Moving past passwords

February 2015 Security Services & Risk Management

In the past, enterprises could focus most of their energy on securing the network perimeter, confident that static passwords were more than enough to authenticate users inside their firewalls. This is no longer adequate as IT administrators grapple with challenges including today’s Advanced Persistent Threats (APTs) and the vulnerabilities created by the Bring Your Own Device (BYOD) mobility model. Increasingly, the only reliable way to combat today’s escalating threats is to employ strong authentication and a multi-layered security strategy that spans remote access, key applications and servers, and cloud-based systems.

Choosing an effective strong authentication has recently become much easier. Past solutions did not provide sufficient security, they were difficult to use, and their implementation was costly and complex. This has changed with the adoption of smartphones, smartcards and other smart devices that can carry secure credentials. Today’s new strong authentication model enables enterprises to:

• Create converged solutions that not only deliver secure logical access to the network and cloud-based services and resources, but also control physical access to buildings.

• Support mobile security tokens that give users an extremely convenient and secure access solution they can use on smartphones or tablets.

• Integrate intelligence for enhanced security including device identification and using built-in technologies such as GPS for location awareness.

• Achieve more effective threat protection using multifactor authentication as part of a multi-layered security strategy.

Tap in authentication

Previous hardware OTPs, display cards and other physical devices have provided a solution for two-factor authentication (i.e., something the user knows, such as passwords, plus something the user has, such as a mobile or web token). Unfortunately, hardware OTPs are inconvenient and only useful in a limited number of applications. Software OTPs carried on mobile phones, tablets and browser-based tokens are easier to use, but more vulnerable to security threats. Alternatives like smartcards based on the Public Key Infrastructure (PKI) are more secure, but tend to be costly and difficult to deploy.

A better approach is to take advantage of short-range connectivity technology, such as Near Field Communications (NFC) technology, that is becoming available in smartcards, and a standard feature on smartphones and laptops. These devices can be used to gain access to resources by simply 'tapping in'. The tap-in model eliminates the need for multiple devices to issue and manage, or for entering a password on a touch-screen device. Users can tap-in to facilities, VPNs, wireless networks, corporate intranets and cloud- and web-based applications, as well as SSO clients.

Besides improving cost, security and convenience, the tap-in strong authentication model will also enable enterprises to achieve true access control convergence. A single solution can be used to access IT resources while also enabling many types of physical access control applications such as secure print management, cashless vending, and biometric templates for additional factors of authentication. With the new tap-in strong authentication model, all of these applications would be delivered on the same smart card or phone alongside OTPs, eliminating the need for users to carry any additional tokens or devices.

A layered security approach

In addition to user authentication, several other security layers should be considered. The second layer is device authentication, which goes beyond determining that the user is who he or she claims to be, to also verify that the person is using a known device. The best approach is to combine endpoint device identification and profiling with such elements as proxy detection and geo-location.

The third layer to employ is one that ensures the user’s browser is part of a secure communication channel. Although this browser protection layer can be implemented through simple passive malware detection, this approach does not yield the strongest possible endpoint security. A more effective approach is to use a proactive hardened browser that provides a mutual secure socket layer connection to the application.

The fourth layer to consider is transaction authentication/pattern-based intelligence. Implementing this layer increases security for particularly sensitive transactions. A transaction authentication layer can include several elements such as Out-Of-Band (OOB) transaction verification, transaction signing for non-repudiation, transaction monitoring, and behavioural analysis.

The final layer to implement is application security. This layer protects applications on the mobile devices used to deliver sensitive information. Ideally, the application must not only be architecturally hardened, but also should be capable of executing mutual authentication. Data theft is much more difficult and costly for hackers who are confronted with this security layer.

Each of these security layers can be implemented using an integrated versatile authentication platform with real-time threat detection capabilities. This type of platform has seen proven use for quite some time in online banking and ecommerce. Now, similar types of threat detection technology platforms are expected to migrate to the corporate sector, where they can provide one more layer of security for such remote access use cases as VPNs or virtual desktops.

Making the transition

As manufacturers enable more and more phones, tablets and laptops with short-range connectivity technology, this has led many companies to seriously consider the benefits of incorporating secure physical and logical access into their facilities and IT access strategies using these mobile platforms. Making the transition to these capabilities requires a multi-technology smartcard and reader platform that is extensible and adaptable. To maximise flexibility and interoperability, this platform also should be based on open architecture to it can support current and future technologies while staying ahead of evolving threats. Finally, it should also enable both legacy and new credential technologies to be combined on the same card while also supporting mobile platforms.

