The best practice for authentication, and the solution required by many regulatory and industry mandates, is to deploy a strong authentication solution. But what is strong authentication? Strong authentication is a way of identifying a user or device using more that one authentication factor.An authentication factor can be something you know, something you have, or something you are:“Something you know” is the category into which traditional passwords fall. You know your username and password; however, it can be other information known only to you and the organization to which you need to authenticate.“Something you have” is the category of authentication factors that includes traditional one-time-password tokens but can also include a digital certificate installed on a user’s machine or on a smart card.“Something you are” is a way of authenticating based on a trait inextricably tied to the user, such as a fingerprint. More generically, “something you are” can also refer to the sum total of past behaviors and interactions the user has had with the organization – a user who behaves in a different way from you and the organization’s interactions with you in the past is probably not you.Strong authentication combines two or more of these factors, dramatically increasing the difficulty of impersonating an individual. If, for example, an enterprise requires a username/password with a one-time-password token to access the network, then someone would now need to steal both the user’s password and their token in order to be able to impersonate the user. This is far more difficult than simply stealing a password, and is therefore more resilient to attack.
PKI requires several security elements to be working in concert in one complete solution.First, it’s Strong Authentication—two factor authentication that prevents unauthorized access to apps and remote access for your mobile workers—it’s part of that visible security profile that builds trust.Next, it’s Encryption—protecting data in transit or at rest.And finally, it’s about digital signatures—validating the integrity of the transaction by verifying that the user is who they say they are and validates document integrity—these digital credentials are very hard to spoof, break, or forge.PKI is all about trust. In fact, PKI is a hierarchical trust model. And PKI solutions can be trusted only as much as the implementation of PKI itself can be trusted. And that is where it is critical to understand that a successful, trustworthy PKI is far more than a piece of software that generate certificates.NEXT SLIDE
User Authentication for Government
Symantec Government Technology Summit User Authentication for Government 20 March 2012Nick PiazzolaSr. Director, GovernmentAuthentication SolutionsNick_Piazzola@symantec.com443-604-4069
E-Authentication in the Federal Government Players: President, OMB, Federal CIO/CIO Council, FICAM Policies/Mandates: • HSPD-12 • OMB: M-04-04, M-07-16, M-11-11 • Federal CIO Memo Technical Standards: • FIPS 201 • FIPS 199 • NIST SP 800-63-1 Implementation Standards/Guidance: • Federal PKI Certificate Policy • Trust Frameworks (Non-PKI)
OMB M-04-04 E-Authentication Guidance Electronic authentication (E-Authentication) is the process of establishing confidence in identities presented remotely over an open network to an information system. OMB M-04-04 defines four levels of identity assurance for electronic transactions requiring authentication, where the required level of assurance is defined in terms of the consequences of authentication errors and the misuse of credentials. Level 1 – Little or no confidence in the asserted identity Level 2 - Some confidence in the asserted identity Level 3 - High confidence in the asserted identity Level 4 - Very high confidence in the asserted identity
OMB M-04-04 E-Authentication Guidance• Requires agencies to review new and existing electronic transactions to ensure that authentication processes provide the appropriate level of assurance. 1. Conduct a risk assessment of the e-government system. 2. Map identified risks to the applicable assurance level. 3. Select technology based on e-authentication technical guidance. 4. Validate that the implemented system has achieved the required assurance level. 5. Periodically reassess the system to determine technology refresh requirements.
Maximum Potential ImpactsFIPS 199 Risk/Impact Profiles Assurance Level Impact Profiles Potential Impact Categories for 1 2 3 4 Authentication ErrorsInconvenience, distress or damage to standing or Low Mod Mod HighreputationFinancial loss or agency liability Low Mod Mod HighHarm to agency programs or public interests N/A Low Mod HighUnauthorized release of sensitive information N/A Low Mod HighPersonal Safety N/A N/A Low Mod HighCivil or criminal violations N/A Low Mod High
NIST Special Publication SP 800-63-1 Electronic Authentication Guideline• Provides technical guidelines for Federal agencies implementing electronic authentication.• Defines electronic authentication (e-authentication) as the process of establishing confidence in identities electronically presented to an information system.• Applies to remote electronic authentication of users over open networks.• Defines four levels of increasing assurance: Levels 1,2,3,4 and the threats to be mitigated at each of these levels.• Defines technical requirements in the areas of identity proofing, registration, tokens, management processes, authentication protocols and related assertions.
