Authentication - Enterprise Security
Today's enterprise environment is very different from the operating environment of ten to fifteen years ago. In those days, the enterprise operated behind a network firewall with only a handful of super users running the shipping, financial, human resource, manufacturing, payroll and customer sales systems. Compare that to today, where customers, business partners' employees, vendors, research partners, outsourced third parties and many employees are allowed into the enterprise, right into the heart of many applications and information systems. Further, they are often doing so while on the move, using wireless devices.
This has had a profound effect on enterprise security. While
the firewall is still important, it is only part of the enterprise
security model. A modern enterprise security strategy uses a
layered identity approach as the underpinnings of its security.
What is a layered identity strategy?
The foundation is a risk assessment model. Every enterprise system, application, information system, facility, building and room is assigned an enterprise risk level. The closer a user comes, digitally or physically, to a higher risk application or physical location, the stronger the authentication that is demanded.
Outer firewall and use of id and password:
The authentication strength required is also based on an assessment of the likely attacks. For example, consider the enterprise firewall and the use of ids and passwords for login.
In today's world, criminals can order, via the internet, custom designed malware that works against specific firewalls. The most insidious of these are rootkit attacks, where the software embeds itself in the kernel of the operating system. While most enterprise security managers and firewall vendors will claim their firewalls prevent these attacks, the practical reality is that the firewall is likely to be breached at one or more points in the future. Therefore, while keeping the firewall up to date with security patches as soon as they become available is strongly recommended, the enterprise must rate the risk of a successful attack against its outer firewall as highly likely.
Then consider the use of id and password. A wide variety of successful attack tools against ids and passwords is easily available to the criminal population, many of them legally purchased. These include hardware keyboard loggers and dictionary attack software that can generate 75 million passwords per minute on an average computer. Hardware keyboard loggers have been used successfully by high school students to obtain their teachers' and administrators' passwords, and by criminal gangs, who often use janitors to deploy these devices, in about 10 seconds, on targeted enterprise users' computers.
Additionally, software keyboard logger attacks delivered via malware are now very common. It is estimated that several thousand new types of malware will be created this year. Add to this the reality that criminals can now construct their own hardware devices to remotely record the sound of the office keyboard as the user types and then translate those sounds into characters. What was once in the realm of spy agencies is now in the public domain.
Finally, consider the social engineering attacks on passwords. It is often quite easy to use social engineering to obtain a user's id and password and then masquerade as the user.
If the enterprise security is compared to an arms race, the current
advantage at the outer edge of the enterprise firewall is with the
attacker. Therefore, the reliance by the enterprise on the
outer enterprise firewall and password authentication as the key
defence bastion must be significantly reduced.
THE AGE OF KEYBOARD ENTERED PASSWORDS IS DEAD.
Implementing a layered identity strategy:
This requires rethinking conventional enterprise strategies using layers of identity based defences.
For example, an enterprise may continue to use an id and password and, on success, allow the user beyond the outer firewall into the enterprise to access only low risk systems, applications and information. However, when the user then tries to digitally access a higher risk application, system or information system, the enterprise security systems will demand stronger authentication. This could take the form of digital certificates, security tokens, smart cards and biometrics. It could also take the form of transactional security: while the user may successfully use their id and password, the transaction security software would examine the IP address the user is coming in from, their geographic position, the time of day, the type of physical computer the user is using and their behavioural pattern. If any of these differ from the past, alarm bells may start ringing, resulting in the user being asked more personal questions, the action being stopped, or security and business managers being paged in real time.
Certain key positions within the enterprise, such as senior system administrators, will require much stronger authentication to log on to their system administration tools. Where the risk warrants it, financial transaction processes may use transaction security software and also require two authorized users, each authenticated with stronger authentication, to approve a financial transaction.
As the user drills towards higher and higher risk systems, applications and information systems, the authentication strength will increase. Additionally, if the user is coming into the system from a wireless device, what they are allowed to reach in the systems, applications and information systems will be different from what they would be allowed if they were inside the enterprise.
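The risk tiers, the transactional context checks and the wireless rule described above, as an added Python example that is not part of the original article. The three-step risk scale, the deviation checks against a user's past profile and the escalation rules (one anomaly asks more questions; more than one, or any anomaly on a top-tier resource, stops the action and pages staff) are assumptions made for this example, not something the article specifies.

```python
from dataclasses import dataclass

# Risk tiers and the credential each tier demands. The three-step scale is constructed
# for this example; the article assigns risk per system but fixes no scale.
LOW, MEDIUM, HIGH = 1, 2, 3
REQUIRED_CREDENTIAL = {LOW: "password", MEDIUM: "token", HIGH: "smartcard_or_biometric"}

@dataclass
class Profile:
    """What the transaction security software has seen from this user before."""
    ip_prefixes: tuple         # e.g. ("10.20.",) for the office network
    countries: frozenset
    work_hours: range          # hours of day at which the user normally works
    devices: frozenset         # device identifiers seen before
    max_actions_per_hour: int  # crude behavioural baseline

@dataclass
class Session:
    ip: str
    country: str
    hour: int
    device: str
    actions_this_hour: int
    wireless: bool = False

def deviations(profile: Profile, s: Session) -> list:
    """Context signals from the article's list that differ from the user's past."""
    checks = [
        ("ip", not s.ip.startswith(profile.ip_prefixes)),
        ("geo", s.country not in profile.countries),
        ("time", s.hour not in profile.work_hours),
        ("device", s.device not in profile.devices),
        ("behaviour", s.actions_this_hour > profile.max_actions_per_hour),
    ]
    return [name for name, off in checks if off]

def decide(risk: int, profile: Profile, s: Session) -> dict:
    """Decision for one access attempt: credential to demand plus the follow-up action."""
    # Wireless access is held to the next tier up; the top tier stays where it is.
    tier = min(HIGH, risk + 1) if s.wireless else risk
    credential = REQUIRED_CREDENTIAL[tier]
    signals = deviations(profile, s)
    if not signals:
        return {"require": credential, "action": "allow", "signals": []}
    # An anomaly on a top-tier resource, or several at once, stops the action and pages staff.
    if tier == HIGH or len(signals) > 1:
        return {"require": credential, "action": "stop_and_page", "signals": signals}
    return {"require": credential, "action": "ask_more_questions", "signals": signals}
```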
The layered identity enterprise security also applies to databases and
documents. Those with low risk will require little or no
authentication. However, as the database row or document
increases in enterprise risk, the authentication strength required to
access it will correspondingly increase.
The same layered identity strategy will also apply to physical
access. Some areas will require no security badge to
enter. Low to medium risk areas will require a general
security badge. Higher risk areas may require a smart card, a
password and/or a biometric in order to access the area.
Like layers of an onion, an enterprise must construct its security
strategy protecting its most sensitive systems, applications,
information systems and facilities with stronger and stronger identity
authentication and authorization systems.
Enterprise layered identity strategy's potential weak spots:
A layered identity system's weak spots are:
- It is only as good as the initial identity validation and registration process. If a person is accepted without a good background check, the layered identity system is at risk, since a person masquerading as another will always be successfully authenticated.
- It relies heavily upon good identity information. If the identity provisioning systems (the systems and business processes that create the identity, modify its roles and terminate it) are poor, the layered identity system will be easily compromised.
- Centrally managed enterprise security policies. This requires the ability to assign enterprise risk to each system, application, information system, facility, building and room, and then to create the authentication, authorization and audit policies. If this is not done, the layered identity security strategy will fall apart in operational practice, creating security holes.
- Policy enforcement points connected to policy management authorities and enterprise security policy management. Each of the enterprise's contact points with the user (the policy enforcement points), whether digital or physical, needs to be integrated with a policy management authority that interprets the security policies and decides whether to accept the authentication and authorize the user. The policy management authorities in turn need to be integrated with enterprise security policy management. If any of these processes is broken, the layered identity strategy fails.
- End to end audit and user lifecycle sessions. Historical audits require the ability to see what an identity did over the course of a user session, or over its lifetime of interactions with the enterprise's systems, applications, information systems and physical access. Without this ability, the enterprise can never learn from its past layered identity mistakes.
AN ENTERPRISE LAYERED IDENTITY STRATEGY IS ONLY AS GOOD AS THE WEAKEST LINK. Hire a good authentication/identity security consultant to guide you through the process of creating your own enterprise layered identity strategy.