Restore Balance With Next-Generation Authentication - HB - Final
1 EDITOR'S NOTE
Next-Generation Authentication takes on Cloud and Mobility
Cloud and mobility have taken organizations to a new level of productivity. More flexibility, freedom and access to information have blurred the once hard lines of security. This new era of the way employees work is easier on many, but it has also forced organizations to invest in more advanced authentication technologies to ensure data is being protected.

This TechGuide discusses emerging authentication technologies and the ongoing challenges IT security pros have when dealing with authentication. Brad Causey kicks things off with assessing the value proposition of risk-based authentication, reviewing the technology options available and conceptualizing an implementation to reduce organizational risk while limiting user frustrations.

Joseph Granneman dives into password-based authentication and flaws in using it to protect cloud-based information assets. While this is one of the most critical technical functions that we all use every day, it hasn't evolved much over time. Granneman goes on to discuss testing password-based authentication, password hashing and knowing how to crack and strengthen password-based authentication.

Lastly, Randall Gamby explores enterprise mobile access and the security concerns that come along with the mobile boom. With the demand for accessing enterprise resources from mobile devices, IT security pros must find best practices and technology options available to provide strong authentication services to protect enterprise information. Gamby discusses how to assess the risks of mobile access to enterprise information compared to other electronic channels, how to create good enterprise mobile access governance and how mobile devices authenticate to the data they access.

Rachel Shuster
Associate Managing Editor, Security Media Group
2 Restore Balance With Authentication Technologies
2 RISK-BASED AUTHENTICATION

Protecting data from unauthorized access while making it available to authorized personnel is the IT security professional's ultimate objective. While simple passwords and basic data protection methods are becoming less effective, technologies like multi-factor authentication, biometrics, out-of-band PINs and even voice callbacks are being used to combat risk.

The problem is that most users don't want to answer a call or enter a PIN every time they do something. But by using an intriguing concept called risk-based authentication, it becomes possible to require additional steps only when the risk is elevated. I'll explain how risk-based authentication works, what typical use cases look like and how to conceptualize a smooth authentication process for users while reducing organizational risk.

AN INTRODUCTION TO RISK-BASED AUTHENTICATION

Risk-based authentication, sometimes called adaptive authentication, can most easily be described as a matrix of variables whose combination results in a risk profile. Based on that risk profile, additional authentication requirements may be added before certain functions can be performed. These functions are typically those in which a significant risk exists should they be allowed. Examples include login requests (both for internal network or systems access as well as
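As an added illustration of the "matrix of variables" idea (example code, not from the TechGuide or its authors), the following Python sketch scores one login request against a small set of risk signals and maps the score to an authentication requirement. The signal names, weights and thresholds are assumptions chosen for the example; a real deployment would tune them to its own login data.

```python
# Added example (not the TechGuide's own code): a minimal risk-based
# (adaptive) authentication decision. Signal names, weights and
# thresholds are assumptions chosen for illustration.
from typing import Dict, List
# Each variable in the risk matrix adds its weight when it fires.
RISK_WEIGHTS: Dict[str, int] = {
    "unknown_device": 30,     # device fingerprint never seen for this user
    "new_country": 25,        # country differs from the user's history
    "impossible_travel": 40,  # too far from the last login for the time elapsed
    "anonymising_ip": 20,     # source IP flagged as Tor or open proxy
    "off_hours": 10,          # outside the user's usual login window
    "failed_attempts": 15,    # several recent failed logins on the account
}
STEP_UP_THRESHOLD = 40  # at or above: require a second factor (OTP, callback)
DENY_THRESHOLD = 80     # at or above: refuse the login and raise an alert

def fired_signals(ctx: dict, profile: dict) -> List[str]:
    """Compare one login context with the user's historical profile."""
    signals = []
    if ctx["device_id"] not in profile["devices"]:
        signals.append("unknown_device")
    if ctx["country"] not in profile["countries"]:
        signals.append("new_country")
    # Assumed bound: above ~900 km/h the user could not have travelled there.
    hours = ctx.get("hours_since_last_login", 1.0)
    if hours > 0 and ctx.get("km_from_last_login", 0.0) / hours > 900:
        signals.append("impossible_travel")
    if ctx.get("anonymising_ip"):
        signals.append("anonymising_ip")
    if not (6 <= ctx["hour"] <= 22):
        signals.append("off_hours")
    if ctx.get("recent_failures", 0) >= 3:
        signals.append("failed_attempts")
    return signals

def risk_score(ctx: dict, profile: dict) -> int:
    return sum(RISK_WEIGHTS[s] for s in fired_signals(ctx, profile))

def decide(ctx: dict, profile: dict) -> str:
    """Return 'allow', 'step_up' or 'deny' for this login request."""
    score = risk_score(ctx, profile)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"
# Constructed sample: the user's usual laptop, from home, mid-morning.
PROFILE = {"devices": {"laptop-42"}, "countries": {"US"}}
USUAL = {"device_id": "laptop-42", "country": "US", "hour": 10}
```

The everyday case scores zero and passes silently, which is the point of the approach: the extra step is only demanded when signals such as a new device abroad or an anonymising source address push the score over the step-up threshold.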
3 CLOUD AUTHENTICATION
Password-Based Authentication: A Weak Link in Cloud Authentication

Technology has developed so rapidly in most areas of computing that it is easy to overlook the areas that haven't developed in decades. Password-based authentication is probably one of the most critical technical functions that we use every day, yet it hasn't evolved much since the first multi-user computer systems. We continue to use this archaic form of authentication out of convenience even as more secure methods are developed. Moore's Law, which continually provides faster processors to crack password databases in less time, marches on as well. The dismal results of this continued focus on convenience over security were demonstrated through recent password breaches at social networking giant LinkedIn, radio streaming service LastFM and online dating site eHarmony.

These breaches demonstrate a potentially fatal flaw in using password authentication to protect cloud-based information assets. While the breaches occurred with consumer cloud services, commercial cloud providers often use the same technology. Consequently, companies looking to securely store proprietary information with a cloud-based provider need to understand not just what cloud authentication is, but how that authentication is implemented behind the scenes. This knowledge, coupled with an understanding of the encryption functions and attack methods, will help a company truly understand the risk of using a particular cloud provider.

TESTING CLOUD PASSWORD-BASED AUTHENTICATION

Cloud providers have many options available to safely store password information, but most use the same open-source hashing libraries. This is true of LinkedIn, LastFM, eHarmony and probably many other sites as well. A cloud provider
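An added example, not from the TechGuide or any provider it names, contrasting the weak storage pattern (a single unsalted fast hash, which faster processors make ever cheaper to attack) with a salted, iterated password hash whose work factor can be raised as hardware improves. It uses PBKDF2-HMAC-SHA256 from Python's standard library; the iteration count, salt length and storage-string format are assumptions for the example.

```python
# Added example (not from the TechGuide): per-user salted, iterated password
# hashing beside the weak unsalted pattern. ITERATIONS, SALT_BYTES and the
# "algo$iterations$salt$digest" storage format are assumptions.
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; raise it as processors get faster
SALT_BYTES = 16

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' for storage."""
    salt = os.urandom(SALT_BYTES)  # unique per user: equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def needs_rehash(stored: str, min_iterations: int = ITERATIONS) -> bool:
    """True when a stored hash should be upgraded at the next successful login."""
    algo, iters, _, _ = stored.split("$")
    return algo != "pbkdf2_sha256" or int(iters) < min_iterations

def fast_unsalted_hash(password: str) -> str:
    """The weak pattern: one unsalted SHA-1. Identical passwords give identical
    hashes, and a leaked table can be checked against guesses very cheaply."""
    return hashlib.sha1(password.encode()).hexdigest()
```

Checking `needs_rehash` on each successful login is what lets a provider keep pace with Moore's Law: hashes made under an older, smaller iteration count are transparently recomputed at the current work factor.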
4 MOBILE AUTHENTICATION

With more and more workers requesting access to corporate data through their mobile devices, managers are stuck between wanting to provide enterprise mobile access to their employees and heeding concerns about the security risk these devices pose to the business if they are lost or compromised. In Symantec Corp.'s report, "A Window Into Mobile Device Security," the vendor wrote about the security capabilities of the mobile operating systems from Apple (iOS) and Google (Android), stating that "…[While the vendors' new] security provisions raise the bar, they may be insufficient to protect the enterprise assets that regularly find their way onto devices."

So with the strong demand for accessing enterprise resources from mobile devices, what are the best practices and technology options available to organizations that want to provide strong authentication services to protect their information?

Before this question is answered, it's important to understand that there are not just one or two operating systems on these mobile devices. Workers can walk through the organization's doors with a device sporting any one of several widely used platforms, including Windows Mobile, iOS, BlackBerry, the various flavors of Android or some other proprietary operating system, each at different release levels; all these operating systems may run on anything from a mobile phone, to a mobile gaming device, to a tablet. Capabilities, communications options and functionality can vary greatly from device to device, resulting in an authentication complexity that can be overwhelming for even the most flexible organizations. So how can an organization reduce this problem to a manageable level?

To start, organizations must assess the relative risks of mobile access against other electronic channels used to access enterprise
ABOUT THE AUTHORS

BRAD CAUSEY is an active member of the security and forensics community worldwide and tends to focus his time on Web application security as it applies to global and enterprise arenas. He is a member of the OWASP Global Projects Committee and the President of the International Information Systems Forensics Association chapter in Alabama. Brad is an avid author and writer with hundreds of publications and several books. Brad also holds dozens of industry recognized certificates such as CISSP, MCSE, C|EH, CIFI and CGSP.

Restore Balance With Authentication Technologies is a Security Media Group e-publication.

Robert Richardson | Editorial Director
Eric Parizo | Senior Site Editor
Kathleen Richards | Features Editor