traveling overseas. The solution might be an app for
smartphones, tablets or laptops that can generate security codes on its own,
with simple steps to set up the app before the trip begins.
Web 2FA costs
The costs associated with planning, procuring, deploying and supporting a
Web authentication system must be considered early on. There are one-time
development and deployment costs, including the
development/customization, installation and configuration of the system, and
the cost of customization and integrating it with other applications. There are
also ongoing system infrastructure costs for hosting the system.
Finally, factor in support costs for ongoing support and administration of a
2FA solution, including helpdesk staff members who can help consumers
resolve their issues in a timely fashion.
To lower costs, organizations can subscribe to SaaS security vendors that
provide a two-factor authentication service for combining cloud-based
delivery and self-service administration with flexible authentication methods
with low per-user costs. They are also easy to provision and inexpensive to
maintain.
Every Web service provider should consider using two-factor authentication --
or begin moving Web authentication strategies in that direction -- to better
secure the online services they provide and the safety of consumer data and
account details.
About the author:
Ajay Kumar is an information security manager who has worked for a decade
in the information security and risk management domain and has expertise in
infrastructure security, identity and access management, threat and
vulnerability management, data protection and privacy, cloud security and
mobile security. He specializes in the planning, design and implementation of
the security services and systems required to protect the confidentiality,
integrity, privacy and authenticity of the information stored in enterprise
environments. Ajay can be reached at [email protected].
Two-factor authentication options, use cases and best practices
Ajay Kumar
It's becoming increasingly obvious that security programs that are reliant on
single-factor password-based authentication systems are doomed to fail. As
Verizon noted in its 2013 Data Breach Investigations Report, the use of
something other than a single-factor username-password credential would
have likely thwarted 80% of the hacking attacks reported last year. Yet many
enterprises still don't use multifactor authentication.
With that in mind, let's look at two-factor authentication -- options offered by
technology providers and how to make a strong business case for
enterprises to implement it as part of a comprehensive enterprise security
strategy.
While many vendors have similar technology, they all come with their own
pros and cons. For example, a vendor with mature offerings may have
proprietary authentication methods and a software development kit (SDK)
that allows it to plug into enterprise applications or vendor applications.
Others may focus on one or a few well known authentication methods such
as one-time password (OTP) tokens and out-of-band (OOB) authentication
methods.
Use cases for two-factor authentication
Enterprise IT systems provide specific capabilities to specific users; for
example, the tasks performed by a system administrator differ from those a
security analyst or financial analyst performs. Authentication is a critical
business process that connects users to applications and other resources
without exposing data and processes to which users aren't authorized.
In today's complex and cloud computing age, enterprises can adopt a two-
factor authentication option to support one or more use cases to better
protect enterprise assets and business data against unauthorized access.
Those use cases include the following:
1. Internal or local access: Employee access to critical business or
cloud-based applications, and/or administrator access to corporate
servers and network devices.
2. External or remote access: Remote or mobile employee access to
the corporate backend systems via the VPN or portal access.
3. Common network entry points: Between the public
network/Internet and the internal corporate network, facilitating
secure access to enterprise services like email or the VPN.
Two-factor authentication options
2FA as a technology has matured in recent years, and technology costs have
gone down significantly. Thanks to enhancements in the technology, employees
no longer need to carry a cumbersome token device with them. The simple
mobile device every employee carries today can be used as the second
authentication factor, receiving the secure authentication code in place of a
token, to protect enterprise assets from attackers.
Some major two-factor authentication vendors are Entrust, RSA, SafeNet
and Symantec; all offer established, broad technology options and a range of
viable use cases for enterprises.
RSA, the security division of EMC Corp., has its well-known brand of RSA
SecurID one-time password hardware and software-based tokens. In addition,
it offers adaptive authentication, which large enterprises use to take
advantage of contextual authentication and adaptive access control
capabilities. Identity verification, another option, is a managed service that
offers identity proofing with validation based on end users' life-history
questions and uses interactive user authentication processes. Most of its
competitors sell similar products.
The cost of implementing 2FA depends on the scenario: the industry vertical,
the size of the enterprise, the usage pattern, user geography, helpdesk
presence and the sensitivity of the business or data. For large financial and
retail banking verticals it would cost between approximately $65,000 and
$2 million.
An example of a newer but established type of 2FA is the one offered by
PhoneFactor (now owned by Microsoft). PhoneFactor leverages the user's
existing phone in lieu of a token or other dedicated 2FA device; it's
convenient for users and is a cost-effective, secure platform for enterprises.
