
Session 7 e_raja_kailar


Published in: Technology
  1. PHIN Systems Security and Two Factor Authentication
     Raja Kailar, Ph.D., Senior Security Consultant, IRMO/,
  2. Problem Description
     - PHIN: collaborating partners sharing public health information over un-trusted networks
     - Security depends on reliable identification and authentication (I&A)
     - Many public health partners rely solely on login + password for I&A
     - Need additional authentication factors for security…
  3. PHIN - Operational Environment
  4. PHIN Users, Interactions, Security Perimeters
     - Users: external, internal
     - Interactions: B2B, C2B
     - Perimeter: firewalls, DMZ
  5. High Level Security Requirements
     - Strong authentication is important for most requirements
  6. Authentication Considerations
     - What are your PHIN applications? Who are your users?
     - Is your user population relatively stationary or mobile?
     - From where do your users need to access PHIN applications? Intranet? Internet? Both?
     - Does your network infrastructure provide adequate protection to PHIN data (GAP analysis)?
  7. Minimum Authentication Recommendation: C2B/Internal User
     - Note: if you also have external users, use the same (DMZ) proxy and 2 factor authentication for all users
  8. Minimum Authentication Recommendation: B2B Applications
  9. Minimum Authentication Recommendation: C2B/External User
  10. What is Two Factor Authentication and Why do we need it?
     - Authentication factors:
       - What I know (password, PIN)
       - What I have (token, private key)
       - Who I am (thumbprint, retina, voice)
     - Two factor authentication:
       - What I know + what I have (PIN + token)
       - What I know + who I am (PIN + thumbprint)
     - Strong identity assurance: harder to spoof
  11. Two Factor Authentication – One Time Password (Secure Token)
  12. Two Factor Authentication – Digital Certificates
  13. Two Factor Authentication – Biometrics
  14. Authentication Mechanisms – System Differentiation: Mobility / Ease of Use
     - Digital certificates: PKCS12 files; suited for laptop users
     - One time passwords (secure tokens): key-fob is mobile; smart cards need card and readers
     - Biometrics: hardware/software readers
  15. Authentication Mechanisms – System Differentiation: Assurance Level / Accuracy
     - Digital certificates: binary match
     - One time password (secure token): binary match
     - Biometrics: fuzzy match; false positives/negatives possible
  16. Authentication Mechanisms – System Differentiation: Use in Automated Authentication Handshaking (B2B)
     - Digital certificates: open standards based (X.509, SSL); digital signatures (XMLDSIG); interoperable
     - One time passwords (secure tokens): proprietary, domain specific
     - Biometrics: proprietary, domain specific
  17. Authentication Mechanisms – System Differentiation: Cost

     | System               | Users | Deployment Cost (approximate) |
     |----------------------|-------|-------------------------------|
     | Digital Certificates | 1000  | $100,000 - $200,000           |
     | Secure Tokens        | 1000  | $60,000 - $100,000            |
     | Biometrics           | 1000  | $100,000                      |

     - Deployment cost based on market leaders (low cost alternatives exist)
     - Lifecycle management costs are implementation and environment dependent
  18. And the winner is? Depends on your PHIN usage:
     - Digital certificates: the only technology that supports open standards based interoperability for
       - automated B2B authentication (e.g., PHIN web-services)
       - asymmetric key based encryption for messaging
       - digital signatures for communication non-repudiation
     - Secure token (key-fob): mobility and ease of use for C2B authentication
     - Digital certificates are needed for server authentication (SSL) in any case
  19. Authentication – Approach A
     - Users authenticate to a DMZ web-server (proxy) using password + client certificates over SSL
     - B2B applications authenticate to a DMZ proxy web-server using client certificates over SSL
     - Suited for relatively static user populations or for laptop users
     - Single authentication infrastructure to implement and manage
  20. Authentication – Approach B
     - Users authenticate to a DMZ web-server (proxy) using a key-fob
     - External B2B applications authenticate to the DMZ using client certificates over SSL
     - May be required if the user population is highly mobile
     - Two infrastructures to manage/keep in sync
  21. Other Perimeter Security Considerations
     - Authorization, access control
     - User identity lifecycle management
     - Single sign-on
  22. Questions?
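The slides on two factor authentication (slide 10) and on one time password secure tokens (slide 11) describe the idea but not the mechanics. The following is an added example, not code from the presentation or from PHIN: a minimal server-side verifier that combines "what I know" (a salted, iterated password hash) with "what I have" (an HOTP key-fob code computed per RFC 4226, the open algorithm many hardware tokens use). The user name, password, token secret and PBKDF2 iteration count are constructed values; the look-ahead window of 5 is an assumed operational setting. The verifier advances the stored counter past any accepted code, which is what makes a replayed one time password fail.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer and reduction to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


PBKDF2_ITERATIONS = 100_000  # constructed value; pick per current guidance for your deployment


class UserRecord:
    """Server-side state for one user: salted password hash (factor 1) plus the
    key-fob's shared secret and the next counter the server expects (factor 2)."""

    def __init__(self, password: str, token_secret: bytes) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ITERATIONS)
        self.token_secret = token_secret
        self.counter = 0  # next counter value the server will accept from the token

    def check_password(self, candidate: str) -> bool:
        h = hashlib.pbkdf2_hmac("sha256", candidate.encode(), self.salt, PBKDF2_ITERATIONS)
        # Constant-time comparison so the response timing does not leak hash bytes.
        return hmac.compare_digest(h, self.pw_hash)

    def check_token(self, code: str, window: int = 5) -> bool:
        """Accept a code within a small look-ahead window (the fob may have been
        pressed without logging in), then move the counter past the used value."""
        for i in range(window):
            c = self.counter + i
            if hmac.compare_digest(hotp(self.token_secret, c), code):
                self.counter = c + 1  # the same code can never be accepted again
                return True
        return False


def two_factor_login(user: UserRecord, password: str, code: str) -> bool:
    """Both factors must pass. The password is checked first so that a wrong
    password cannot consume (and desynchronise) the token counter."""
    if not user.check_password(password):
        return False
    return user.check_token(code)


def demo() -> dict:
    """Walk through a login, a replay of the same code, a later code inside the
    window, and a wrong password; returns the outcomes for inspection."""
    secret = b"12345678901234567890"  # RFC 4226 test-vector secret, constructed for the demo
    user = UserRecord("correct horse battery", secret)
    first = two_factor_login(user, "correct horse battery", hotp(secret, 0))
    replay = two_factor_login(user, "correct horse battery", hotp(secret, 0))
    skipped = two_factor_login(user, "correct horse battery", hotp(secret, 3))
    wrong_pw = two_factor_login(user, "wrong password", hotp(secret, 4))
    return {"first": first, "replay": replay, "skipped": skipped,
            "wrong_pw": wrong_pw, "counter": user.counter}


if __name__ == "__main__":
    print(demo())
```

With the RFC 4226 secret above, `hotp(secret, 0)` is `755224`, which is the first value in the RFC's test table, so the token side can be checked against a published reference before any fob is enrolled. Note that the binary match on both factors (slide 15) is what makes the replay test deterministic: a code either equals the expected HOTP output or it does not.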