How many vendors of physical and logical security are talking about providing your enterprise with different authentication mechanisms. They talk about HID cards with "multi-factor" authentication, "biometrics", "digital certs", "RSA tokens", etc. All of which is supposed to better protect the enterprise...right? Well maybe not. That's what this blog is going to discuss.
I am going to use an old analogy of putting the cart before the horse and not getting anywhere until the horse is in front of the cart. The cart in this analogy is the many different authentication mechanisms. While each vendor emphasizes one, tow or three different authentication mechanisms, the focus is all on the technology and not on risk, different degrees of risk and having a way to measure this against authentication. This is the horse.
Many large Fortune 500 enterprises I have dealt with had no overall enterprise risk assessment done for all physical locations, their logical infrastructure and their content. They had pieces of this done. Where the risk assessment was done it was silo-ized. The people who did it were usually separate from the people who were applying the security. The risk wasn't measured against authentication.
When I consult with my clients, one of the first thing I go hunting for is enterprise risk assessments and where they don't exist, I then create them. While there are different ways of measuring risk, in the end, we usually come up with ratings for physical, logical and content security as critical, high, medium and low.
In parallel to the risk assessment efforts, I then begin to develop an enterprise authentication risk chart. I get the enterprise to create a chart where "0" is no trust at all in the authentication of the identity and "100" is absolute certainty the identity is who they claim to be.
The next step is to then apply numerical measurement against different types of authentication. For example, uid and passwords is the most common form of logical authentication and also one of the least secure methods. I normally rate this a score of "15". Then we go up the numerical ladder rating different methods and combination's of methods.
Note that I educate my clients on the many, many types of authentication. Just because you are using a "biometric" doesn't necessarily mean that it is good. "A biometric is NOT A SECRET" as Bob Blakely from Burton Group has repeatedly made in his numerous presentations over the years. Nor is a "finger scan" the same as a "digital fingerprint" or an "iris scan" etc. Likewise, having a token in one's possession, like a proximity security badge, is also not that strong assertion that the identity holding it is the one who it claims to be.
I get my clients to agree on numerical points where we can then relate this to "zones of trust" i.e. our enterprise risk assessment. For example, we might say that score of 15 or less is acceptable for our low risk zones. 30 is the beginning of our medium risk zone, 60 is the beginning of our high risk zone and 85-90 is the beginning of our high risk zone.
This chart allows us to then add in new methods of authentication as they become available in the future. It allows for different combinations to be used. It gets the clients head out of the authentication "vendor sands" and allows them to see risk applied to authentication in a measured way.
We then create logical rules requiring certain minimum scores in order to enter or gain logical access to the zones of trust. In the future, as some of my recent blogs indicate, I think that more and more risk assessment will be done in the ERP and then enforced by ERP access control modules.
Don't allow your enterprise to be swayed by vendors pitching one authentication method against another. Too many IT and physical security people only have a limited knowledge of authentication. They mouth the words but don't understand the underlying risk, nor do they have a enterprise tool to measure risk against. The cart is trying to drive the horse.