To optimise security, the smartcard and reader platform should use contactless high frequency smartcard technology that features mutual authentication and cryptographic protection mechanisms with secret keys. It should also employ a secure messaging protocol that is delivered on a trust-based communication platform within a secure ecosystem of interoperable products. These will help ensure that organisations have the highest level of security, convenience, and interoperability on either cards or phones, and that they can adapt their solutions to meet future needs including strong authentication to protect data and cloud applications, and contactless high-frequency smartcard technology for numerous physical access control applications.

With the right foundation, organisations can solve the strong authentication challenge while protecting everything from the cloud and desktop to the door. Effective planning also ensures they can reduce security solution deployment and operational costs by leveraging their existing physical access control credential investment to seamlessly add logical access control for network log-on. The result is a fully interoperable, multi-layered security solution that spans all of the organisation’s networks, systems and facilities.

For more information contact HID Global, +27 (0)82 449 9398, [email protected], www.hidglobal.com



Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

NIS2 compliance amplifies skills shortages and resource strain
Information Security Security Services & Risk Management
A new Censuswide survey, commissioned by Veeam Software reveals the significant impact on businesses as they adapt to this key cybersecurity directive, with 95% of EMEA businesses siphoning other budgets to try and meet compliance deadline.

Read more...
SA company develops world-first safe K9 training for drug detection
Editor's Choice News & Events Security Services & Risk Management Government and Parastatal (Industry)
The Braveheart Bio-Dog Academy recently announced the results of its scientific research into training dogs to accurately detect drugs and explosives without harming either the dogs or their handlers.

Read more...
Understanding South Africa’s Cybercrimes Act
Information Security Security Services & Risk Management
The Cybercrimes Act No.19 of 2020 is a comprehensive legislative response to the evolving landscape of cyberthreats in South Africa. Its effectiveness, however, relies on enforcement, which relies on implementation, international cooperation, and collaboration between the public and private sectors.

Read more...
Partnership addresses fire hazard mitigation
Brigit Fire (a Division of Hudaco Trading) Elvey Security Technologies Fire & Safety Security Services & Risk Management
Brigit Fire has partnered with the Elvey Group. The collaboration will see Brigit Fire distributing both the advanced C-TEC addressable fire detection systems (CAST Technology) and GreenMist lithium extinguishers.

Read more...
Fire protection for a solvent extraction plant in Africa
FS Systems Fire & Safety Security Services & Risk Management Mining (Industry)
A prominent mining site operates a state-of-the-art solvent extraction (SX) plant, integral to separating and purifying metals from ores, which pose significant fire risks, as SX processes involve highly flammable organic solvents and elevated operating temperatures.

Read more...
Taking fire safety seriously
G2 Fire Editor's Choice Fire & Safety Security Services & Risk Management
To gain insights into how fire systems must be designed, installed and maintained, SMART Security Solutions asked Nichola Allan, MD of G2 Fire, for some insights into the local fire market.

Read more...
New data privacy trends increase large cyber claims
Security Services & Risk Management News & Events
Frequency and value of sizeable cyber insurance claims up 14% and 17% year-on-year in the first half of 2024, with a growing trend in the US for litigation against large corporations related to privacy violations.

Read more...
Streamlining and securing enterprise risk management
Security Services & Risk Management
[Sponsored] A new enterprise risk management web app from Zulu Consulting, called Risk-IO, is designed to automate and streamline the enterprise risk management process, ensuring no steps are skipped and everything is securely documented.

Read more...
Professional Firearms Trainers Council slams SASSETA’s skills programme
News & Events Security Services & Risk Management
The Professional Firearms Trainers Council (PFTC), the body responsible for private sector firearms training accreditation, has raised concerns with the Minister of Higher Education regarding a new skills programme proposed by SASSETA, which could put 42 000 jobs at risk.

Read more...
Data protection investments grow
Infrastructure Security Services & Risk Management
Senior IT professionals in small to large-sized businesses are allocating a significant portion of their IT budget to data protection and recovery, according to a recent survey from Arcserve.

Read more...