Concentrating on securing the network perimeter and relying on static passwords is no longer an adequate option for enterprises, as IT administrators grapple with challenges including Advanced Persistent Threats (APTs) and the vulnerabilities created by the Bring Your Own Device (BYOD) mobility model. Increasingly, the only reliable way to combat these escalating threats is to employ strong authentication and a multi-layered security strategy that spans remote access, key applications and servers, and cloud-based systems.
Past solutions did not provide sufficient security, were difficult to use, and were costly and complex to implement. This has changed with the adoption of smartphones, smart cards and other smart devices that can carry secure credentials. Today’s strong authentication model enables enterprises to create converged solutions that deliver secure logical access to the network and to cloud-based services and resources, and that control physical access to buildings. It also supports mobile security tokens that give users a convenient and secure access solution on smartphones or tablets; it enables the integration of intelligence for enhanced security, including device identification and the use of built-in technologies such as GPS; and it enables effective threat protection through multifactor authentication as part of a multi-layered security strategy.
Strong authentication is gaining traction as the alternative, since it takes advantage of short-range connectivity technology such as Near Field Communication (NFC), which is popular in smart cards and a standard feature of smartphones and laptops. These devices can be used to gain access to resources without a password, by simply "tapping in" to facilities, Virtual Private Networks (VPNs), wireless networks, corporate intranets, cloud and web-based applications, and single sign-on (SSO) clients.
Besides improving cost, security and convenience, the tap-in strong authentication model enables enterprises to achieve true access control convergence via the same smart card or phone, and it also makes it possible to support many other applications, such as secure print management, cashless vending, and biometric templates for additional factors of authentication.
In addition to user authentication, there are several other security layers to consider:
– Device authentication. This goes beyond determining that the user is who he or she claims to be, to verify that the person is using a "known" device. The best approach is to combine endpoint device identification and profiling with such elements as proxy detection and geo-location.
– Ensuring the user’s browser is part of a secure communication channel. Although this browser protection layer can be implemented through simple passive malware detection, this approach does not yield the strongest possible endpoint security. A more effective approach is to use a proactive hardened browser that provides a mutual Secure Sockets Layer (SSL) connection to the application.
– Transaction authentication/pattern-based intelligence. Implementing this layer increases security for particularly sensitive transactions. A transaction authentication layer can include several elements such as Out-Of-Band (OOB) transaction verification, transaction signing for non-repudiation, transaction monitoring, and behavioral analysis.
– Application security. This protects applications on the mobile devices used to deliver sensitive information. Ideally, the application must not only be architecturally hardened, but also should be capable of executing mutual authentication. Data theft is much more difficult and costly for hackers who are confronted with this security layer.
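As an added example (not from the article or from HID Global) of how the device-authentication and transaction-authentication layers above fit together: the server keeps a per-device shared secret keyed by a fingerprint of the attributes profiled at enrolment, and a sensitive transaction is confirmed out of band with a short code derived from the exact transaction details, so a payee or amount altered in transit, or a code entered from an unknown device, fails verification. The attribute set, the in-memory store and the code format are assumptions; a shared-secret code gives integrity and binding but not the non-repudiation the article mentions, which needs a per-user private key.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical enrolment store: user -> {device fingerprint: shared secret}.
# In practice this would be a database; here it is in-memory sample state.
ENROLLED = {}

def _canonical(obj: dict) -> bytes:
    """Stable byte encoding so both sides hash exactly the same data."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def device_fingerprint(attrs: dict) -> str:
    """Hash the attributes profiled at enrolment (the attribute set is an assumption)."""
    return hashlib.sha256(_canonical(attrs)).hexdigest()

def enrol_device(user: str, attrs: dict) -> bytes:
    """Register a 'known' device and return the secret provisioned to its token."""
    secret = secrets.token_bytes(32)
    ENROLLED.setdefault(user, {})[device_fingerprint(attrs)] = secret
    return secret

def sign_transaction(secret: bytes, tx: dict, digits: int = 8) -> str:
    """Token side: a short code bound to the exact details the user sees out of band.
    tx must carry a server-issued nonce so a captured code cannot be replayed."""
    mac = hmac.new(secret, _canonical(tx), hashlib.sha256).digest()
    # Dynamic truncation as in RFC 4226, yielding digits the user can type back.
    offset = mac[-1] & 0x0F
    number = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)

def verify_transaction(user: str, attrs: dict, tx: dict, code: str) -> bool:
    """Server side: the device must be known AND the code must match these exact
    details, so a payee or amount altered in transit fails verification."""
    secret = ENROLLED.get(user, {}).get(device_fingerprint(attrs))
    if secret is None:
        return False  # unknown or re-profiled device: stop at the device layer
    return hmac.compare_digest(sign_transaction(secret, tx), code)

if __name__ == "__main__":
    attrs = {"ua": "Mozilla/5.0", "platform": "Win32", "tz": "Europe/London"}  # constructed
    secret = enrol_device("alice", attrs)
    tx = {"payee": "ACME-123", "amount": "2500.00", "currency": "GBP", "nonce": "c0ffee"}
    code = sign_transaction(secret, tx)  # shown to the user on the out-of-band device
    print(verify_transaction("alice", attrs, tx, code))                       # True
    print(verify_transaction("alice", attrs, dict(tx, payee="X-999"), code))  # False
```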
Each of these can be implemented using an integrated versatile authentication platform with real-time threat detection capabilities, which has been successfully used in online banking and ecommerce. Now, similar types of threat detection technology platforms are expected to migrate to the corporate sector, where they can provide one more layer of security for such remote access use cases as VPNs or Virtual Desktops.
As more phones, tablets and laptops are enabled with short-range connectivity technology, more companies are considering incorporating secure physical and logical access into their business. Making the transition to these capabilities requires a multi-technology smart card and reader platform that is extensible and adaptable. To maximise flexibility and interoperability, this platform also should be based on open architecture to support current and future technologies while staying ahead of evolving threats, and also enable both legacy and new credential technologies to be combined on the same card while supporting mobile platforms.
To optimise security, the smart card and reader platform should use contactless high-frequency smart card technology that features mutual authentication and cryptographic protection mechanisms with secret keys. It should also employ a secure messaging protocol that is delivered on a trust-based communication platform within a secure ecosystem of interoperable products. These will help ensure that organisations have the highest level of security, convenience, and interoperability on either cards or phones, and that they can adapt their solutions to meet future needs, including strong authentication to protect data and cloud applications, and contactless high-frequency smart card technology for numerous physical access control applications.
With the right foundation, organisations can solve the strong authentication challenge while protecting everything from the cloud and desktop to the door. Effective planning also ensures they can reduce security solution deployment and operational costs by leveraging their existing physical access control credential investment to seamlessly add logical access control for network log-on. The result is a fully interoperable, multi-layered security solution that spans all of the organisation’s networks, systems and facilities.
Tim Phipps is Vice President of Product Marketing, Identity Assurance, at HID Global