A view of the current state of enterprise authentication through a practical approach to balancing better security against access boundaries and compliance in a changing environment
by Tim Moses, Entrust
Enterprise authentication used to be simple: passwords for everyone, expensive tokens for a small number who work remotely. But today, authentication requirements are changing. While the demand for strong authentication has extended beyond traditional users, technologies are also emerging that present organizations with new opportunities to improve security, while reducing operating costs. Mobile or remote employees – the traditional user base for stronger authentication – are commonplace at all levels in all industries. When a limited community of users, with the same basic requirements, needed additional protection, a single authenticator such as tokens (though traditionally expensive and sometimes hard to manage) was a reasonable solution. But that small community of users who need more than password protection has ballooned.
The growth of mobile devices and smartcard technology is increasingly playing a role in the development of an organization’s security strategy. Mobile devices enable organizations to leverage a very flexible, convenient and low-cost method for authentication.
Organizations also can begin leveraging smartcard technology to consolidate two security environments: physical and logical access. These were once the responsibility of two distinct groups within a company; combining physical and logical access solutions gives organizations consolidated management, improved ROI and a total security view. By leveraging the platform approach, businesses can broaden their security deployment and provide flexibility for employees and partners while achieving operating efficiencies. Whether it’s a smartcard for physical and logical access, soft tokens on a mobile device, or a unique grid card for strong authentication to a VPN, organizations can consolidate all authentication processes with a single, proven solution.
Additional protection
When a limited community of users with the same basic requirements needed additional protection, a single authenticator such as tokens, though traditionally expensive and sometimes hard to manage, was a reasonable solution.
But today the authentication requirements of users within an organization may vary depending on a number of factors, including the level of security required, their usability needs and experience, and where and how they are accessing the network. Organizations are urged to consider the importance of a versatile authentication platform that offers a range of authentication options that can be matched to different users based on policy and risk assessment. This allows user identities to be verified via an authentication type that is appropriate for the transactions they conduct and any associated risk.
The growth of mobile devices is changing the landscape for enterprise authentication. A Forrester study highlighted that 48 percent of enterprises were planning to invest in mobile applications for their employees. While 70 percent of enterprises support BlackBerry devices, the iPhone and Android platforms are gradually establishing their mark – 29 percent of organizations now support the former, and 13 percent support the latter. And a survey by Morgan Stanley found that more than 50 percent of large enterprises expect to purchase tablets for employees in 2012.
As mobile devices are used increasingly to access corporate networks, enterprise authentication strategies must consider how users can strongly authenticate to the network with these devices. At the same time, the proliferation of such devices provides IT organizations with a simple platform for authentication, using soft tokens that can be deployed easily to a mobile device. This approach dramatically reduces the obstacles that have traditionally made enterprise-wide deployment of physical one-time-passcode (OTP) tokens impractical.
Secure access convergence
With the evolution of smartcard technology, enterprises can integrate two security environments – physical and logical access – to provide consolidated management, improved ROI and a total security view. Easy for the end-user and more efficient for organizations, this convergence enables everything from credentialing, secure access to facilities, strong authentication to desktops and network resources, and digital signature capabilities – all via a single smartcard credential. Comprehensive physical and logical access is secured by the use of digital certificates, public key infrastructure and a proven strong authentication platform. Some organizations require an end-to-end solution, which can include data capture, design, vetting, personalization, printing and issuance. The push toward coupling physical and logical access security not only consolidates efforts, it saves money and reduces the burden on end-users. This approach means there’s only one card to carry, one PIN to remember and only one process for authenticating users who “left their card at home.” End-user acceptance helps reduce cost and unburdens help desks.
A balancing act
The boundaries of the corporate network are being challenged as more employees need access wherever they are. Extranets, intranets, Web mail and now, more than ever, desktops need strong authentication as they are being accessed from beyond the boundaries of the corporate network. This increasing pressure to make more information available to employees anywhere, at any time, must be balanced with increasing pressure for corporate and regulatory compliance. From the PCI-DSS (Payment Card Industry Data Security Standard) to SOX (Sarbanes-Oxley Public Company Accounting and Investor Protection Act) and HIPAA (Health Insurance Portability and Accountability Act), most organizations have rolled out, or are rolling out, new practices to achieve regulatory compliance. Simple passwords, even for users operating exclusively internally, are no longer enough to prevent breaches, protect privacy and achieve compliance. Strong authentication must be deployed to a wider audience – efficiently and cost-effectively.
Looking at enterprise authentication as a whole, the flexibility to secure different users and their connectivity using different and appropriate authentication methods is critical. Using risk assessment and policy to determine when stronger security is required for access to resources with greater value allows authentication to be layered as needed. A versatile authentication platform used across VPN remote access, Microsoft desktop and Web implementations can provide a suitable, cost-effective and easier way to manage enterprise authentication – and can evolve as requirements change.
Authentication factors are independent ways to establish identity and privileges. They play a key role in helping to determine that you are who you say you are. Authentication methods can involve up to three factors: knowledge – something the user knows (password, PIN); possession – something the user has (ATM card, smart card); attribute – something the user is (biometric, fingerprint, retinal scan). Adding factors of authentication adds security and helps limit vulnerability to attacks. Properly designed and implemented strong authentication methods offer stronger breach prevention with minimal user impact.
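The two preceding paragraphs describe layering authentication by risk and policy, and counting factors by category. The following is an added example, not code from the article or from Entrust, of a policy check that maps presented authenticators to the three factor categories and decides whether they satisfy an assumed policy table for the access context; the method names, context fields and policy thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something the user knows"
    POSSESSION = "something the user has"
    INHERENCE = "something the user is"


# Assumed taxonomy: each authenticator method maps to exactly one factor category,
# following the article's examples (password/PIN, card/token, biometric).
METHOD_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "knowledge_questions": Factor.KNOWLEDGE,
    "otp_token": Factor.POSSESSION,
    "soft_token": Factor.POSSESSION,
    "grid_card": Factor.POSSESSION,
    "smart_card": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}


@dataclass(frozen=True)
class AccessContext:
    external: bool        # request originates outside the corporate network boundary
    resource_value: str   # "low", "medium" or "high" (assumed classification)
    regulated: bool       # resource is in scope for PCI-DSS, SOX or HIPAA


def distinct_factors(methods):
    """Return the set of factor categories covered by the presented methods."""
    unknown = [m for m in methods if m not in METHOD_FACTOR]
    if unknown:
        raise ValueError(f"unclassified authenticator(s): {unknown}")
    return {METHOD_FACTOR[m] for m in methods}


def policy_for(ctx):
    """Assumed policy table: (minimum distinct factors, categories that must be present)."""
    if ctx.resource_value == "high" or ctx.regulated:
        return 2, {Factor.POSSESSION}        # high value: require a credential the user holds
    if ctx.external or ctx.resource_value == "medium":
        return 2, set()                      # beyond the boundary: any two distinct factors
    return 1, set()                          # low-value, internal: a single factor suffices


def is_sufficient(ctx, methods):
    """True when the presented methods span enough distinct categories for the context.
    Two methods from the same category (password + security questions) still count as one."""
    present = distinct_factors(methods)
    minimum, must_include = policy_for(ctx)
    return len(present) >= minimum and must_include <= present
```

The point the check enforces is that stacking several knowledge methods never reaches two factors; only a second category does.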
Traditionally, organizations have relied on simple username and passwords, combined with business processes, to manage risk. Risks have significantly increased as mobile workforces access the corporate network from remote locations and identity attacks have become more common. Now, breaches occur more often, brands are impacted by fraud incidents and important regulations have been implemented to help protect users and information. These issues have made the necessity of multifactor authentication increasingly apparent.
Demystifying methods
As part of an identity-based security approach, the wide variety of authentication options available today can help increase security for specific activities and user communities. A number have proven themselves to be very effective for enterprise authentication, including physical tokens, security grid cards, soft tokens, digital certificates, smart cards and biometrics.
There are also several newer methods that are playing an increasing role in enterprise authentication: machine authentication, knowledge-based authentication, out-of-band authentication and IP geolocation.
When comparing authentication options, a solution that provides multifactor authentication methods from a single administration and management platform provides the most flexibility and allows organizations to match the appropriate authentication method with the user risk profile. It is crucial to assess key criteria when evaluating a versatile enterprise authentication solution:
- cost – there are two critical components: total cost of ownership and operating cost. Be sure to thoroughly evaluate both the up-front purchase costs and the costs over the lifetime of the deployment.
- usability – no matter what the authentication method or deployment plan, new authentication methods should not fundamentally change the way employees are accustomed to working. Choose a system that can follow existing user-interaction models and minimize additional technology knowledge.
- flexibility – invest in a platform with multiple authentication options that allow companies to match the authentication method to the risk profile of the user. Choose a platform that addresses all needs now and can grow and change over time.
- integration – authentication is one part of an identity-based security model. Choose a platform that is integrated with key enterprise applications, including: leading IPsec and SSL VPN remote-access vendors using the RADIUS standard to ensure rapid, consistent integration across remote-access products; the standard Microsoft Windows client; web services and leading applications.
- security leadership – choose a company that is an established security leader with a trusted reputation and focused dedication to assist.
- selection – ensuring that an organization selects the appropriate vendor for an enterprise will require an assessment of the vendor’s solution to determine if it is able to address individual authentication requirements now and as requirements change in the future.