Strategy: Authentication
Who Are You? Choosing the Right Authentication Strategy
Whether it’s just a password, or a complex multifactor authentication method including a user name, one-time password (OTP) and geolocation, authentication is a necessity for all businesses. However, the evolution of the threat landscape isn’t making the decision of how to address authentication any easier. For example, malware can now perform “man-in-the-browser” attacks to usurp a real user’s credentials. And, as business needs change, enterprises have to choose -- or retrofit -- an authentication system that can be adapted as they add more users, more services and more customers.
Fail to base your authentication strategy around interoperability and standards, and you’ll likely be left with a hodgepodge of systems and directory information sources. The heart of the problem is that security is then playing catch-up, as enterprises have deployed off-the-shelf and custom applications and services with no real integration and no plan to handle the eventual need to expose some of those services to the Internet for Web users and remote workers.
The decision of which method, or methods, to choose must be based on risk assessments focused on the criticality of the services and sensitivity of the data to be protected. Here’s how to make a smart selection that will grow with the business and adapt to new threats.
Table of Contents
Author’s Bio
Executive Summary
Authentication as You Grow
Looking Beyond Passwords
Regulatory Forces Driving Authentication
Assess Your Authentication Requirements
Levels of Assurance
Figure 1: NIST Electronic Authentication Guideline
Understanding Authentication Options
Weighing Risk Against Cost
The Future of Authentication Is Cloudy
Figure 2: Authentication Types Compared
About the Author
John H. Sawyer is a senior security engineer with the University of Florida, Gainesville and a Dark Reading, Network Computing and InformationWeek contributor and blogger. Sawyer’s current duties include network and Web application penetration testing, intrusion analysis, incident response and digital forensics. He was recently awarded a 2010 Superior Accomplishment Award from the University of Florida for his work as part of the UF Office of Information Security and Compliance.
Sawyer is a member of team 1@stplace, a small group of righteous hackers that won the electronic Capture the Flag computer hacking competition at DEFCON in Las Vegas in 2006 and 2007. His certifications include Certified Information Systems Security Professional and GIAC Certified Web Application Penetration Tester, Incident Handler, Firewall Analyst and Forensic Analyst. He is a member of the SANS Advisory Board and has spoken to numerous groups, including the Florida Department of Law Enforcement and Florida Association of Educational Data Systems (FAEDS), on network attacks, incident response and malware analysis.
He holds a Bachelor of Science in Decision and Information Science from the University of Florida.