Best practices in strong authentication

In today’s world of cybercrime, this seems like a responsible question: With all of the billions being spent on IT security, how is it that so many large, respected companies get hacked? Why are firewalls, anti-virus, intrusion prevention systems and other common components of today’s infrastructures failing?

The simple answer in most cases is information systems are breached because someone’s identity and access privileges are compromised. More likely, several people.

It might start with social engineering, spearphishing,trickery or the latest zero-day attack using ZeuS or SpyEye Trojans, but it always finishes the same way—the hackers “own” the system by setting themselves up as super admins, privileged users with full system administration privileges.

How can enterprises and Cloud Service Providers (CSPs) stop criminals from stealing and using identity credentials?

CIOs and CISOs can close the security gap with an identitycentric approach that integrates stronger authentication using device-based PKI credentials and one-time password (OTP) authentication processes integrated with existing identity and access systems.

Strong authentication or multi-factor authentication complements access security based on something you know (the username and password) with something you have (a certificate carrying personal portable security device) or something you are (a biometric), or both.

For example, let’s say your company provided its employees with either OTP tokens or smartcard-based PKI identity credentials and required its use for all system access and administrative activity. Strong authentication greatly deters hackers because the typical attack method of stealing someone’s login credentials no longer works. Without the strong authentication device they cannot gain access. This single step eliminates most but not all threats. In today’s world, device-based strong authentication should be the baseline for access security.

For higher risk individuals and transactions, greater security is required. So for example, using PKI certificates you can enable digital signature validation of specific high risk actions or high profile users.

Here’s an example. A common hacker tactic is to create a new user, or several, with system administrator privileges. To block this attack, let’s say you establish a new security policy for creating system-privileged user accounts:

• System admin sessions must be strongly authenticated.
• High risk actions, such as creating privileged accounts, require a digital signature validation that includes a unique challenge/response exchange using PKI certificates outside of the browser session and presentation of a fingerprint biometric to validate the transaction.

Implicitly this policy means any such action is seen and approved by an individual with a smart card or other external certificate-based credential, and whose identity is bound to the credential by the biometric. A digital signature using a smart card credential provides an “out-of-band” (or second channel) authentication, because the signature is made by the processor and software on the smart card independently from the browser and the PC itself.

This identity-centric policy and digital signature technology put a virtually insurmountable barrier in front of the would-be hacker, effectively preventing the successful use of even man-in-the-middle (MITM) attacks. With MITM, a user’s network connection to the server has been compromised such that the hacker’s system is now between the user and the server, enabling the hacker to make fraudulent transactions that are hidden from the user. Requiring a digital signature prevents this by ensuring every high-value transaction will be seen and approved by the user out-of-band from the browser.

The use of smart card-based PKI credentials to protect against MITM attacks is also recommended by the U.S. National Institute of Standards and Technology (NIST) in its “Electronic Authentication Guideline” (NIST Special Publication 800-63-1, p.77). NIST rates authentication process assurance levels against specific threats including replay, eavesdropping, phishing and MITM attacks. Smart card PKI credentials are rated at Level 4 (strong, the highest rating) for MITM and the other threats. OTP tokens are rated as a level 3 assurance solution, weak against MITM attacks but effective protection against the others.

If a hacker gains access to the root of your system, they can do whatever they want. Often this process takes months, with the intruder planting a small seed that expands through networked systems, slowly making changes that are unnoticed until at some point they break through and are able to establish their own user accounts and set privileges. Then they are ready to harvest the data they want to steal. To prevent this from happening, day-to-day you need to be using strong authentication and digital signatures for anyone authorized to make edits to systems, create new users, set privileges and control Microsoft Active Directory or other equivalent identity management services.

The threat of cybercrime has never been greater. The near-weekly headlines of major global companies and government organizations being breached by hackers are clear proof that this threat is real and not going away anytime soon. Protecting your organization from these costly and reputation-damaging problems is reason enough to act.

But an identity-centric strategy is also a business enabler. Cloud applications, mobile, Bring-Your-Own-Device (BYOD) and virtualization are transforming the IT landscape for enterprises. Cloud Services Providers, or CSPs, are making utility computing a reality by offering Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) as efficient and cost-effective alternatives to keeping everything in-house. Yet for companies offering cloud services as well as those using them, these innovations introduce new vulnerabilities to cybercrime threats, a matter of great concern for executives and managers responsible for IT security.

