IDENTITY PLATFORMS: How central, flexible deployment of multiple authenticators benefits security and reduces cost
 


Identity and authentication management, or IAM, represents the greatest security return on investment an organization can make. Former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism for the United States, Richard Clarke, once famously said, "If you spend more on coffee than on IT security, then you will be hacked." Many analysts concur that spending on strong authentication provides the greatest security return on investment. This educational white paper, written by Richard Stiennon, Chief Research Analyst at IT-Harvest and Executive Editor of securitycurrent, explores the concept of identity platforms.
• How to fix intrinsic weaknesses in authentication regimes that result in gaping and trivially exploitable vulnerabilities
• Explore the core features of an authentication and identity platform
• Examine specific features and components organizations should require in a software authentication platform


IDENTITY PLATFORMS: How central, flexible deployment of multiple authenticators benefits security and reduces cost (Document Transcript)

© 2014 IT-Harvest. This paper is sponsored by Entrust.

IDENTITY PLATFORMS: How central, flexible deployment of multiple authenticators benefits security and reduces cost

Identity and authentication management represents the greatest security return on investment an organization can make. Former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism for the United States, Richard Clarke, once famously said, “If you spend more on coffee than on IT security, then you will be hacked.” An internal discussion at Gartner arising from Clarke’s statement led to the conclusion that spending on authentication would provide the greatest security return on investment. Since his 2002 tirade against complacent industry practices, there has been tremendous investment in IT security, with strong authentication mechanisms and identity management representing a healthy segment. Yet deployment of physical access cards, one-time-passcode-generating tokens, digital certificates, biometrics, and even fingerprint readers on the latest iPhones has led to new problems.

In examining the most pressing issues of communications and information confidentiality, the two largest categories of vulnerabilities in the systems currently employed by enterprises are authentication and encryption key management. While recent attacks on encryption infrastructure are eroding trust, we are reminded by Bruce Schneier to “trust the math.” Encryption is still fundamentally sound; the way encryption and keys are deployed and managed is the problem. Furthermore, intrinsic weaknesses in authentication regimes have created gaping and trivially exploitable vulnerabilities that are procedural and operational — not technical — in nature. As an example, the sheer complexity of many enterprises’ authentication regimes has led users to undermine and abuse the very systems put in place to assure adherence to company security policies. Shared credentials for server administration are just one of the ways IT departments still introduce holes in an otherwise good security architecture.

[Sidebar: Entrust Mobile Solutions: device certificates, MDM integration, application protection, analytics, strong authentication (OTP, grid, SMS), smart credentials, transaction signing]
Mobile devices and the growth of cloud-enabled applications highlight, but by no means define, the acuteness of this enterprise identity crisis. For decades, users have wrestled with frustrating password regimes and two-factor schemes and have created security problems ranging from petty revolts (e.g., re-using the same easy-to-guess password until forced to change it) to fundamentally human coping mechanisms (e.g., taping the doctor’s one-time-passcode token to the monitor at the nurse’s station). These problems have multiplied under stress from mobility: with each employee who is issued a mobile device by the company possessing at least two (and often more) such devices, and with increasing amounts of each employee’s online life (social media, Web browsing, news and entertainment, etc.) conducted on them, enterprises are experiencing a critical need for centralized, authoritative identity management whose reach extends from deep in the corporate core all the way out to these mobile devices.

One thing we know to be true: policy, training and awareness campaigns will not stop or even slow employees’ adoption and use of these devices. It is essential that enterprises provide a technical framework capable of permitting the activities employees will engage in — all in a manner that is controllable, or at least understandable, by the security organization.

This paper examines the core features required of an authentication and identity platform. First and foremost, in addition to handling heterogeneous device and mobile device certificates, easy management of identities is essential. The ability for employees to use multiple devices for multiple purposes, role-based and fine-grained access control, and easily defined permissions based on the appropriate role and identity are fundamental. Hand in hand with these capabilities goes the requirement to quickly replace or revoke lost or misappropriated credentials as soon as the untrusted status of a credential is understood.

[Sidebar: Entrust: Widest Range of Digital Certificates in the Market: user certificates, device certificates, server certificates, specialty certificates (national ID cards)]
ELEMENTS OF A COMPLETE IDENTITY PLATFORM ARE:

Deployable across multiple domains:
• Physical: Create, deploy and manage authenticators for access to secure facilities, data centers and segmented work environments.
• Logical: Control access to networks and devices. Solve the privileged user problem.
• Cloud: Control authentication to hosted environments for administrators and end-users of cloud applications.
• Mobile: Not only secure mobile devices but leverage their unique characteristics to provide device-centric assurance through strong authentication.

It is in the category of mobile device access that authentication platforms are most crucial. The most common threat to enterprise data posed by mobile devices is careless but well-intentioned people who travel with unprotected or under-protected mobile devices that have been set up to access corporate applications, data stores and, especially, email. Many users, feeling that they simply must have access to all their email wherever they are, set their mobile device mail client to download their entire corporate inbox and keep it synchronized. By allowing role-, persona- and Geo-IP-based authentication tools and integrating well with an MDM, an authentication platform can help protect employees (and the enterprise) from themselves by automatically limiting the type and volume of data that may be accessed via a mobile device based on a range of circumstances, such as country location.

[Figure: Entrust IdentityGuard Cloud Services: user, device, server and specialty certificates; admin, self-service and API interfaces; reporting, workflow, discovery, notifications, management, auditing, online help, licensing, personalization, eCommerce, APIs, Communicator]
FLEXIBLE AND EXTENSIBLE

Many organizations have large investments in identity solutions. An identity platform should allow for the co-deployment of new authenticators alongside legacy solutions. Integrations into legacy systems and modern cloud-based applications will also improve the return on the investment made in an identity-based security framework. A robust API should allow rapid integration with existing solutions. Moving authentication beyond traditional factor-based methods also improves security by providing rich context- and risk-appropriate measures that enable trust elevation when necessary. This is accomplished through the use of a flexible policy engine that leverages context about the user’s environment and scores the risk associated with transactions or access requests. By combining these mechanisms, a more intelligent decision can be made and, if necessary, an elevation of trust in the user’s identity required, or the request denied outright.

EASE OF MANAGEMENT

An identity platform should have a Web front-end that is easy to access, has strong security controls, and can handle all forms of authentication with role assignments and graduated strength depending on use case (e.g., location, time, etc.). Users should be able to enroll and get the required credentials quickly and with the least pain. To the lay user, the authentication platform will cause the most pain, and will be most expensive in terms of support. This will likely occur at the personal-authentication level with password and multi-factor authentication methods, including one-time-passcode hardware or software tokens, biometric devices, USB tokens, and virtual or physical access cards. When these are combined with other factors such as Geo-IP limiting, cross-method compatibility is essential to provide a smooth experience. Nothing is more frustrating to a user than entering the correct credentials but being locked out of a critical business application, outside business hours, because of a security measure outside his control.

Federation is one of the most difficult scenarios to accomplish, especially when multiple entities must be able to provide access to each other’s users. An identity platform should have the capability to overcome the complexities of federation. SAML (Security Assertion Markup Language) remains the dominant method used by enterprises and governments alike. This enables the use of third-party applications and systems without requiring user credentials to leave the secure environment. As cloud-based business practices expand, this capability will improve the user’s experience and drastically reduce the risk associated with relying on third-party security measures and the explosion of corresponding identities.

[Figure: Entrust Identity Platform: mobile, traditional authentication, cloud/federation, physical/logical access, transaction signing, X.509 as-a-service]
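As an added illustration of the context-scoring policy engine and trust elevation described above (this is example code, not the paper's or Entrust's), the following Python sketch scores an access request on the signals the paper names (MDM enrollment, Geo-IP, time of day, resource sensitivity, credential revocation) and returns allow, step-up or deny; the device lists, weights and thresholds are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample state (assumed, not from the paper): MDM-enrolled devices
# per user, a revoked device credential, a Geo-IP allow-list and resources
# that warrant extra scrutiny.
ENROLLED_DEVICES = {"alice": {"phone-a1"}, "bob": {"laptop-b7"}}
REVOKED_DEVICES = {"phone-a0"}               # lost phone, credential revoked
ALLOWED_COUNTRIES = {"US", "CA"}
SENSITIVE_RESOURCES = {"payroll", "server-admin"}
STEP_UP_THRESHOLD, DENY_THRESHOLD = 30, 70    # assumed policy thresholds


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str
    country: str                        # from a Geo-IP lookup of the client address
    hour: int                           # local hour of day, 0-23
    resource: str
    factors: frozenset = frozenset()    # factors already presented, e.g. {"password", "otp"}


def score_risk(req: AccessRequest):
    """Sum weighted context signals; a higher score means less trust in the request."""
    signals = [
        (req.device_id not in ENROLLED_DEVICES.get(req.user, set()), 40, "device not MDM-enrolled"),
        (req.country not in ALLOWED_COUNTRIES, 30, "geo-ip outside allowed countries"),
        (not 7 <= req.hour < 20, 10, "outside business hours"),
        (req.resource in SENSITIVE_RESOURCES, 20, "sensitive resource"),
    ]
    hits = [(weight, why) for fired, weight, why in signals if fired]
    return sum(w for w, _ in hits), [why for _, why in hits]


def decide(req: AccessRequest):
    """Return (decision, reasons): 'allow', 'step-up' (trust elevation) or 'deny'."""
    if req.device_id in REVOKED_DEVICES:      # revocation overrides any score
        return "deny", ["revoked credential"]
    score, reasons = score_risk(req)
    if score >= DENY_THRESHOLD:
        return "deny", reasons
    if score >= STEP_UP_THRESHOLD and "otp" not in req.factors:
        return "step-up", reasons             # demand a second factor before allowing
    return "allow", reasons


if __name__ == "__main__":
    # Enrolled phone, but abroad, late at night, asking for payroll: 30+10+20 = 60
    req = AccessRequest("alice", "phone-a1", "FR", 22, "payroll", frozenset({"password"}))
    print(decide(req))    # ('step-up', [...three reasons...])
```

Presenting an OTP on the same request drops it to "allow", while an unenrolled device from outside the allow-list asking for a sensitive resource crosses the deny threshold without any step-up being offered.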
Leveraging open standards (e.g., SAML, OATH (Open Authentication) or X.509) is a crucial exercise for all security practices. The improved interoperability afforded by these standards helps streamline integration across various endpoints and systems that have no traditional ways of communicating. This also allows security assertions to be passed from an identity platform to a system that does not include built-in security mechanisms. In addition, the very nature of an open ecosystem is meant to increase collaboration to improve the security and efficiency of the protocols. A prime example is the cryptography community’s focus on constantly improving the mathematical underpinnings of ciphers, algorithms and random-number generation, to name a few.

By supporting authentication in such a modular, “as-a-service” or on-premise architecture, the inherent flexibility of the system will lend itself to a more secure experience. The simpler and more transparent the platform, the less likely users are to try to subvert it. A robust identity platform will finally end the Tower of Babel of authentication solutions that most enterprises have struggled with as their identity solutions proliferate. Consolidation into a single identity platform will offer measurable op-ex savings while providing the best “security return on investment.”

Richard Stiennon
Chief Research Analyst, IT-Harvest
January 2014