In today’s digital world, the identity of users is defined by their digital credentials. The ability to demonstrate their identity, or authenticate, should be a simple and straightforward action – but surprisingly, it’s not. The reality is that verifying the digital identities of all users accessing the corporate network from multiple access points is one of the toughest security challenges organisations are faced with. It goes without saying that any violation of digital identities causes severe reputation and monetary damage for the organisations affected.
However, the challenges of digital identity management become significantly greater and more complex with a cloud service. Managing user authentication in a cloud environment means every user is effectively a remote user. To further complicate the issue, many organisations support a mix of on-premise and cloud IT services, making user authentication even more challenging. If we add to the picture the issues around managing user access from different mobile devices, it becomes clear why organisations are finding it so difficult to effectively manage user authentication in the emerging cloud and mobile computing infrastructures.
To secure digital identities in these heterogeneous user and systems environments, organisations need to adopt robust multi-factor authentication solutions as part of a holistic security strategy that offers multiple layers of protection. These layers of protection should include encryption, access controls, encryption key management, network security and strong authentication.
A strong authentication solution that secures both the identity of users and the applications that access non-public areas of an organisation’s network is the first step to ensuring data protection. The lack of adequate authentication mechanisms can result in critical vulnerabilities in an organisation’s ability to protect sensitive information throughout its lifecycle.
One of the areas where authentication vulnerabilities are most critical is online banking. In this electronic age, where banks are fighting off increasingly sophisticated cyber threats, it is vital that a bank customer’s digital identity be protected at all times. Unfortunately, single-factor authentication solutions do not offer comprehensive protection against more sophisticated threats such as Man-in-the-Browser (MitB) and Man-in-the-Middle (MitM) attacks in which hackers hijack legitimate user identities during a transaction and redirect funds.
Such attacks could be better prevented with next generation authentication devices that use optical sensors to read financial transaction data from the screen and generate a unique electronic signature that validates each transaction. The user then keys the signature into the browser and confirms the payment. An approach that combines secure electronic transaction signing with OTP (one time password) strong authentication eliminates the risk of transaction tampering, as well as forgotten, stolen, or hacked passwords and mitigates the risk of identity theft.
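As an added illustration of why transaction signing defeats a Man-in-the-Browser attack (this is example code written for this article, not a product or vendor implementation; the device secret, account numbers and nonce are constructed values), the sketch below models the signing device and the bank’s verifier. The device computes a short numeric code over exactly the transaction details the user sees on its display plus a server-issued nonce; the bank recomputes the code over the details it actually received. If malware in the browser rewrites the destination account after the user has signed, or replays an old code, the recomputation fails:

```python
import hmac
import hashlib

# Constructed example secret. In practice this is a per-device key provisioned
# into the customer's signing token and stored by the bank; it never leaves
# the device or the bank's key-management system.
DEVICE_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def canonical_transaction(account: str, amount_cents: int, nonce: str) -> bytes:
    """Byte string the signature covers: the fields the user verifies on the
    device display, plus a server-issued nonce so a code cannot be replayed."""
    return f"{account}|{amount_cents}|{nonce}".encode("utf-8")


def sign_transaction(secret: bytes, account: str, amount_cents: int,
                     nonce: str, digits: int = 8) -> str:
    """What the signing device does: HMAC over the transaction details,
    shortened to a numeric code with HOTP-style dynamic truncation
    (RFC 4226 section 5.3) so the user can type it into the browser."""
    mac = hmac.new(secret, canonical_transaction(account, amount_cents, nonce),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_transaction(secret: bytes, account: str, amount_cents: int,
                       nonce: str, code: str) -> bool:
    """What the bank does: recompute the code over the details it received
    and compare in constant time. Any change to account, amount or nonce
    between the device display and the bank yields a different code."""
    expected = sign_transaction(secret, account, amount_cents, nonce, len(code))
    return hmac.compare_digest(expected, code)


def mitb_demo() -> tuple:
    """Returns (honest_ok, tampered_ok, replayed_ok) for a constructed scenario."""
    nonce = "srv-nonce-0001"            # constructed: issued by the bank per transaction
    shown_account = "GB00BANK00000001"  # constructed: what the customer read on the device
    amount = 10_000                     # 100.00 in minor units

    # The customer signs the details shown on the device display.
    user_code = sign_transaction(DEVICE_SECRET, shown_account, amount, nonce)

    # 1. Untampered submission: bank receives what the user signed.
    honest_ok = verify_transaction(DEVICE_SECRET, shown_account, amount, nonce, user_code)

    # 2. MitB rewrites the destination account in the POST body after signing.
    tampered_ok = verify_transaction(DEVICE_SECRET, "GB00MULE00000099", amount, nonce, user_code)

    # 3. Attacker replays the captured code against a later transaction (new nonce).
    replayed_ok = verify_transaction(DEVICE_SECRET, shown_account, amount, "srv-nonce-0002", user_code)

    return honest_ok, tampered_ok, replayed_ok


if __name__ == "__main__":
    print(mitb_demo())  # expected: (True, False, False)
```

The design point is that the code binds to the data the customer verified out of band, so the browser never becomes a trusted component: the bank does not need to know whether the browser is compromised, only whether the received details match what was signed. A production verifier would also bind the nonce to the customer session and expire it after one use.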
Additional layers of security could be added by using certificate-based authentication (CBA) or context-based authentication. CBA provides authentication using public key cryptography and unique digital keys which are associated with the authentication device and the person who owns it. On the other hand, context-based authentication uses contextual information to verify users’ identity or limit access to specific systems or content based on different risk profiles and user criteria.
When deciding on their device and user authentication strategy, IT managers need to determine what type of authentication devices will be deployed across the organisation, based on cost as well as on which users, data and access points will have to be secured. For example, organisations might want to adopt hybrid hardware tokens for maximum protection but might not be able to afford the upfront costs. This might prompt IT management to consider software-based solutions that offer a similar level of protection at a lower cost of ownership. Such software solutions can be installed on desktops or mobile devices, offering OTP and certificate-based authentication.
By marrying strong multi-factor authentication with effective security and password management policies, organisations will be able to significantly reduce the risk of unauthorised access to corporate assets and data.
However, another issue to consider is how to manage authentication in a heterogeneous user and systems environment. There are different approaches that could be adopted here – from tailoring authentication to specific use cases to centralising authentication management across multiple access points. By centrally managing identity federation, access controls and authentication to both on-premise and cloud applications, organisations will be able to improve control and visibility while reducing administrative costs. This, coupled with strong data encryption and on-premise digital key management, will provide the needed multi-layered protection to ensure the highest security standards are met.
In order to achieve this, CIOs and CTOs will need to establish effective mechanisms for managing, monitoring and dealing with security risk. Utilising strong authentication solutions as part of a multi-layered approach to data security will enable organisations to resolve the challenges of cloud computing and IT consumerisation, while ensuring trust in their IT infrastructure.
As we can see, we already have the technology necessary to make the issuing, utilisation and management of digital credentials painless and highly secure, but we need to acknowledge that a change is needed now in the approach to end user credential security and strong authentication. On the other hand, and in order to maintain end-user trust and avoid e-security paranoia (so rightly justified nowadays, may I add), can we collectively afford not to do it?