printer friendly version

Moving past passwords

In the past, enterprises could focus most of their energy on securing the network perimeter, confident that static passwords were more than enough to authenticate users inside their firewalls. This is no longer adequate as IT administrators grapple with challenges including today’s Advanced Persistent Threats (APTs) and the vulnerabilities created by the Bring Your Own Device (BYOD) mobility model. Increasingly, the only reliable way to combat today’s escalating threats is to employ strong authentication and a multi-layered security strategy that spans remote access, key applications and servers, and cloud-based systems.

Choosing an effective strong authentication has recently become much easier. Past solutions did not provide sufficient security, they were difficult to use, and their implementation was costly and complex. This has changed with the adoption of smartphones, smartcards and other smart devices that can carry secure credentials. Today’s new strong authentication model enables enterprises to:

• Create converged solutions that not only deliver secure logical access to the network and cloud-based services and resources, but also control physical access to buildings.

• Support mobile security tokens that give users an extremely convenient and secure access solution they can use on smartphones or tablets.

• Integrate intelligence for enhanced security including device identification and using built-in technologies such as GPS for location awareness.

• Achieve more effective threat protection using multifactor authentication as part of a multi-layered security strategy.

Tap in authentication

Previous hardware OTPs, display cards and other physical devices have provided a solution for two-factor authentication (i.e., something the user knows, such as passwords, plus something the user has, such as a mobile or web token). Unfortunately, hardware OTPs are inconvenient and only useful in a limited number of applications. Software OTPs carried on mobile phones, tablets and browser-based tokens are easier to use, but more vulnerable to security threats. Alternatives like smartcards based on the Public Key Infrastructure (PKI) are more secure, but tend to be costly and difficult to deploy.

A better approach is to take advantage of short-range connectivity technology, such as Near Field Communications (NFC) technology, that is becoming available in smartcards, and a standard feature on smartphones and laptops. These devices can be used to gain access to resources by simply 'tapping in'. The tap-in model eliminates the need for multiple devices to issue and manage, or for entering a password on a touch-screen device. Users can tap-in to facilities, VPNs, wireless networks, corporate intranets and cloud- and web-based applications, as well as SSO clients.

Besides improving cost, security and convenience, the tap-in strong authentication model will also enable enterprises to achieve true access control convergence. A single solution can be used to access IT resources while also enabling many types of physical access control applications such as secure print management, cashless vending, and biometric templates for additional factors of authentication. With the new tap-in strong authentication model, all of these applications would be delivered on the same smart card or phone alongside OTPs, eliminating the need for users to carry any additional tokens or devices.

A layered security approach

In addition to user authentication, several other security layers should be considered. The second layer is device authentication, which goes beyond determining that the user is who he or she claims to be, to also verify that the person is using a known device. The best approach is to combine endpoint device identification and profiling with such elements as proxy detection and geo-location.

The third layer to employ is one that ensures the user’s browser is part of a secure communication channel. Although this browser protection layer can be implemented through simple passive malware detection, this approach does not yield the strongest possible endpoint security. A more effective approach is to use a proactive hardened browser that provides a mutual secure socket layer connection to the application.

The fourth layer to consider is transaction authentication/pattern-based intelligence. Implementing this layer increases security for particularly sensitive transactions. A transaction authentication layer can include several elements such as Out-Of-Band (OOB) transaction verification, transaction signing for non-repudiation, transaction monitoring, and behavioural analysis.

The final layer to implement is application security. This layer protects applications on the mobile devices used to deliver sensitive information. Ideally, the application must not only be architecturally hardened, but also should be capable of executing mutual authentication. Data theft is much more difficult and costly for hackers who are confronted with this security layer.

Each of these security layers can be implemented using an integrated versatile authentication platform with real-time threat detection capabilities. This type of platform has seen proven use for quite some time in online banking and ecommerce. Now, similar types of threat detection technology platforms are expected to migrate to the corporate sector, where they can provide one more layer of security for such remote access use cases as VPNs or virtual desktops.

Making the transition

As manufacturers enable more and more phones, tablets and laptops with short-range connectivity technology, this has led many companies to seriously consider the benefits of incorporating secure physical and logical access into their facilities and IT access strategies using these mobile platforms. Making the transition to these capabilities requires a multi-technology smartcard and reader platform that is extensible and adaptable. To maximise flexibility and interoperability, this platform also should be based on open architecture to it can support current and future technologies while staying ahead of evolving threats. Finally, it should also enable both legacy and new credential technologies to be combined on the same card while also supporting mobile platforms.

To optimise security, the smartcard and reader platform should use contactless high frequency smartcard technology that features mutual authentication and cryptographic protection mechanisms with secret keys. It should also employ a secure messaging protocol that is delivered on a trust-based communication platform within a secure ecosystem of interoperable products. These will help ensure that organisations have the highest level of security, convenience, and interoperability on either cards or phones, and that they can adapt their solutions to meet future needs including strong authentication to protect data and cloud applications, and contactless high-frequency smartcard technology for numerous physical access control applications.

With the right foundation, organisations can solve the strong authentication challenge while protecting everything from the cloud and desktop to the door. Effective planning also ensures they can reduce security solution deployment and operational costs by leveraging their existing physical access control credential investment to seamlessly add logical access control for network log-on. The result is a fully interoperable, multi-layered security solution that spans all of the organisation’s networks, systems and facilities.

Share this article:

Further reading: