Trust but verify

Among the most important best practices is authentication beyond simple passwords. Enterprises have typically focused on securing the network perimeter, and relied on static passwords to authenticate users inside the firewall. This is insufficient given the multifarious nature of today’s Advanced Persistent Threats (APTs), ad hoc hacking, and internal risks associated with Bring Your Own Device (BYOD) adoption. Static passwords can be a recipe for disaster and must be extended with other authentication factors.  Additionally, multi-factor authentication must be part of a multi-layered security strategy, including device authentication, browser protection, transaction authentication/pattern-based intelligence, and application security.  This requires the use of an integrated multi-layered authentication and real-time threat detection platform.  

Fraud detection technology has been used in on-line banking and ecommerce for quite some time.  Significant changes in this landscape led the industry to institute stringent compliance and customer data protection requirements. Compliance requires the full gamut of authentication and fraud prevention strategies, as well as both on-line and mobile payment security.  Additionally, solutions must comply with multifactor authentication options including mobile One Time Password (OTP) Soft Tokens, transparent authentication, and Public Key Infrastructure (PKI) certificates, along with proactive fraud detection and tamper-evident audit reporting.  

Fraud detection technology is expected to cross over into the corporate sector as a way to provide an additional layer of security for remote access use cases such as VPNs or Virtual Desktops.    Meanwhile, two-factor authentication measures, which have typically been confined to OTP tokens, display cards and other physical devices, are now also being delivered through “soft tokens” that can be held on such user devices as mobile phones, tablets, and browser-based tokens. A phone app generates an OTP, or OTPs are sent to the phone via SMS.  For greater security, the authentication credential is stored on the mobile device’s secure element or subscriber identity module (SIM) chip.  Mobile tokens also can be combined with cloud app single-sign-on capabilities, blending classic two-factor authentication with streamlined access to multiple cloud apps on a single device.  

As identity management moves to the cloud there are other critical considerations.   Today, much of the security discussion is focused on securing the platform, but as enterprises continue to move applications into the cloud and take advantage of the Software as a Service (SaaS) model, it will be critical to resolve challenges around provisioning and revoking user identities across multiple cloud-based applications, while also enabling secure, frictionless user login to those applications.  

In the BYOD environment, secure authentication becomes even more important, and several other security issues also emerge.  IT departments won’t be managing these devices, so it won’t be possible to control other, potentially untrustworthy personal apps they may carry, or to load a standard image onto them with anti-virus and other protective software.  Nor will organizations be able to retrieve devices when employees leave.  We will need to find new and innovative ways to address these and other challenges.  Notwithstanding the risks, the use of BYOD phones, tablets and laptops for access control opens opportunities for powerful new contactless authentication models, from tapping your corporate ID badge to a personal tablet for authenticating to a network, to using an NFC-enabled phone not only as your access credential but also the key for entering your building or apartment.

Tony Ball is senior vice-president, identity and access management (IAM), HID Global.