Multi-factor Authentication Bolsters Security
Multi-factor authentication is exponentially more secure than passwords alone. Before accessing enterprise systems, employees and partners must enter at least two credentials: something they know (password or answer to a question), something they have (one-time code from mobile app or text message), or a biometric (typically a fingerprint, voiceprint, or retina scan).
Until now, stronger security came at the expense of budgets and the user experience. Multi-factor authentication meant paying up for hardware tokens or smart cards. Today you can adopt multi-factor authentication affordably and without compromising the user experience. Follow the five recommendations below.
1. FOCUS ON THE USER EXPERIENCE
Give users a choice of how to receive their one-time passcode—for example, mobile app, email, SMS text message, or automated call to a phone number on record. A convenient user experience encourages adoption, which accelerates productivity gains from mobility and BYOD.
To use biometrics as a second or third factor, consider mobile apps. Biometrics apps are already available for scanning fingerprints, voices, faces, earprints, gestures, and retinas. Hands-free authentication based on proximity requires even less effort from users. The workstation verifies the user’s credential by connecting automatically to the user’s mobile device. To prevent a criminal carrying a stolen device from gaining access, be sure to supplement proximity-based authentication with a password.
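As an added example (not code from the Synchronoss paper or its product), this shows how the "something you have" one-time code from a mobile app is generated and checked on the server: RFC 6238 TOTP over a shared secret, with a small clock-drift window and rejection of a code that has already been accepted. The secret is a constructed demo value and the verifier class is an assumed design, not a description of any vendor's implementation.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30       # RFC 6238 default time step, in seconds
DIGITS = 6      # length of the code the user types

# Constructed demo secret (base32 of the RFC 6238 test key), not a real credential.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret_b32: str, at_unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret_b32, at_unix_time // STEP)


class TotpVerifier:
    """Server-side check of the possession factor for one enrolled user (assumed design)."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = secret_b32
        self.window = window          # accept +/- this many steps of clock drift
        self.last_counter = -1        # highest time step already consumed

    def verify(self, submitted: str, now_unix_time: int) -> bool:
        current = now_unix_time // STEP
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue              # replay: a code for this step was already accepted
            expected = hotp(self.secret, counter)
            if hmac.compare_digest(expected, submitted):   # constant-time comparison
                self.last_counter = counter
                return True
        return False
```

The `totp` values for the demo key at times 59 and 1111111109 are the last six digits of the RFC 6238 SHA-1 test vectors, so the generator can be checked against the standard.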
2. TAKE ADVANTAGE OF CLOUD ECONOMICS AND SCALABILITY
The cloud model shifts capital expense for servers and software to a predictable operational expense. You pay as you go. Savings include:
• No on-premises infrastructure (servers, storage, and network resources).
• No maintenance fees and hardware and software upgrades. You always have access to the latest features.
• No additional capital expenditures as you add users.
• Avoidance of productivity loss when on-premises systems go down. Cloud service providers can take advantage of economies of scale to implement high-availability architectures.
Outsourcing to a cloud provider with expertise in authentication also frees up time for your IT team to focus on the core business.
Gartner projects that the number of identity and access management purchases involving authentication as a service will double from 20% in 2016 to 40% in 2020.
Magic Quadrant for Identity and Access Management as a Service, June 6, 2016
synchronoss.com
Table 1 — Sample User Experience for Three Levels of Identity Proofing
NIST Level 1
• Username and password
• Second factor, such as one-time code
NIST Level 2
• Username and password
• Second factor
• Full social security number and date of birth, checked against public databases
• Response to a call or email to the phone number or email address on record
NIST Level 3
• Username and password
• Second factor
• Full social security number, date of birth, and financial data, checked against public databases
• Response to a call or email to the phone number or email address on record
• One or more Knowledge Based Assessment questions, such as monthly mortgage payment or make and model of car in 2012
3. BEFORE ISSUING CREDENTIALS, VERIFY THAT USERS ARE WHO THEY SAY THEY ARE
Before hiring employees you verify their identity by reviewing official documents such as driver’s license, social security card, or passport. It’s more challenging to verify offsite partners’ and contractors’ identity before issuing credentials. How can you verify that John Smith is really the John Smith who works for your accounting firm—not someone else masquerading as John Smith, or even a bot? Verifying the identities of third parties is important in all enterprises, and mandated for certain types of users. Examples include healthcare providers who use e-prescribing software and financial services customers who conduct high-value transactions.
The U.S. National Institute of Standards and Technology (NIST) defines three levels of identity proofing (levels of assurance) that do not require an in-person visit (Table 1). Look for a cloud provider that offers NIST Level 3 identity proofing and is approved by Federal Identity, Credential, and Access Management (FICAM).
4. CHOOSE A CLOUD SERVICE THAT MEETS YOUR INDUSTRY’S SECURITY GUIDELINES
Table 2 lists common security requirements for regulated industries. To meet these requirements, cloud providers invest in data centers, technology, and processes that comply with government standards such as NIST and Federal Information Processing Standards (FIPS) in the U.S., and EU General Data Protection Regulation in the EU.
Table 2 — Data Security Requirements by Industry
INDUSTRY: SAMPLE REQUIREMENTS
Financial Services
• U.S. Payment Card Industry (PCI)
• U.S. Gramm-Leach-Bliley Act (GLBA)
• U.S. Securities and Exchange Commission (SEC)
• U.S. Financial Industry Regulatory Authority (FINRA)
• U.S. Federal Financial Institutions Examination Council (FFIEC)
• U.K. tScheme
• European Banking Authority (EBA)
• European Securities and Markets Authority (ESMA)
• European Insurance and Occupational Pensions Authority (EIOPA)
• Basel Committee on Banking Supervision (BCBS)
Healthcare
• U.S. Health Insurance Portability and Accountability Act (HIPAA)
• U.S. Health Information Technology for Economic and Clinical Health (HITECH)
• Federal Identity, Credential and Access Management (FICAM)
Life sciences
• U.S. Food and Drug Administration (FDA)
• European Medicines Agency (EMA)
• Good Automated Manufacturing Practice 5 (GAMP 5)
All enterprises
• Corporate security policies
• Sarbanes-Oxley Act (SOX)
5. DON’T FORGET PEOPLE AND PROCESS
Even the most sophisticated authentication technology cannot prevent breaches resulting from users leaving their passwords in plain view or reusing their work password for other services. Require employees to attend mandatory cybersecurity awareness training that covers:
• Regulatory compliance.
• Creating strong passwords and keeping them secure.
• Recognizing phishing attacks. Some companies keep employees’ skills sharp by periodically sending out a fake phishing email. Employees who click the link are taken to a web page explaining that the link could have been malicious.
• Understanding the value of multi-factor authentication and using your organization’s solution.
Implement secure IT practices in conjunction with employee training. Be sure to segment the network to limit risk if a cybercriminal does gain access using stolen credentials. In addition, monitor the network for data transfers outside the organization to identify and mitigate vulnerabilities.
Synchronoss Universal Identity, Authentication in the Cloud
Synchronoss Universal Identity (ID) is a cloud-based service that reduces the risk of targeted attacks, credential theft, and identity fraud by providing a powerful layer of authentication security. Whether you extend access to employees, partners, vendors, or customers, Synchronoss reliably verifies user identities and ensures that only the right people gain access to your network. The result: your company and your users can conduct business safely, confidently, and securely.
SIMPLE GROWTH, LOW PER-USER COSTS
As a cloud service, Synchronoss Universal ID requires no on-premises hardware or software. There’s no upfront capital outlay, and you always have access to the latest features and security enhancements. Help desk costs are nominal because users can reset their own passwords. The pay-as-you-go model makes it easy and affordable to add new employees and other users as your business expands.
In the 2016 Verizon study, 92% of all phishing attacks aimed for passwords. The most effective phishing websites succeed 45% of the time in enticing visitors to enter information.[4]
Verizon DBIR, 2016
[4] http://services.google.com/fh/files/blogs/google_hijacking_study_2014.pdf