During the first step of the authentication process, the user must enter his
user name and password. In the second step, the user can choose one of these
methods: a) PhoneFactor calls the user, and the user simply answers by
pressing # on the phone keypad; b) PhoneFactor sends a text message
containing the passcode, and the user replies to the text message with the
passcode; c) PhoneFactor pushes a notification to the PhoneFactor app on the
user's smartphone, and the user just taps "authenticate" in the app to
complete the authentication process. For small organizations (up to 25
users), the vendor offers a free version.
Considerations in selecting a two-factor authentication product
Two-factor authentication technology helps enterprises protect user
credentials and reduces the number of incidents related to unauthorized
access and theft of credentials in the corporate environment. In addition, it
brings the enterprise in compliance with the regulatory standards and meets
the compliance requirements. For example, PCI DSS 8.3 reads, "Incorporate
two-factor authentication for remote access to the network by employees,
administrators and third parties."
Not all enterprises must be PCI compliant, but the PCI DSS is considered a
baseline set of requirements, so organizations that don't already have a 2FA
strategy in place would be wise to begin the process, which of course
includes evaluating vendor technology.
Organizations should consider the recommendations listed here while
identifying their 2FA needs and plan the project accordingly.
Understand the corporate IT environment -- This includes understanding the
technology landscape used inside and outside the enterprise to access
information or data, and knowing how IT policies are enforced and what
protections are in place. For example, are employees allowed to access
corporate information through mobile devices? Is the enterprise using SaaS
applications, and do the SaaS providers support 2FA security measures to
protect the data?
Find the target users -- Is 2FA considered only for selected business units
like sales or marketing, or for remote workers and partners as well? In
general, most organizations only offer 2FA for VPN access. Limit the
implementation, at least in the early stages, to specific use cases.
Adopt a risk-based approach -- Most organizations today implement a
technology if it will help reduce risk. So when there isn't a clear scope or
group of target users, offer 2FA only to users who access business-critical
information or intellectual property, whether the user is an employee or a
third party and whether the information is accessed from within the corporate
network or from a remote location.
Avoid unnecessary cost and complexity -- The overall cost of the
implementation can vary vendor to vendor depending on the size
and requirements of the enterprise. Take into account the number of
users, office locations, the global presence of the enterprise, plus
support and help desk coverage factors when determining the cost.
Two-factor authentication implementation challenges
Two-factor authentication is not easy to implement. For instance, security
firm Duo Security recently reported a serious flaw in Google's two-step login
process. The problem, which was soon fixed, stemmed from how Google applied
the feature across its many services. Even for one of the Internet's giants,
the technology was solid but the implementation was flawed.
To be clear, such a broad undertaking like 2FA is bound to have
complications in any organization. But the lesson is that while implementing a
single, secure infrastructure-wide two-factor authentication platform is not
without stumbling blocks, being aware of likely problems before you begin
can help lessen the effects.
For example, legacy software and services must often be reworked to handle
2FA or may require an authentication framework that could be used among
different in-house or outsourced tools to support the two-factor authentication
enterprisewide. Sometimes it becomes clear that the two-factor
authentication framework selected simply requires too much customization,
something that can be difficult to determine until software architects actually
get to work on integration aspects of the implementation.
Two-factor authentication will likely be seen by users as a hassle. They may
find it tedious to have a trusted device or hardware token with them at all
times in order to log in. So some authentication scenarios may require an
option for users to skip two-factor authentication for frequently accessed
systems.
These and other pain points of a two-factor authentication implementation
may be eased with the following measures:
Select a factor that fits enterprise needs. The options include
hardware-/software-based tokens or sending SMS messages to
smartphones. Enterprises that are geographically centralized will
appreciate physical tokens, while others with a constantly moving
workforce may wish to use software-based tokens or mobile options.
Consider implementing a phased approach. Abrupt, enterprisewide cutovers
don't make anyone happy. Application and system owners may find it easier to
migrate everyone in one go, but that creates a nightmare for end users and
the help desk staff members who have to support and address the issues that
occur during the migration. It could drive up the project cost too.
Provide sufficient user support. Getting the back-end server
components installed and configured takes a while, and integrating
and testing applications takes time too. Self-service, sufficient
training and a well-staffed helpdesk and support team will be
essential to get users accustomed to the technology and able to
successfully navigate through the transition period.
Two-factor authentication is becoming an essential element of modern
enterprise IT security programs, yet it remains complex and difficult to
understand, implement and manage. Organizations must understand that
traditional and inherently weak password-only authentication mechanisms
may no longer serve as an adequate security control. Furthermore, amid
today's threat landscape, it's apparent that two-factor authentication is
necessary in order to keep unauthorized users from obtaining access into
key corporate systems and keep persistent, sophisticated attackers at bay.