TechGuide

Restore Balance With Authentication Technologies

Cloud and mobility have essentially put organizations on security lockdown. Could next-generation authentication technologies be the key?

1 EDITOR’S NOTE
2 RISK-BASED AUTHENTICATION
3 CLOUD AUTHENTICATION
4 MOBILE AUTHENTICATION
1 EDITOR’S NOTE

Next-Generation Authentication Takes on Cloud and Mobility

Cloud and mobility have taken organizations to a new level of productivity. More flexibility, freedom and access to information have blurred the once hard lines of security. This new era of the way employees work is easier on many, but it has also forced organizations to invest in more advanced authentication technologies to ensure data is being protected.

This TechGuide discusses emerging authentication technologies and the ongoing challenges IT security pros have when dealing with authentication. Brad Causey kicks things off with assessing the value proposition of risk-based authentication, reviewing the technology options available and conceptualizing an implementation to reduce organizational risk while limiting user frustrations.

Joseph Granneman dives into password-based authentication and flaws in using it to protect cloud-based information assets. While this is one of the most critical technical functions that we all use every day, it hasn’t evolved much over time. Granneman goes on to discuss testing password-based authentication, password hashing and knowing how to crack and strengthen password-based authentication.

Lastly, Randall Gamby explores enterprise mobile access and the security concerns that come along with the mobile boom. With the demand for accessing enterprise resources from mobile devices, IT security pros must find best practices and technology options available to provide strong authentication services to protect enterprise information. Gamby discusses how to assess the risks of mobile access to enterprise information compared to other electronic channels, how to create good enterprise mobile access governance and how mobile devices authenticate to the data they access.

Rachel Shuster
Associate Managing Editor, Security Media Group
2 RISK-BASED AUTHENTICATION

Reduce Organizational Risk With Risk-Based Authentication

Protecting data from unauthorized access while making it available to authorized personnel is the IT security professional’s ultimate objective. While simple passwords and basic data protection methods are becoming less effective, technologies like multi-factor authentication, biometrics, out-of-band PINs and even voice callbacks are being used to combat risk.

The problem is that most users don’t want to answer a call or enter a PIN every time they do something. But by using an intriguing concept called risk-based authentication, it becomes possible to require additional steps only when the risk is elevated. I’ll explain how risk-based authentication works, what typical use cases look like and how to conceptualize a smooth authentication process for users while reducing organizational risk.

AN INTRODUCTION TO RISK-BASED AUTHENTICATION

Risk-based authentication, sometimes called adaptive authentication, can most easily be described as a matrix of variables whose combination results in a risk profile. Based on that risk profile, additional authentication requirements may be added before certain functions can be performed.

These functions are typically those in which a significant risk exists should they be allowed. Examples include login requests (both for internal network or systems access as well as Web application scenarios), sensitive data requests or modification of security information.

RISK-BASED AUTHENTICATION VARIABLES

There are two sets of values in this matrix. The first set is the user or client-side variables. These variables are derived from the client, and include information such as originating IP address, hardware identification (MAC address, brand of hard drive and other static identifiers), browser, time of day, how long it takes to enter the user’s password and others. This set of information is used to determine if the user is the same one who logged in with the applicable account credential previously.

Application developers define the second set of values, which are based on the effect of a potential compromise of the function in question, such as letting a hacker log in as another user.

RISK SCENARIOS

Risk-based authentication systems are designed to identify heightened authentication risk. For example, a user on his or her home computer accessing online banking once a day represents little risk, because it is a predictable (logging in once a day) and logical method and source (from the home computer). If that login request instead came from a computer located in the Shanxi province in central China at 1:00 a.m., those variables would suggest an unauthorized login attempt and the system would determine that the risk of that user actually being a hacker is elevated. In such a case, the system can challenge the user login request with a request for additional out-of-band information or even prompt the user to answer security questions.

This is a simple example, but the method is currently in use and highly effective. Login time and location information may not be enough to detect a change in the risk profile, so a plethora of other identifiers can be included in the risk matrix to determine if client-side variables have changed, such as hardware identification, SMS text messages or even voice calls from an automated system.

EXPANDED USE CASES

Not all login attempts will appear suspect, which is why risk-based authentication shouldn’t be limited to login requests. Other high-risk transactions, such as banking scenarios involving a transfer or change to notifications, should receive extra scrutiny. In an enterprise setting, access to sensitive sales or financial data or applications presents more risk for the organization than simply accessing an email account, so a risk-based authentication system can be configured to require users to provide additional user information.

Often with Web applications, Web designers are instructed to only require risk-based challenges on high-risk transactions. Allowing an attacker to log in and view basic data isn’t a high-risk threat, but letting an attacker withdraw money or shut down services affects a business negatively. This methodology also presents minimal disruption to most Web users, who want only to view information in 99% of use cases. This way, only 1% of user interactions with a website would require multi-factor authentication.

Taking this a step further, using device and user data such as behavior, it is possible to combine the source risk with the transaction risk to create a matrix that streamlines the authentication process. Device identification data automatically can detect if a new computer is attempting to log in, and user behavior history on the site can indicate, with some degree of accuracy, if it’s the same person. This is done using navigation patterns and timing. If the user always takes the same URL or click path through the site to arrive at the point where the high-risk transaction takes place and it always takes them three to six seconds to do it, then a deviation in which an attacker directly accesses the high-risk transaction page and does so in only two seconds would indicate an anomaly and greater risk, and should be challenged accordingly.

VENDORS AND IMPLEMENTATIONS

Vendors such as RSA (the security division of EMC Corp.), CA Technologies, Entrust Inc. and others have taken risk-based or adaptive authentication to a whole new level with easy, intuitive integration processes. By integrating the technology into the websites, applications and authentication suites that enterprises use, the technology can build profiles for users through monitoring behavior and activities. As each user logs in, browses a website, accesses corporate systems or requests data, an integrated adaptive authentication system profiles users’ actions so that their behaviors and other pertinent details about their sessions can be compared with future sessions. If an important risk indicator changes from one user session to the next, it can be a clue that something is up, and further authentication details can be requested.

It’s no surprise that Gartner Inc. forecasts that three out of every 10 business-to-business and business-to-enterprise user authentication implementations will incorporate adaptive access control capability by 2015. Combining the latest two-factor and multifactor authentication technology with user and device data tracking, risk-based authentication technology can go a long way in helping enterprises protect sensitive systems data, while making the experience as painless as possible for users. —Brad Causey
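The following Python is an added example, not code from the article or from any of the vendors it names. It implements the two-set matrix the article describes: client-side variables of the current request (device, country, hour, click path and navigation timing) are compared with the user's history to produce a source risk, which is then weighted by a developer-defined transaction risk so that the same deviation counts for more on a funds transfer than on a balance lookup. The profile, the weights and the thresholds are constructed for the example, and the three scenarios are the ones the article walks through.

```python
from dataclasses import dataclass

# Second set of values (developer-defined): weight of each function by the
# effect of its compromise. Constructed for this example.
TRANSACTION_RISK = {
    "view_balance": 1,          # attacker sees basic data: low impact
    "login": 2,
    "change_notifications": 5,  # disabling alerts helps hide fraud
    "transfer_funds": 8,        # attacker withdraws money: high impact
}

CHALLENGE_THRESHOLD = 8   # at or above: ask for out-of-band information
BLOCK_THRESHOLD = 40      # at or above: refuse until a human reviews


@dataclass(frozen=True)
class Profile:
    """What the system learned from the user's previous sessions."""
    known_devices: frozenset
    usual_countries: frozenset
    usual_hours: range              # local hours the user normally logs in
    usual_click_path: tuple         # pages visited before the target page
    typical_path_seconds: tuple     # (min, max) seconds to walk that path


@dataclass(frozen=True)
class Request:
    """First set of values: client-side variables of the current request."""
    device_id: str
    country: str
    hour: int
    click_path: tuple
    path_seconds: float
    transaction: str


def source_risk(profile: Profile, req: Request):
    """Score how far the client-side variables deviate from the profile."""
    lo, hi = profile.typical_path_seconds
    checks = [
        (req.device_id not in profile.known_devices, 3, "new device"),
        (req.country not in profile.usual_countries, 4, "unusual country"),
        (req.hour not in profile.usual_hours, 2, "unusual hour"),
        (req.click_path != profile.usual_click_path, 2, "unusual navigation path"),
        (not (lo <= req.path_seconds <= hi), 2, "unusual navigation timing"),
    ]
    score = sum(weight for hit, weight, _ in checks if hit)
    reasons = [label for hit, _, label in checks if hit]
    return score, reasons


def decide(profile: Profile, req: Request):
    """Combine source risk with transaction risk and pick an action."""
    src, reasons = source_risk(profile, req)
    # An unknown function is treated as the highest-impact one we know about.
    impact = TRANSACTION_RISK.get(req.transaction, max(TRANSACTION_RISK.values()))
    score = src * impact
    if score >= BLOCK_THRESHOLD:
        action = "block"
    elif score >= CHALLENGE_THRESHOLD:
        action = "challenge"  # out-of-band PIN, SMS code or security question
    else:
        action = "allow"
    return action, score, reasons


# Constructed profile: a customer who banks from one home PC in the daytime
# and walks /login -> /accounts -> /transfer in three to six seconds.
HOME_USER = Profile(
    known_devices=frozenset({"dev-home-pc"}),
    usual_countries=frozenset({"US"}),
    usual_hours=range(7, 22),
    usual_click_path=("/login", "/accounts", "/transfer"),
    typical_path_seconds=(3.0, 6.0),
)

if __name__ == "__main__":
    scenarios = {
        "daily balance check from home":
            Request("dev-home-pc", "US", 9, HOME_USER.usual_click_path, 4.5, "view_balance"),
        "login from Shanxi at 1 a.m. on a new device":
            Request("dev-unknown", "CN", 1, HOME_USER.usual_click_path, 4.0, "login"),
        "direct jump to the transfer page in two seconds":
            Request("dev-home-pc", "US", 10, ("/transfer",), 2.0, "transfer_funds"),
    }
    for name, req in scenarios.items():
        print(f"{name}: {decide(HOME_USER, req)}")
```

Multiplying source risk by transaction impact is what keeps the 99% of read-only interactions friction-free: a new device looking at a balance scores 3 and is allowed, while the same new device attempting a transfer from an unusual country scores 56 and is blocked. The thresholds are the part a real deployment tunes against its own false-positive rate.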
3 CLOUD AUTHENTICATION

Password-Based Authentication: A Weak Link in Cloud Authentication

Technology has developed so rapidly in most areas of computing it is easy to overlook the areas that haven’t developed in decades. Password-based authentication is probably one of the most critical technical functions that we use every day, yet it hasn’t evolved much since the first multi-user computer systems. We continue to use this archaic form of authentication out of convenience even as more secure methods are developed. Moore’s Law, which continually provides faster processors to crack password databases in less time, marches on as well. The dismal results of this continued focus on convenience over security were demonstrated through recent password breaches at social networking giant LinkedIn, radio streaming service LastFM and online dating site eHarmony.

These breaches demonstrate a potentially fatal flaw in using password authentication to protect cloud-based information assets. While the breaches occurred with consumer cloud services, commercial cloud providers often use the same technology. Consequently, companies looking to securely store proprietary information with a cloud-based provider need to understand not just what cloud authentication is, but how that authentication is implemented behind the scenes. This knowledge, coupled with an understanding of the encryption functions and attack methods, will help a company truly understand the risk of using a particular cloud provider.

TESTING CLOUD PASSWORD-BASED AUTHENTICATION

Cloud providers have many options available to safely store password information, but most use the same open-source hashing libraries. This is true of LinkedIn, LastFM, eHarmony and probably many other sites as well. A cloud provider following this model only stores an encrypted version of a password using a one-way cryptographic hash.

Some simple tests can verify that the cloud provider is using some type of password encryption. The first test is to request a password reset. If the password is emailed back in clear text, that’s an obvious failure that shows the provider is storing the password in clear text without any encryption. The other test is to examine the characters that can be used to create the password. If the system restricts special characters from being used in the password, it’s a good possibility the password is stored in clear text. The reason for this is that SQL databases interpret certain special characters as providing special functions and not simply as data, so they need to be restricted. A system that fails either of these tests should not be trusted with any confidential data.

PASSWORD HASHING

Hashing tools are built into Linux distributions and provide a good platform for understanding password encryption. These tools are available for Windows as well for those not comfortable with the Linux command line. Enter the following at a command prompt in your favorite Linux distribution to generate an MD5 encrypted hash:

    echo -n 'asdfghj' | md5sum > password.txt

This combination of commands sends the text string “asdfghj” through the md5sum command and redirects the output to password.txt. The text string “asdfghj” should now be represented by the encrypted hash of “c83b2d5bb1fb4d93d9d064593ed6eea2.” This is how the password would be represented in the database of a cloud provider such as eHarmony. The cloud provider does not know what the original password was nor can it reverse the encryption to recover the password.

This is where Moore’s Law turns into a detriment instead of a benefit. The one-way encrypted hash algorithm was conceived when processors lacked the performance required to compute all the possible combinations in a reasonable amount of time. In the past, the only way to attack these hashes was to attempt to brute-force the encryption, which took months or years. Today, pre-computed (rainbow) tables of encrypted hashes encompassing all possible combinations are freely available for download. An attack on password-based authentication then becomes a simple comparison function between the rainbow tables and the target hashes. This is an easy task for modern computing hardware.

Modern cracking programs use high-end video cards to boost performance of the CPUs to further reduce the time necessary for matching hashes. These graphic processing units (GPUs) were designed to do the high-end math necessary to render modern 3D video games. They are often faster than the CPU at these predefined tasks and contain much faster memory and wider I/O channels to facilitate rapid computation. This design element has an unintended consequence: These GPUs are well-suited for cracking encryption. For example, a single GeForce GTX 680 contains 1536 cores that can be put to work matching hashes to rainbow tables.

CRACKING PASSWORD-BASED AUTHENTICATION

I evaluated several tools that use GPUs to accelerate the rainbow table hash matching process. Each tool has its strengths and weaknesses; some are strong on SHA1 or MD5 hashes, while others are focused on cracking Microsoft Windows NTLM hashes used in enterprise networks. I focused on Cryptohaze GRTCrack because it supports multiple types of hashing algorithms as well as both GPU manufacturers, AMD and NVIDIA. It also runs equally well on 64-bit Windows or Linux and is fairly easy to set up with rainbow tables. It can even be run on an Amazon EC2 instance, if the appropriate hardware is unavailable.

Cryptohaze GRTCrack uses rainbow tables that can be downloaded, but only limited lengths are available due to size restrictions. The password length determines the number of possible password combinations; these file sizes vary greatly from 41 GB for a seven-character table to a whopping 1.4 TB for an eight-character table. The addition of a single character increases the size of the file by over 3,400%. The massive increase in size demonstrates how password length is crucial when using cloud-based services; it’s much faster to evaluate 41 GB of hashes than 1.4 TB.

I now had all the components in place to run Cryptohaze against the password.txt file that I generated earlier. The format of the command is:

    GRTCrack-OpenCL -h MD5 -f password.txt /pathtorainbowtables/rainbowtable.grt

The results showed up on my very modest test rig in a very short 15 seconds with the decrypted password “asdfghj.” Password hashes are easily bypassed even with low-end hardware.

STRENGTHENING PASSWORD-BASED AUTHENTICATION

There are several ways to limit the effectiveness of these powerful password cracking tools. The first is to use salted hashes. A salt is randomly generated information that is added to the data before running through the hashing process. This way the encrypted value cannot be pre-computed, rendering rainbow tables useless for cracking the password. The salt must be stored in the database, which could get compromised. However, the salt should be different for each password, which dramatically increases the amount of time necessary to decrypt each record. LinkedIn is adding salt to all accounts as passwords are changed or created to increase security since its breach.

Two-factor authentication is another method that may be required to increase security when authenticating to cloud-based services. Google Authenticator is a free tool for adding two-factor authentication to Google accounts, but it can also be added to Linux systems. Many of the newer Linux distributions already include the code necessary to use Google Authenticator. This is an inexpensive way to add additional security to prevent unauthorized access, even in the event of a hashed password breach.

One thing is certain: Technology will continue to advance, making password-based authentication for cloud services less viable in the future. Password length will need to increase until the point that it becomes impractical to manage. Companies looking to use cloud services need to investigate the type of password hashing and the use of salted hashes when evaluating potential cloud providers. Security professionals need to keep current on password hashing technologies as well as new attack vectors to effectively manage this evolving type of risk. —Joseph Granneman
4 MOBILE AUTHENTICATION

Enterprise Mobile Access: Considerations for Two-Factor Mobile Authentication

With more and more workers requesting to access corporate data through their mobile devices, managers are stuck between wanting to provide enterprise mobile access to their employees and heeding concerns about the security risk they pose to the business if these devices are lost or compromised. In Symantec Corp.’s report, “A Window Into Mobile Device Security,” the vendor wrote about the security capabilities of the mobile operating systems from Apple (iOS) and Google (Android), stating that “…[While the vendors’ new] security provisions raise the bar, they may be insufficient to protect the enterprise assets that regularly find their way onto devices.”

So with the strong demand for accessing enterprise resources from mobile devices, what are the best practices and technology options available to organizations that want to provide strong authentication services to protect their information?

Before this question is answered, it’s important to understand that there are not just one or two operating systems on these mobile devices. Workers can walk through the organization’s doors with a device sporting any one of several widely used platforms, including Windows Mobile, iOS, BlackBerry, the various flavors of Android or some other proprietary operating system, each at different release levels; all these operating systems may run on anything from a mobile phone, to a mobile gaming device, to a tablet. Capabilities, communications options and functionality can vary greatly from device to device, resulting in an authentication complexity that can be overwhelming for even the most flexible organizations. So how can an organization reduce this problem to a manageable level?

To start, organizations must assess the relative risks of mobile access against other electronic channels used to access enterprise information. These security risks include the lack of security capabilities in mobile applications, the growing threat of mobile malware and the ever-present prospect of device misplacement or theft.

To mitigate these risks, an organization must create good enterprise mobile access governance by establishing security policies and procedures. These procedures should include how the mobile devices will be protected, how they can be used and what data can be accessed and stored on them. Without establishing a set of hard-and-fast rules for access, an organization cannot begin to manage the security risks these devices pose or reduce the chance of loss or destruction of the data these devices access.

This governance process must begin with an organization’s executive management conducting a meeting with their IT leadership team to negotiate what is “in bounds” and “out of bounds” when it comes to mobile access to enterprise information. Examples of decisions that must be made include:

■ Whether access to regulated data such as protected health information or other types of sensitive data, such as financial data, is allowed by a mobile device.

■ Whether storage of business data will be allowed on the device, and if so, whether or not it must be stored in an encrypted format.

■ What mobile operating systems, versions and applications will be supported, including any prerequisite software such as software firewalls, antivirus software and other corporate standards for protecting computing devices.

In addition to these examples, enterprise and end-user rights and responsibilities must be clearly defined. Examples of such regulations include mandatory support for password length and complexity, reporting of lost devices and devices shared with friends and family. In the case of a reported loss of a device, whether the organization has the right to remotely wipe the device and physical protection against unauthorized access is important. Finally, organizations need to know what mobile devices will access their information. This should be done by setting up a formal request-for-access process as well as by providing minimal mobile device security training for the end user.

After mobile access governance procedures have been defined, the next decision enterprises must make is how mobile devices will authenticate to the data they access. Many organizations rely on password credentials to authenticate users, so they must establish minimum password length and complexity rules. In addition, many organizations use strike counters on their boundary applications that, after repeated login failures, can lock down or hard-reset a mobile device. While these access controls can be effective, many managers question if passwords are a strong enough credential technology to provide for something that can fall out of a worker’s pocket on the train or be used to access enterprise data from anywhere in the world. Because of these risks, organizations are now evaluating and deploying stronger alternative authentication methods. For example, numerous smartphones now include fingerprint readers that offer an alternative to power-on passwords, and a few mobile security products can also process handwritten signatures entered with a stylus. In addition to these strategies, many organizations are now requiring their workers to install mobile security products that support strong public-key authentication, based on a digital certificate that is provided through the mobile device’s communications channels, such as MMS, text messages and email. Vendors including McAfee Inc., Good Technology Inc., Certgate GmbH, HID Global, SafeNet Inc. and others provide mobile security commercial-off-the-shelf products based on these technologies for many of the most popular mobile operating systems and devices.

For those mobile devices that are allowed to retain enterprise data on internal storage, authentication information can now be stored on a removable media smart card (MMC, SD). This is a strong form of authentication because certificates are nearly impossible to forge. Before the user attempts to access the information, they must insert the card. As long as the card remains inserted, the information is unlocked. However, to prevent a lost mobile device from being compromised, when access is no longer needed, the media smart card is removed and stored away from the device, ensuring the data is safe.

Even though all the authentication methods mentioned are available in the enterprise mobile marketplace, strong mobile security authentication still requires the user to physically add and remove hardware, read a message, view a text or swipe their finger for access. While enterprise security managers are beginning to sleep a bit better at night knowing their information is safer, the current authentication methods require a certain level of interaction with mobile devices to gain access to enterprise data. This technology, by its nature, flies in the face of the mobile device manufacturers’ goals of providing increasingly intuitive, user-friendly applications and services.

To seek a balance between security and convenience, industry authentication vendors are investigating new ways of authenticating mobile devices to achieve a more balanced security architecture. At the forefront of this research process, the Mobile Biometry (MOBIO) project is attempting to ease the burden of strong authentication by recognizing who the user is by using mobile device cameras and microphones, something that’s included in almost every mobile device. The participants in MOBIO are accomplishing this using face and voice recognition software to strongly authenticate the user.

As enterprises struggle to define what data a mobile user will have access to, hopefully in the near future the problem of knowing who the user is will be as easy as he or she speaking into the device and asking for the data. —Randall Gamby
ABOUT THE AUTHORS

BRAD CAUSEY is an active member of the security and forensics community worldwide and tends to focus his time on Web application security as it applies to global and enterprise arenas. He is a member of the OWASP Global Projects Committee and the President of the International Information Systems Forensics Association chapter in Alabama. Brad is an avid author and writer with hundreds of publications and several books. Brad also holds dozens of industry-recognized certificates such as CISSP, MCSE, C|EH, CIFI and CGSP.

JOSEPH GRANNEMAN, CISSP, has more than 20 years in information technology and security with experience in both health care and financial services. He has been involved in the Health Information Security and Privacy Working Group for Illinois, the Certification Commission for Health Information Technology (CCHIT) Security Working Group and is an active InfraGard member.

RANDALL GAMBY is the information security officer for the Medicaid Information Service Center of New York. Prior to this position he was the enterprise security architect for a Fortune 500 insurance and finance company. He also was an analyst for the Burton Group’s Security and Risk Management Services group. He covered secure messaging, security infrastructure, identity and access management, security policies and procedures, credential services and regulatory compliance.

Restore Balance With Authentication Technologies is a Security Media Group e-publication.

Robert Richardson | Editorial Director
Eric Parizo | Senior Site Editor
Kathleen Richards | Features Editor
Kara Gattine | Senior Managing Editor
Rachel Shuster | Associate Managing Editor
Brandan Blevins | Associate Editor
Sharon Shea | Assistant Editor
Linda Koury | Director of Online Design
Neva Maniscalco | Graphic Designer
Doug Olender | Vice President/Group Publisher
dolender@techtarget.com

TechTarget
275 Grove Street, Newton, MA 02466
www.techtarget.com

© 2013 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.