The sheer number and destructiveness of data breaches in the past few years are alarming and discouraging. However, there is cause for hope. Most of these attacks had a lot in common, and one of the most alarming similarities across the majority of them was the use of compromised credentials. As many as three-quarters of all breaches were largely due to weak or stolen credentials.
The good news is that the vast majority of security breaches could have been prevented by implementing and enforcing basic security best practices. Best practice recommendations for preventing security breaches come from every corner of the industry, analysts, consultants, governmental bodies and security organizations alike, and they speak as if with one voice.
The consensus: Adopt strong multi-factor authentication to lock the front door and prevent the most common attacks on corporate networks. But what should you consider? Not all enterprises and applications share the same risk profiles. What criteria should be part of the evaluation when formulating an individual approach to an authentication solution?
Consider the following:
1. Completeness of Solution
It is common for enterprises to have complex IT environments incorporating a wide variety of platforms and applications, both old and new. Left unsecured, these assets, including PCs, mobile devices, servers, thin clients, VPN clients, Windows applications, cloud applications and even green screen mainframe applications, are potential targets of cyber attacks. Leaving even one of these systems without strong authentication protection could compromise your entire network.
2. Ease of Implementation
The principal barriers to multi-factor authentication adoption have been the cost and disruption that such projects frequently entail. Rolling out strong authentication solutions can quickly balloon into complex projects lasting from months to years, consuming prodigious amounts of critical IT resources that are expensive and in short supply. When selecting a strong authentication vendor, insist on a full disclosure of the implementation requirements and solution attributes.
3. Administration and Management
Installation and provisioning are just the first hurdles in adopting a strong authentication solution. Administration and maintenance can be equally daunting, taxing already overextended IT personnel and requiring security skills that are expensive and hard to find.
4. Policy-based Access Controls
Employees need access to platforms, applications and data in order to fulfill their job responsibilities. However, security considerations and compliance mandates dictate that such access be granted based on the principle of least privilege: only provide access to assets that are essential to a user’s job function. Further, user access to platforms, applications and data should be governed by authentication safeguards appropriate to and in accordance with the security risk those resources represent. Best practice is to aggregate users into groups based on functional roles, map those roles to access rights and apply appropriate levels of authentication to secure access.
5. Breadth of Authentication Factors
Enterprises are faced with an ever growing mixture of endpoints, users, geographies and applications which have varied risk profiles and capabilities. IT security administrators need the widest possible spectrum of authentication options allowing them to choose the strength of security based on the type of transaction and the authentication factors appropriate to the endpoint. No single type of credential is a “magic bullet.” Solutions with a rich and varied set of authentication methods used individually or in combination provide the flexibility to tailor policies based on an organization’s unique security environment, industry best practices and regulatory mandates.
6. Single Sign-On
Single sign-on has seen increased adoption by enterprises of all types in order to provide an improved user experience and increased productivity. A typical user accesses a large number of IT resources during the course of a working day. SSO simplifies the authentication process, allowing users to sign in once and subsequently access all their applications transparently. There are many other benefits that SSO affords, but look for solutions that include SSO federation as an integral part of their offering.
7. Password Management
Synchronizing and managing passwords across all enterprise platforms, applications and data stores can be time-consuming and a major resource drain on IT departments. When evaluating strong authentication solutions, look for password management features that include central management of passwords across all platforms and applications, self-service password reset, and automatic password generation and entry.
8. Administrative Accounts
While it is important to secure all user accounts with access and authentication policies, special attention should be given to those with administrative privileges. It is vital to authenticate their identities with multi-factor authentication and audit their activities in order to shut down illicit activity before damage occurs. Look for solutions that provide a uniform way to secure both privileged and non-privileged user access, making deployment and management easier.
9. Security Architecture
In the past, organizations have adopted multiple point security solutions based on discrete use cases. The problem with this approach is that as the number of disparate solutions increases, the difficulty and cost of maintaining them skyrockets. Solutions that incorporate a broad range of authentication factors into one single architecture based on open standards provide the best option for building an effective layered security infrastructure now, while allowing organizations to respond to future security threats as they arise.
10. Ease of Use
Strong authentication methods can adversely affect usability, lowering productivity and causing users to search for ways to circumvent the system. Conversely, users will be inclined to adhere to easy-to-use authentication methods that minimally impact their workflow.
The best approach is to select an authentication solution that provides a wide array of authenticators with varying usability attributes, allowing you to tailor authentication requirements in accordance with transactional risks.
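The policy model that items 4, 8 and 10 describe (users aggregated into functional roles, roles mapped to the resources they need, and the authentication strength for each resource set by its risk, with privileged assets always requiring MFA and every decision audited) can be sketched as a small evaluator. This is an added illustration, not code from the original post or from Crossmatch; all role, resource and user names are constructed for the example.

```python
# Authentication strength levels, weakest to strongest.
PASSWORD, PASSWORD_PLUS_OTP, PASSWORD_PLUS_HW_TOKEN = 1, 2, 3

# Resource risk tier -> minimum authentication level needed to reach it.
TIER_REQUIREMENT = {"low": PASSWORD, "medium": PASSWORD_PLUS_OTP,
                    "high": PASSWORD_PLUS_HW_TOKEN}

# Constructed resource catalogue: risk tier plus whether the asset is
# privileged (administrative). Privileged assets always require MFA.
RESOURCES = {
    "intranet-wiki": {"tier": "low", "admin": False},
    "payroll-app": {"tier": "medium", "admin": False},
    "core-banking": {"tier": "high", "admin": False},
    "domain-controller": {"tier": "low", "admin": True},
}

# Functional role -> resources that role legitimately needs (least privilege).
ROLE_ACCESS = {
    "teller": {"intranet-wiki", "core-banking"},
    "hr": {"intranet-wiki", "payroll-app"},
    "sysadmin": {"intranet-wiki", "domain-controller"},
}

# Users are aggregated into roles; there are no per-user entitlements.
USER_ROLES = {"alice": {"teller"}, "bob": {"hr"}, "carol": {"sysadmin"}}

AUDIT_LOG = []  # every decision is recorded for later review

def required_level(resource):
    """Authentication strength the resource's risk tier demands."""
    meta = RESOURCES[resource]
    level = TIER_REQUIREMENT[meta["tier"]]
    if meta["admin"]:  # privileged access is never single-factor
        level = max(level, PASSWORD_PLUS_OTP)
    return level

def evaluate(user, resource, presented_level):
    """Return 'ALLOW', 'STEP_UP' (entitled but needs stronger auth) or 'DENY'."""
    roles = USER_ROLES.get(user, set())
    entitled = any(resource in ROLE_ACCESS.get(r, set()) for r in roles)
    if not entitled:
        decision = "DENY"      # no role of this user needs the asset
    elif presented_level < required_level(resource):
        decision = "STEP_UP"   # entitled, but must present a stronger factor
    else:
        decision = "ALLOW"
    AUDIT_LOG.append(f"user={user} resource={resource} "
                     f"auth_level={presented_level} decision={decision}")
    return decision
```

Note that the administrative flag raises the requirement for the domain controller above what its nominal "low" tier would demand, which is the uniform privileged/non-privileged treatment item 8 asks for.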
Next time we will take a look at scalability, adaptability, extensibility, flexibility, portability and compliance considerations when selecting an authentication solution.
Don’t want to wait – download the complete white paper now.
Chris Trytten has over two decades of technical and managerial experience in systems and security at leading companies in Silicon Valley, including positions with Crossmatch, DigitalPersona, Interlink Networks, Apple, Siemens and Amdahl. In his current position as Market Solutions Manager at Crossmatch, he is using his experience serving the Financial and Retail markets by guiding the product and market teams to address the security needs of these industries. Chris is the author of multiple security white papers and articles.