There is an urgent requirement for organisations to reinforce control over access to their systems.
In terms of managing identity, Applied Identity Control (AIC) is certainly the new kid on the block. Despite the astonishing losses caused by rising incidents of ICT-based crime, organisations are still battling to manage identity throughout their business processes.
From insider fraud and banking scams through to the cyber theft of corporate secrets and customer data, it is clear that there is an urgent requirement for organisations to reinforce control over access to their systems and the activities within them. Enter Applied Identity Control or AIC.
Hi-Tech Security Solutions spoke to Ideco MD, Marius Coetzee, and Mark Eardley of Supervision about the concept of AIC and how it positions identity authentication at the heart of a converged or unified approach to systems-based security.
The four cornerstones of AIC
The four cornerstones of AIC are authenticate, authorise, audit, automate. According to Eardley, security-conscious organisations whose operations are heavily reliant on ICT will probably already be using established technologies to create competencies in the last three of AIC’s principles. “They will have governing systems in place that are designed to authorise and audit activities. But, almost universally, the integrity of these automated functions is completely undermined by an inability to accurately authenticate users.”
Eardley stresses that the strength of any form of identity management system is based entirely on the accuracy of the authentication component. “If that is weak, the whole structure comes tumbling down. Organisations are so busy looking at the top of the security mountain – where they want to be – that they have not noticed the gaping crevasse at their feet.
“Consequently, a rising number of organisations are falling into that dangerous hole. The Postbank cyber heist of R42m at the start of 2012 is reported to have been based on a failure to authenticate users of the bank’s payment systems. As part of the theft, strong passwords and complex PINs may well have been authenticated, but these things are not people, are they? These credentials can only identify themselves. They do not identify people. In terms of AIC they most certainly do not authenticate.”
The starting point for AIC
Coetzee says, “When we use the word ‘authenticate’ in the context of AIC we are talking about the consistent ability to accurately identify people. Cards, PINs and passwords – or CPPs – do not have this ability. Because their use cannot be restricted to a specific person, they have never been able to authenticate identity.
“So, we say it is quite wrong, that it is absolutely incorrect and also completely misleading to talk about CPPs as being able to authenticate identity. They cannot and they do not.”
Coetzee supports his views by pointing out that the world of physical security recognised this fundamental security flaw many years ago, “For example, many organisations know that fingerprint-based authentication ends the losses caused by people sharing cards and clocking-on for one another. But organisations are perhaps much less aware about what happens when CPPs are exploited by insider fraudsters and cyber villains to access systems and commit their crimes.”
“Failure to authenticate, or FTA, is a fundamental flaw common to all forms of CPP,” says Eardley. “They cannot tell if the user is Jack or Jill. They cannot differentiate between the people using them, which means that they cannot authenticate.”
Eardley sees FTA as such an important concern because of the immense risks it creates in all sorts of IT-based systems and processes. People acquire other people’s CPPs and then access systems and operate within them as if they were authorised users.
“And what is to stop them?” asks Eardley. “If a particular smartcard and PIN is authorised to transfer money from your bank account, then that is exactly what the system allows. The fact that you did not make the transfer is totally irrelevant as far as the system is concerned. The system works. It might not work in the way it was intended to, but it still transfers your money.
“We should not underestimate the enormous losses that organisations are suffering as a direct consequence of FTA. After all, it is the basis for the vast majority of cybercrime.”
For Eardley, that blunt fact warrants some heavy emphasis. “If you think about all the various forms of cybercrime, from having your payment cards and bank account defrauded through to multi-million cyber-heists, almost all of it comes down to someone using someone else’s card, password or PIN. From crooked insiders making illicit EFT payments through to organised villains stealing highly sensitive corporate information, failure to authenticate is leading directly to escalating losses across all sorts of organisations and in all sorts of IT-based systems.”
Overcoming the risks and losses caused by FTA
The consequences of FTA can take many forms. For example, a container-load of goods is delivered to your warehouse. How do you know what was delivered and who took the goods into stock? Some scribbled signatures on a delivery note are not much help when half the stock goes missing before it gets added to your inventory. Or maybe it all gets entered on the inventory but only half actually ends up in the warehouse.
Coetzee says that AIC deals with the who, what, when and where of business transactions: “The ‘who’ bit is clearly really important. Who delivered the goods? Who took them into stock? Who added them to the inventory? Failure to authenticate these identities creates risks and leads directly to recurring losses. FTA leaves the doors wide open for the villains.”
Addressing the challenge of FTA is not difficult. Coetzee points out that for millions of local employees, fingerprint-based authentication systems verify their identities every day as they access the workplace and clock-on to attendance and payroll systems. The whole purpose of fingerprint technology in these systems is to authenticate – to accurately confirm the identities of these employees. Who is where on your premises? Who is authorised to be in that hazardous environment? Who is being recorded by the time and attendance system?
The importance of convergence in AIC
Coetzee says that thousands of SA organisations are using fingerprint-based systems to address each of these questions accurately and securely. He is however adamant that fingerprint authentication can deliver even more commercial benefits: “Who is certified as technically competent and duly authorised to operate that machinery? Who is altering your invoices? Who is making EFT payments and who is reading sensitive documents and making copies?
“If any of these operational functions are controlled by CPPs, then you are fully exposed to the full spectrum of abuses that arise from FTA. And that leads directly to the escalating losses caused by all the various forms of systems-based crime.”
Beyond applications within physical workforce security, Coetzee sees the integration of fingerprint technology into all of an organisation’s identity-reliant processes as an obvious way to complete the circle in terms of using accurate user authentication as a business tool to reduce risks and prevent losses.
“Systems integration is one of Ideco’s key strengths, giving us the technical capabilities to incorporate fingerprint-based authentication into a diversity of business systems,” says Coetzee. “The business case for fingerprint technology is already well established within physical security systems because it cuts the losses caused by unauthorised access and activity. I would encourage organisations to now start thinking about how to extend that proven success into other areas of their operations.”
Authorise, audit, automate: no problem at all
In Eardley’s opinion, compared to the way we authenticate identity, we really are light-years ahead in terms of how technologies routinely authorise and audit access and activity within commercial processes. “Just consider everything that happens automatically when you use the functionality provided for your online banking. You can move money around your accounts, check transaction histories, make payments and create lists of beneficiaries. You can download proof-of-payment and receive SMS or mail messages concerning activity on your accounts.”
Within corporate IT systems, assigning authorisations and tracking activities is something we take for granted – established, proven technologies just handle it all for us. Want e-mail alerts for exception reporting? No problem. Want them pushed via SMS? Easy. Want stock-control systems that are linked to sales points? Done it. Want behavioural analysis of activity in your IT system? Got it.
The way we process identity data and what we can do with it seems to be only limited by the objectives we set for these automated functions.
But as long as FTA remains a persistent, recurrent problem within all sorts of business systems, the question Eardley poses is this: why bother with all that expenditure and effort if you cannot authenticate the identity of the people using your systems?
Tel: +27 12 749 2300
www: www.ideco.co.za
© Technews Publishing (Pty) Ltd. | All Rights Reserved.