Strong Authentication A Combination of Two or More Authentication FactorsSomething You Know Something You Have Something You AreUsername/Passwords Hardware OTP TokenMother’s Maiden Name Fingerprint Digital CertificateTransaction History Iris Pattern Smart Card
E-Authentication Assurance Levels (OMB M-04-04) HSPD-12 PIV CardIncreased Strength Multi-Factor Token PKI/ Digital Signature Biometrics One-Time Password Very High Knowledge-Based High PIN/User ID Medium Low Access to Applying Obtaining Employee for a Loan Govt. Screening Protected Website Online Benefits for a High Risk Job Increased Need for Identity Assurance
User Authentication Product Family Public Key Infrastructure Symantec Identity Protection Fraud Detection Service Rules Eng. Behavior Eng. RISK SCORE PKI service issues certificates Shared cloud-based two-factor for strong authentication, authentication solution offering Risk-Based authentication and encryption and digital signing multiple token choices software-based fraud detectionGovernment Enterprise eCommerce Financial Services
Symantec Solutions for Authentication OTP Card SMS and Voice Browser Toolbar OTP Tokens Mobile OTP OTP USB PKI TokensSmartcards Strong AuthenticationDigital (User and Site)Certificates SSL Cert Secure Seal VIP Fraud Detection ServiceVeriSign® Identity Protection Network (fraud intelligence and shared authentication)
What PKI Enables… • Prevent unauthorized access Strong through enhanced authenticationAuthentication • Primary integration points: Web applications, remote access, desktop logon, and wireless • Provides data integrity and enable non- Digital repudiation for electronic transactions Signatures • Primary integration points: Email, Adobe, and custom applications • Protect sensitive information whether data is in transit or at rest Encryption • Primary integration points: Email, disk, file/folder, and databases
Managed PKI Services for the Public Sector– Federal Shared Service Provider PKI Enables Federal agencies to comply with HSPD-12. VeriSign SSP PKI services and Card Management System are certified and on the GSA FIPS-201 Approved Products List (APL)– Non-Federal Shared Service Provider PKI Enterprise PKI for any organization needing interoperability with the Federal government. Provides interoperability with the Federal PKI at multiple assurance levels through cross-certification with the Federal Bridge Certification Authority (FBCA).– ECA Certificates Enable organizations, contractors and individuals to securely communicate with Federal, state and local government agencies.
Non-Federal SSP PKI CustomersU.S. Government – U.S. Nuclear Regulatory Commission – U.S. Senate – Dept of State (Millennium Challenge Corporation)State Government – State of Kansas – State of Colorado – State of California (CA Prison Healthcare Systems) – State of Virginia (Fairfax County Government)Universities – University of HoustonGovernment Contractors – Booz Allen & Hamilton -General Dynamics – Noblis (Mitretek) -Dyncorp
Symantec Validation and ID Protection User with Enterprise VIP Authentication Symantec VIP Service Token Consumer Portal, Business Partner Extranet Government Network
Symantec/Experian Two Factor Authentication Solution Symantec Experian Symantec OTP OTP Token Precise ID Authentication (NIST 800-63-1 Level 3) Service User Online Government Application 1. NIST Level 3 Remote Identity Proofing using Experian Precise ID. 2. Multiple form-factors for OTP tokens for multiple platforms. 3. Two-Factor Authentication with PIN, OTP and in-the-cloud validation service.
Summary• The two primary user authentication technologies in use today are PKI and OTP. Symantec delivers/supports both of these for government customers via cloud services.• While both PKI and OTP are used for e-authentication, only PKI can deliver a full suite of security services including confidentiality, integrity and non- repudiation.• OTP solutions are more likely to be used for remote access and external constituent access to government services because of their reduced cost and complexity.• NIST SP 800-63-1 Level 3 assurance is the target for most applications involving personally identifiable information and/or valuable transactions.• Experian and Symantec have collaborated to provide a suite of integrated identity proofing and authentication services that supports NIST SP 800-63-1.• In the future government agencies are expected to transition from being providers of credentials to accepting identity credentials issued by external identity providers.