Session 7 e_raja_kailar

  • 127 views
Uploaded on

 

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
127
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
0
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. PHIN Systems Securityand Two Factor AuthenticationRaja Kailar, Ph.D.Senior Security Consultant, IRMO/CDCrok9@cdc.gov, kailar@bnetal.com
  • 2. Problem DescriptionPHIN – Collaborating partners, sharing public healthinformation over un-trusted networksSecurity depends on reliable identification andauthentication (I&A)Many public health partners rely solely on login + passwordfor I&ANeed additional authentication factors for security…
  • 3. PHIN - Operational Environment
  • 4. PHIN Users, Interactions, Security PerimetersUsers – External, InternalInteractions – B2B, C2BPerimeter – Firewalls, DMZ
  • 5. High Level Security RequirementsStrong Authentication Importantfor most requirements
  • 6. Authentication ConsiderationsWhat are your PHIN applications? Who are your users?Is your user population relatively stationary or mobile?From where do your users need to access PHIN applications?Intranet?Internet?Both?Does your network infrastructure provide adequate protectionto PHIN data (GAP analysis)?
  • 7. Minimum AuthenticationRecommendation: C2B/Internal UserNote: If you also have external users, use same(DMZ) proxy and 2 factor authentication for all users
  • 8. Minimum AuthenticationRecommendation: B2B Applications
  • 9. Minimum AuthenticationRecommendation: C2B/External User
  • 10. What is Two Factor Authenticationand Why do we need it?Authentication FactorsWhat I know (password, PIN)What I have (token, private key)Who I am (thumbprint, retina, voice)Two Factor AuthenticationWhat I know + what I have (PIN + token)What I know + who I am (PIN + thumbprint)Strong Identity Assurance – harder to spoof
  • 11. Two Factor Authentication –One Time Password (Secure Token)
  • 12. Two Factor Authentication -Digital Certificates
  • 13. Two Factor Authentication -Biometrics
  • 14. Authentication Mechanisms –System DifferentiationDigital CertificatesPKCS12 FilesSuited for laptop usersOne time passwords (Secure Tokens)Key-fob: MobileSmart Cards: Need card, readersBiometricsHardware/software readersMobility / Ease of Use
  • 15. Authentication Mechanisms –System DifferentiationDigital CertificatesBinary matchOne time password (Secure Token)Binary matchBiometricsFuzzy matchFalse positives/negatives possibleAssurance Level / Accuracy
  • 16. Authentication Mechanisms –System DifferentiationDigital CertificatesOpen standards based (X.509, SSL)Digital Signatures (XMLDSIG)InteroperableOne time passwords (Secure Tokens)Proprietary, domain specificBiometricsProprietary, domain specificUse in Automated Authentication Handshaking (B2B)
  • 17. Authentication Mechanisms –System Differentiation$100,0001000Biometrics$60,000 - $100,000$100,000 - $200,000Deployment Cost(approximate)10001000UsersSecure TokensDigital CertificatesSystem• Deployment cost based on market leaders (low cost alternatives exist)• Lifecycle management costs are implementation and environment dependent.Cost
  • 18. And the winner is?Depends on your PHIN usage:Digital Certificates - only technology that supports OpenStandards based Interoperability forAutomated B2B authentication (e.g., PHIN web-services)Asymmetric key based encryption for messagingDigital Signatures for communication non-repudiationSecure token (key-fob) - mobility and ease of use forC2B authenticationDigital certificates needed for server authentication(SSL)
  • 19. Authentication - Approach AUsers authenticate to a DMZ web-server (proxy) usingpassword + client certificates over SSLB2B applications authenticate to a DMZ proxy web-server using client certificates over SSLSuited for relatively static user populations or for laptopusersSingle authentication infrastructure to implement andmanage
  • 20. Authentication – Approach BUsers authenticate to DMZ web-server (proxy) using key-fobExternal B2B applications authenticate to DMZ using clientcertificates over SSLMay be required if user population is highly mobileTwo infrastructures to manage/keep in sync
  • 21. Other Perimeter Security ConsiderationsAuthorization, Access Control, User IdentityLifecycle ManagementSingle Sign-on
  • 22. Questions?rok9@cdc.govkailar@bnetal.com