
Authentication Best Practices for 2013

Proven tactics, tips and best practices for enterprise authentication

Contents

Cloud Identity Management as a Service: Not quite ready for prime time
Intro to two-factor authentication in Web authentication scenarios
Two-factor authentication options, use cases and best practices

Industry experts Jonathan Hassell and Ajay Kumar take a deep dive into the murky waters of identity management and authentication to explore whether the newest kid on the block, cloud identity management, is ready for prime time, and also provide a comprehensive introduction and best practices for two-factor authentication.
Cloud Identity Management as a Service: Not quite ready for prime time
Jonathan Hassell

As the cloud becomes more vital for CIOs, there exists another problem -- or, shall we say, a challenge -- that needs to be addressed: cloud identity management. How can we verify that users are who they say they are, how do we authorize them to use services, and how can we account for their activities once they've been authenticated and authorized?

Dealing with identity on-premises is difficult enough. You have generally disparate systems. Years ago, the big push was to enable your host integration service to talk to Novell Directory Services, while your accounting or payroll system utilized NDS as well. Such integration makes user provisioning simple when employees come and go. It also makes security policy application more consistent and enables complete control over monitoring and auditing controls. The integration was made possible with protocols like Lightweight Directory Access Protocol and the use of central directory services like Active Directory. Those protocols and serious investments each made more efficient use of centralized user information in the private data center.

Get ready to reinvent the wheel when it comes to the movement to cloud-based computing. Cloud identity management presents an entirely new set of challenges. Why? There are a couple of reasons. First, different providers have different internal systems. Imagine that you're considering purchasing a cloud-based CRM solution. If you've already migrated your email and calendaring groupware solution to a cloud provider, how do you integrate identities among these providers? User conveniences like password integration and single sign-on might not be possible with disparate providers. You may also have trouble with logging and service support and provisioning. Maintaining a single identity among different providers using different systems can be challenging, to say the least.

The other reason involves compliance and auditing. Just think about how you're handling the on-premises data center now. How do you fulfill compliance requirements for your regulators, financial institutions and business partners? What is the impact of identity across all of your business systems? How will you know who can do what? Cloud-based computing magnifies these obstacles, but with the added complexity of different user interfaces, reporting platforms, data security and geographical residency attributes.

Some vendors have an eye toward integrating identities across various providers. You may have already seen this with popular social networking sites as the bedrock: Many upstart cloud providers and consumer service providers allow users to create accounts and be authenticated using Twitter, Facebook, LinkedIn and other sites. Obviously, enterprise and business corporate customers are not going to be interested in forming the basis of their online identity systems using Facebook accounts, but this is an area that CIOs should watch in coming years.

The future of Cloud Identity as a Service

As the coming years unfold, you'll see an increase in the utility of Federation as a Service. Organizations -- in particular, larger corporate customers -- will decide that given the current state of affairs, they should become the service providers for identity: authentication, authorization and accounting.
Businesses will invest in systems that allow users to federate their identities among on-premises systems, mainframes that are still in use as line-of-business applications, and cloud services -- in effect, reversing the roles of customer and provider. Businesses of all sizes will demand of their cloud providers the ability to consume identity information from their on-premises directory services. "Being their own customers" allows midmarket companies to solve challenges in several ways.


First, they will maintain the ultimate control of identity centrally, and permit services to consume the information necessary to provide services on an ad hoc basis. Companies will also keep data safeguarded within the confines of the corporate network, and allow services to get only "yes or no" information from the on-premises federation service. They will also enable smoother rollout of other cloud-based services by exposing standardized application programming interfaces that those services can consume, and then authorizations that those services can exchange with others. Finally, by adopting this method, they will permit assurance that regulatory and compliance requirements are still being met. The customer is still in control of authorization and accounting, as well as ensuring that the appropriate logging is taking place and ensuring full transparency.

All in all, don't jump into cloud identity management anytime soon. Identity Management as a Service is not ready for prime time. Instead, look for ways to expose your current identity services through federation, and then push cloud-based service vendors to consume that information from your on-premises resources.

About the author

Jonathan Hassell is president of 82 Ventures LLC. He's an author, consultant and speaker in Charlotte, N.C. Hassell's books include RADIUS, Learning Windows Server 2003, Hardening Windows and, most recently, Windows Vista: Beyond the Manual. Contact him at editor@searchcio-midmarket.com.

Intro to two-factor authentication in Web authentication scenarios


Ajay Kumar

Recently Apple joined a growing number of major consumer brands like Facebook, Google, Microsoft and PayPal in offering two-factor authentication (2FA) to help customers better secure their user accounts against hacking. For Apple Inc., the new feature is designed to block unauthorized changes to iCloud or iTunes accounts and prevent attackers who steal Apple IDs from making purchases using the credit cards stored in customers' iTunes and Apple store accounts.

While most information security professionals are quite familiar with the concept of two-factor Web authentication, for those who aren't, it is a more rigorous and complex method of authenticating an account than a simple password-only process. In this tip, we'll examine the benefits, challenges and technical considerations of implementing two-factor authentication in a consumer-facing website environment.

An introduction to two-factor authentication

A password is inherently weak. It can easily be lost or forgotten; many people write their passwords down where they can be seen by others; some use the same password over and over or use weak passwords that can be easily guessed. Two-factor Web authentication ensures that a password alone is not enough: the password is one of two necessary authentication factors that must be provided before access is granted. All 2FA systems are based on two of three possible factors: a knowledge factor (something the user knows, like a password), a possession factor (something the user has, like a token; more on that below), and an inherence factor (something the user is, such as a fingerprint). In this scenario, even if a malicious party obtains a person's password, he or she would not be able to provide the relevant second element needed to complete the authentication process. This lowers risk and the potential for unscrupulous behavior, as a compromised password alone is not enough to compromise the authentication system.

In the enterprise, two-factor Web authentication systems rely on hardware-based security tokens that generate passcodes; these passcodes or PINs are valid for about 60 seconds and must be entered along with a password. In a consumer-oriented Web-based environment, it's cost-prohibitive for a service provider to distribute physical tokens to each and every individual user. Instead, most websites ask users to undergo a one-time registration process during which users register one or more of their mobile devices with the website provider. This is a trusted device under the user's control that can receive a verification code via SMS or another means to verify the user's identity. Any time a user signs into the website, a passcode is sent to the registered device. The user must enter the password and verification code to fully sign in and use the services.

2FA Web authentication: Challenges and considerations

In consumer-oriented environments, the challenge lies in complexity: consumers have access to more than one service from the service provider, and each requires seamless and secure transactions. If the second factor of authentication is not secure, then it's not worth implementing at any cost. Thus it presents a critical and challenging requirement: the 2FA system must be protected in such a way that an attacker cannot reach it and compromise its integrity. Further, it's difficult to integrate two-factor authentication seamlessly with an entire service portfolio or set of Web products. It requires the website and product development teams to understand changing consumer needs and business scenarios so that increased customer security doesn't negatively affect sales, registrations or other metrics of business success.

Page 5 of 14

Another challenge is interoperability; every organization does business with other organizations, and users or consumers access other providers' services. So interoperability becomes an important challenge to address while implementing 2FA. This involves considerations such as whether to buy or build a 2FA product that is based on an industry standard (the burgeoning FIDO Alliance is a compelling new option), and whether to plan for interoperability with the authentication mechanisms offered by other major Web brands, like Facebook or Google. Don't underestimate the challenge of implementing an interoperable, user-friendly 2FA system that keeps consumer account details secure. Be sure to consider exception scenarios such as when a user can't receive a text message while traveling overseas. The solution might be an app for smartphones or tablets/laptops that can generate security codes on its own, with simple steps to set up the app before starting the travel.

Web 2FA costs

The costs associated with planning, procuring, deploying and supporting a Web authentication system must be considered early on. There are one-time development and deployment costs, including the development/customization, installation and configuration of the system, and the cost of customizing and integrating it with other applications. There are also ongoing system infrastructure costs for hosting the system. Finally, factor in support costs for ongoing support and administration of a 2FA solution, including helpdesk staff members who can help consumers resolve their issues in a timely fashion.

To lower costs, organizations can subscribe to SaaS security vendors that provide a two-factor authentication service, combining cloud-based delivery and self-service administration with flexible authentication methods at low per-user costs. Such services are also easy to provision and inexpensive to maintain.

Every Web service provider should consider using two-factor authentication -- or begin moving Web authentication strategies in that direction -- to better secure the online services they provide and the safety of consumer data and account details.
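As an added example (not code from this e-guide or from any vendor it names), here is the passcode flow the article describes: the registered device or app computes a short-lived code from a secret it shares with the site, and the site checks that code only after the password has already been verified. It assumes RFC 6238 TOTP over HMAC-SHA1 with a 30-second step (the article cites roughly 60 seconds for hardware tokens), one step of tolerated clock drift, and refusal of any code that was already accepted, so a code captured in transit cannot be replayed; the secret and timestamps are constructed test values.

```python
"""Added example: time-based passcode generation (device side) and verification
(server side). Assumptions, not from the e-guide: RFC 6238 TOTP over HMAC-SHA1,
30-second time step, six digits, one step of accepted clock drift, and a
replay check that refuses any code at or before the last accepted time step."""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # RFC 6238 default; the e-guide's hardware tokens use ~60 s
DIGITS = 6
DRIFT_STEPS = 1     # accept one step either side to tolerate device clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None) -> str:
    """Code the registered device (or a hardware token) displays at Unix time `at`."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // STEP_SECONDS)


class PasscodeVerifier:
    """Server-side check of the second factor, run only after the password passed."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._last_accepted_step = -1  # highest time step already consumed by a login

    def verify(self, submitted: str, at: Optional[int] = None) -> bool:
        """True if `submitted` matches the code for the current step or one step of
        drift, and that step has not already been used (replay protection)."""
        at = int(time.time()) if at is None else at
        current = at // STEP_SECONDS
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if step <= self._last_accepted_step:
                continue  # this code (or an older one) was already accepted: refuse
            expected = hotp(self._secret, step)
            # constant-time comparison so timing does not leak matching digits
            if hmac.compare_digest(expected, submitted):
                self._last_accepted_step = step
                return True
        return False


def demo() -> dict:
    """Walk through one login with the RFC 6238 test secret at constructed times."""
    secret = b"12345678901234567890"      # RFC 4226/6238 test-vector secret
    verifier = PasscodeVerifier(secret)
    shown = totp(secret, at=59)           # what the device displays at t=59
    return {
        "code_at_59": shown,
        "fresh_code_accepted": verifier.verify(shown, at=59),
        "replay_rejected": not verifier.verify(shown, at=60),
        "wrong_code_rejected": not verifier.verify("000000", at=59),
        "drifted_code_accepted": PasscodeVerifier(secret).verify(shown, at=89),
        "stale_code_rejected": not PasscodeVerifier(secret).verify(shown, at=120),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The drift window is what makes the "about 60 seconds" experience work for users, and the replay check is what keeps that window from becoming a second chance for anyone who intercepts a code.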

About the author:


Ajay Kumar is an information security manager who has worked for a decade in the information security and risk management domain and has expertise in infrastructure security, identity and access management, threat and vulnerability management, data protection and privacy, cloud security and mobile security. He specializes in the planning, design and implementation of the security services and systems required to protect the confidentiality, integrity, privacy and authenticity of the information stored in enterprise environments. Ajay can be reached at akumar_net2002@yahoo.com.

Two-factor authentication options, use cases and best practices


Ajay Kumar

It's becoming increasingly obvious that security programs that are reliant on single-factor password-based authentication systems are doomed to fail. As Verizon noted in its 2013 Data Breach Investigations Report, the use of something other than a single-factor username-password credential would have likely thwarted 80% of the hacking attacks reported last year. Yet many enterprises still don't use multifactor authentication. With that in mind, let's look at two-factor authentication -- options offered by technology providers and how to make a strong business case for enterprises to implement it as part of a comprehensive enterprise security strategy.

While many vendors have similar technology, they all come with their own pros and cons. For example, a vendor with mature offerings may have proprietary authentication methods and a software development kit (SDK) that allows it to plug into enterprise applications or vendor applications. Others may focus on one or a few well-known authentication methods such as one-time password (OTP) tokens and out-of-band (OOB) authentication methods.

Use cases for two-factor authentication

Enterprise IT systems provide specific capabilities to specific users; for example, the tasks performed by a system administrator differ from those a security analyst or financial analyst performs. Authentication is a critical business process that connects users to applications and other resources without exposing data and processes to which users aren't authorized. In today's complex, cloud computing age, enterprises can adopt a two-factor authentication option to support one or more use cases to better protect enterprise assets and business data against unauthorized access. Those use cases include the following:

1. Internal or local access: Employee access to critical business or cloud-based applications, and/or administrator access to corporate servers and network devices.
2. External or remote access: Remote or mobile employee access to the corporate backend systems via the VPN or portal access.
3. Common network entry points: Between the public network/Internet and the internal corporate network, facilitating secure access to enterprise services like email or the VPN.

Two-factor authentication options

2FA as a technology has matured in recent years and technology costs have gone down significantly. With the evolutions and enhancements in the technology, employees no longer need to always carry a cumbersome token device with them. A simple mobile device carried by every employee today can be used as a second authentication factor to deliver the secure authentication code instead of a token to protect the enterprise assets from hackers or attackers. Some major two-factor authentication vendors are Entrust, RSA, SafeNet and Symantec; all offer established, broad technology options and a range of viable use cases for enterprises.

RSA, the security division of EMC Corp., has its well-known brand of RSA SecurID one-time password hardware and software-based tokens. In addition, it offers adaptive authentication, which is used by large enterprises to take advantage of contextual authentication/adaptive access control capabilities. Identity verification, another option, is a managed service that offers identity proofing with validation based on end-users' life-history questions and uses interactive user authentication processes. Most of its competitors sell similar products.

The implementation pricing of 2FA depends on the scenario: the industry vertical, the size of the enterprise, the usage pattern, user geography, helpdesk presence and the sensitivity of the business or data. It would cost between approximately $65,000 and $2 million for big financial and retail banking verticals.

An example of a newer but established type of 2FA is the one offered by PhoneFactor (now owned by Microsoft). PhoneFactor leverages the user's existing phone in lieu of a token or other dedicated 2FA device; it's convenient for users and is a cost-effective, secure platform for enterprises. During the first step of the authentication process, the user must enter his user name and password. In the second step, the user can choose one from among these methods: a) PhoneFactor calls the user and the user simply answers by pressing # on the phone keypad; b) PhoneFactor sends out a text message containing the passcode and then the user replies to the text message with the passcode; c) PhoneFactor pushes a notification to the PhoneFactor app on the user's smartphone and the user just taps "authenticate" in the app to complete the authentication process. For small organizations (up to 25 users), the vendor offers a free version.

Considerations in selecting a two-factor authentication product

Two-factor authentication technology helps enterprises protect user credentials and reduces the number of incidents related to unauthorized access and theft of credentials in the corporate environment. In addition, it brings the enterprise into compliance with regulatory standards and meets the compliance requirements. For example, PCI DSS 8.3 reads, "Incorporate two-factor authentication for remote access to the network by employees, administrators and third parties."


Not all enterprises must be PCI compliant, but the PCI DSS is considered a baseline set of requirements, so organizations that don't already have a 2FA strategy in place would be wise to begin the process, which of course includes evaluating vendor technology. Organizations should consider the recommendations listed here while identifying their 2FA needs and plan the project accordingly.

Understand the corporate IT environment -- This could include understanding the technology landscape that's used inside or outside the enterprise to access information or data, and knowing how the IT policies are enforced and what protections are in place. For example, are employees allowed to access corporate information through mobile devices? Or is the enterprise using SaaS applications hosted by SaaS providers, and do the SaaS providers support the 2FA security measures needed to protect the data?

Find the target users -- Is 2FA considered only for selected business units like sales or marketing departments, or for remote workers and partners as well? In general, most organizations only offer 2FA for VPN access. Limit the implementation, at least in the early stages, to specific use cases.

Adopt a risk-based approach -- Most organizations today implement a technology if it will help reduce risk. So alternatively, when there isn't a clear scope or group of target users, offer 2FA only to users who access business-critical information or intellectual property, whether the user is an employee or third party and is accessing the information from within the corporate network or from a remote location.

Avoid unnecessary cost and complexity -- The overall cost of the implementation can vary from vendor to vendor depending on the size and requirements of the enterprise. Take into account the number of users, office locations, the global presence of the enterprise, plus support and help desk coverage factors when determining the cost.


Two-factor authentication implementation challenges

Two-factor authentication is not easy to implement. For instance, security firm Duo Security recently reported a serious flaw in Google's two-step login process. The problem, which was soon fixed, stemmed from Google applying the feature across its many services. Despite Google being one of the Internet's giants, its technology was solid but its implementation was flawed. To be clear, a broad undertaking like 2FA is bound to have complications in any organization. But the lesson is that while implementing a single, secure infrastructure-wide two-factor authentication platform is not without stumbling blocks, being aware of likely problems before you begin can help lessen the effects.

For example, legacy software and services must often be reworked to handle 2FA, or may require an authentication framework that can be used among different in-house or outsourced tools to support two-factor authentication enterprisewide. Sometimes it becomes clear that the two-factor authentication framework selected simply requires too much customization, something that can be difficult to determine until software architects actually get to work on the integration aspects of the implementation.

Two-factor authentication will likely be seen by users as a hassle. They may find it tedious to have a trusted device or hardware token with them at all times in order to log in. So some authentication scenarios may require an option for users to skip two-factor authentication for frequently accessed systems.

These and other pain points of a two-factor authentication implementation may be eased with the following measures:

Select a factor that fits enterprise needs. The options include hardware-/software-based tokens or sending SMS messages to smartphones. Enterprises that are geographically centralized will appreciate physical tokens, while others with a constantly moving workforce may wish to use software-based tokens or mobile options.

Consider implementing a phased approach. Abrupt, enterprisewide cutovers don't make anyone happy. At the same time, application and system owners will find it easier to migrate everyone at a single go. But that just creates a nightmare for end users and help desk staff members who have to support and address the issues that occur during the migration. It could shoot up the project cost too.

Provide sufficient user support. Getting the back-end server components installed and configured takes a while, and integrating and testing applications takes time too. Self-service, sufficient training and a well-staffed helpdesk and support team will be essential to get users accustomed to the technology and able to successfully navigate through the transition period.

Two-factor authentication is becoming an essential element of modern enterprise IT security programs, yet it remains complex and difficult to understand, implement and manage. Organizations must understand that traditional and inherently weak password-only authentication mechanisms may no longer serve as an adequate security control. Furthermore, amid today's threat landscape, it's apparent that two-factor authentication is necessary in order to keep unauthorized users from obtaining access to key corporate systems and to keep persistent, sophisticated attackers at bay.