Using strong authentication solutions empowers a business to maximize these new efficient computing models while at the same time minimizing risks. For example, let’s say you see big opportunities to reduce desktop costs by using cloud-based apps, but like most CIOs, you are concerned about security. Implementing a security policy that requires a certificate-based device like a smart card credential significantly increases your security posture, because a stolen login credential can no longer be used as a method for illegally accessing your network.

Ready to move your infrastructure to the cloud but concerned about delegating your access security to a third party provider? As in the example above, mandate the use of digital signature and biometric validation of system-level access.

Or perhaps you’re a CSP that wants to protect your clients—and your own company—from risks. Build in strong authentication digital security solutions and offer your clients the peace of mind of identity-centric security.

Here are seven best practices—the keys to success—on how to enable efficiency, leverage new IT infrastructures and maximize security with an identity-centric strategy based on PKI credentials.

Following these best practices will significantly reduce your risks of a successful attack on you or your clients. By taking an identity-centric approach to your IT security, you can lock down critical processes and systems and ensure you have complete control over who has access.

• Integrate OTP tokens and certificate-based credentials into identity and access management systems and mandate their use from the highest levels of the organization. A second authentication factor is only effective if it is used, and it will only be used if it is required. Strong leadership and policies enforced by the executive team will be needed for success.
• Prioritize implementation based on risk starting with system administrators and executives. Lock down critical weak points such as the ability to create new user accounts with system admin privileges and other common exploits to prevent catastrophic penetration of infrastructure by attackers.
• For a quick start, begin with OTP and migrate rapidly to smart card based PKI certificates. Add-on new apps, such as digital signature and email encryption, over time.
• Remove the second authentication credential from the PC by using personal portable security devices such as a smart card ID badge, or OTP on a token or smart phone. Create this second line of defense so it is completely independent of the PC, requiring the attacker to compromise two completely separate systems. Even if someone’s PC or login credentials are compromised, they will be useless to attackers without the secondary device.
• Require use of two-factor authentication with all new remote or cloud-based applications. Enable strong authentication solutions that are a front end to single sign-on systems, increasing efficiency for users and security at the same time. This is particularly true for healthcare ePrescription applications for controlled substances, where a certificate and credential can be used to digitally sign an online prescription, proving its validity.
• Establish a thorough provisioning process that strongly binds credentials to an individual user.
• Develop secure and thorough exception processes and backup access methods for common user situations such as forgotten, lost and stolen credentials. Automate common support tasks such as PIN resets.

One final bit of good news is that provisioning, deploying and using OTP tokens and smart card-based credentials with identity certificates are very straightforward today. All leading IT infrastructure suppliers, including Microsoft, IBM, HP, CA, Citrix, Adobe and many more are already fully supporting the use of smart card-based two-factor authentication. In fact, many of these IT leaders already use smart card ID credentials internally themselves.

If your organization or your clients are primarily operating a Microsoft environment, you can be assured your core infrastructure is ready to evolve into identity-centric security. There is no need to install additional middleware; it is as simple as adjusting some settings and enabling software modules to get started. Key Microsoft components that support smart card-based credentials and certificates include:

• Forefront Identity Manager (FIM): A simplified framework for managing and provisioning user identities, user accounts and access, password and certificate-based credentials such as smart cards, and identity-based policies across Windows and heterogeneous environments.
• Certificate Authority, Active Directory and Active Directory Federated Services (ADFS): Tools for certificate issuance, authentication and access control for credentials and identities.
• Windows desktops and server operating systems: Full support for desktop logins, terminal services and security policy enforcement, as well as self-service provisioning and maintenance with FIM for everyday tasks like PIN resets.
• Applications including Outlook, SharePoint, Office: Login, digital signature and encryption capabilities.
• Office 365: Microsoft’s cloud-based apps support the use of smart card-credentials as well.

For Linux and Apple infrastructures, implementation at the desktop level is also readily achieved using off-the-shelf resources. Provisioning can be accomplished using Microsoft’s FIM or Gemalto’s cloud-based provisioning and life cycle management solutions for example, as well as services from other providers.

Every week brings new stories of companies damaged by the breach of sensitive information, a problem that can be prevented by the best security practices discussed here. Further, much like the early days of the Internet or PCs, new mobile technologies and cloud services are introducing new security risks. Preventing data loss and protecting sensitive information from unauthorized access should be a top concern of every company.

While better security is needed enterprise-wide, it is essential that executives and board members get personalized attention and the greatest levels of information and remote access protection. It is evident that username and password authentication is simply not a secure way to protect the high levels of information within a company to which these executives have access. Using sandboxes, OTPs, smartcard-based multi-factor authentication and biometrics as part of your login and identity verification procedure can prevent data loss and protect your confidential information.