By Simon Duddy
Authentication is an increasingly important part of the security puzzle. This technology, whether password, biometric or token-based, has become ubiquitous in modern business and society. NME examines contrasting types of authentication and determines how the enterprise can use it to its advantage.
Identity has always been important, after all, no company has ever been comfortable with strangers wandering through its premises unannounced. The information age, however, has made it all the more important as there are now more entry points to the enterprise which must be guarded. Each point of entry has the potential for compromise, which means the secure enterprise needs to know who is accessing the network and how. This is where authentication, in all its dizzying variations, comes in.
These variations fall into a variety of categories according to the job they tackle and the type of information they contain. Physical security is important and access control systems work to ensure that buildings are only accessed by authorised people. Similarly, in the virtual world, companies are keen to ensure that intruders do not trespass on their network or website. Authentication solutions here generally work on a non-physical basis, through the use of passwords and randomly generated numbers.
Two factor authentication is thought to be a minimum level of safety for businesses such as banks that depend on customers accessing services online. These solutions combine a PIN, which the customer knows, and a random number that is generated by a token he has. This is known as time synchronous authentication, with the number created by the token changing every minute. The company’s server is aware which code any token will generate at any given time.
The advantage of this type of authentication is that keyloggers must intercept the number in real time to be able to use it to penetrate an account, which makes the process much more difficult for the bad guys.
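The time-synchronous scheme described above, as an added example that is not part of the original article and not the code of any vendor quoted in it. It assumes the standard HOTP/TOTP construction (RFC 4226/6238) with the article’s one-minute step; real products may use proprietary algorithms. The names `token_code` and `AuthServer`, the seed and the PIN are all constructed for the illustration. The server checks the PIN (something you know) and the token code (something you have), tolerates one step of clock drift, and refuses to accept the same code twice, which is why a keylogger that captures a code after the user has already used it gains nothing:

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the article's tokens change every minute
DIGITS = 6


def token_code(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Code shown by a time-synchronous token (HOTP/TOTP construction, RFC 4226/6238).

    Token and server share `seed`; both derive the code from the current time
    slot, so the server can predict what any token displays at any moment.
    """
    counter = unix_time // step                       # which time slot we are in
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


class AuthServer:
    """Server side of a PIN + token two-factor login (constructed example)."""

    def __init__(self, users, window=1):
        # users: name -> (PIN, token seed); constructed test data, not real credentials
        self.users = users
        self.window = window        # time slots of clock drift tolerated either side
        self.used_slots = set()     # (user, slot) already accepted -> rejects replay

    def verify(self, user, pin, code, unix_time):
        if user not in self.users:
            return False
        expected_pin, seed = self.users[user]
        # something you know: compare in constant time
        if not hmac.compare_digest(expected_pin, pin):
            return False
        # something you have: accept the current slot or a neighbour, once only
        slot = unix_time // STEP_SECONDS
        for candidate in range(slot - self.window, slot + self.window + 1):
            expected = token_code(seed, candidate * STEP_SECONDS)
            if hmac.compare_digest(expected, code) and (user, candidate) not in self.used_slots:
                self.used_slots.add((user, candidate))
                return True
        return False


if __name__ == "__main__":
    seed = b"constructed-seed"            # constructed: the shared token secret
    server = AuthServer({"alice": ("4271", seed)})
    now = 1_699_999_980                   # constructed timestamp at a slot boundary
    code = token_code(seed, now)
    print("first use:", server.verify("alice", "4271", code, now))        # accepted
    print("replayed :", server.verify("alice", "4271", code, now + 5))    # rejected
```

Running the block prints `True` for the first login and `False` for the replayed code. The drift window is the practical compromise the article alludes to: too narrow and users with a slow clock are locked out, too wide and a captured code stays valid for longer.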
“Known methods for authentication may be grouped under three categories: something you know (password), something you have (smartcard or token), and something you are (fingerprint, voice and other biological features),” says Dr Nabeel Murshed, MENA managing director for SECUDE.
The need for robust authentication was emphasised recently when UAE bank Mashreqbank was targeted by hackers, who captured information from users’ PCs and used this to try to infiltrate and steal cash.
The bank was able to track the efforts of the hackers and thwart them, but arguably banks could do this more easily with more robust authentication. The hackers were probing the bank’s connections as users were doing transactions, but the use of a one time pass code, alongside a multiple-use password, at the transaction level will prevent this.
That said, the bank should be praised for coming forward and discussing the issue, which can only raise awareness among end users and enterprises and make this kind of attack more difficult for the hackers.
“Some firms are addressing the problem better than others, but awareness is not growing as fast as the threat. The recent Mashreqbank case is proof of this. The company should be lauded for highlighting the issue,” says Justin Doo, managing director of Trend Micro in the Middle East and Africa region.
Although the bank was not compromised by the attack, it has led to many commentators insisting that regional banks do not go far enough in securing their networks.
“Banks don’t do enough at present to secure themselves online,” says Naveed Moeed, technical consultant for RSA Security Middle East and Africa. “Some of the banks I’ve been in seem to be quite shoddy in their set up and the threat doesn’t so much come from outside as from inside. The fraud that happens from within the banks tends not to get reported,” he adds.
Authentication is a high priority in businesses such as banks, which are always under a high risk of attack, but the issues facing those implementing authentication solutions are universal, whatever the business type.
One of the main points to bear in mind is to view security as a holistic issue. Therefore, too much faith should not be placed in any one security measure or point solution. Fortunately, these days many companies are coming at authentication from a variety of angles, meaning that the enterprise can adopt a multi-layered approach to protection.
For example, switch vendors are building authentication into their products so that only authorised users are allowed on the network. These not only determine who can access the network but also who can access certain services and resources.
“An advantage that authentication brings to the table is that it elevates monitoring of traffic from only monitoring MAC and IP addresses into actually monitoring users. This is possible with the integration of technologies such as 802.1x and Foundry’s sFlow,” says Yarob Sakhnini, regional technical manager, Foundry Networks.
In combating more universal problems such as spam, companies are developing authentication tools for use at the gateway level. Simple Mail Transfer Protocol (SMTP) does not authenticate the sender of an e-mail, which makes it difficult to know if the sender is a spammer. Companies such as Microsoft are building authentication tools in their e-mail services, such as Hotmail, in order to allow them to block e-mails from sources they cannot verify.
A general rule is that the more layers an intruder has to get through, the greater the protection. These different methods guard against very different dangers, but they add up to a multi-layered matrix of protection.
“[In physical security] You can use a variety of access control elements with the more layers added the greater the protection. It could be as simple as using swipe cards, or as complicated as using multiple biometrics to make sure the right people get in and wrong people can’t get in,” says Tony O’Connor, security risk manager, National Bank of Dubai.
The huge variety of layered solutions makes the task of finding the correct solution for the enterprise a difficult one. For example, there is often a choice between point solutions that sit on top of the network and solutions that are pre-integrated into infrastructure.
If an organisation opts for a point solution the costs of acquisition, maintenance and management are typically higher. On the other hand, dedicated point solutions tend to offer more functionality and better performance than solutions that come pre-built into other products.
“Which way should an enterprise go? The way that fits its goals and requirements, although we have noticed top-rung organisations such as telcos and financial institutions tending towards very high standards in selection that can only be satisfied by point solutions,” says Sherif Shaltout, senior information security analyst at ISS ME.
Built-in solutions sometimes get a bad press, with performance estimated to be more modest than dedicated products.
“Most authentication tools built into existing solutions are based on user name and password – which has been shown to be very weak and insufficient for protecting valuable enterprise resources,” says Philip Richardson, managing director of Entrust.
“On a positive note, most network solutions are built to be open and interoperable — which allows for improved security by adding strong authentication,” he adds.
However, many in-built authentication solutions offer much more robust security than passwords. For example, Cisco’s network admissions control (NAC) initiative uses network hardware plus trust agents and 802.1x protocols to enforce admissions policy. The main argument for in-built solutions is that they provide cost savings along with good performance. The most important question is often not what is best from a technology standpoint, but what satisfies business requirements at a reasonable cost.
Cost is not the only issue, however, as authentication is counter-productive if it hampers normal company business. Thus IT managers must tailor their authentication solutions to be easy to use and cause a minimum of disruption. It stands to reason that the more secure a network is, the more difficult it will be for users to negotiate.
“If a user has to be authenticated several times before they reach a file or service, this can slow down the network and create unhappy customers and employees,” says Abderrafi Belfakih, manager of systems engineers at Cisco Middle East.
Qatar’s Aspire sports academy gets around this issue by using biometrics plus a single sign-on to access its network. After biometric verification, all systems can be accessed through one password to promote ease of use. Aspire also believes this is more secure than using numerous passwords, as users can easily remember one password, which they can then frequently change. When users have several passwords they sometimes struggle to remember them and as a result write them down, making it easier for intruders.
Soubhi Abdulkarim, IT manager at the Aspire sports academy says the security at the complex is stringent but only because of the high risk that comes from managing a workplace with public access.
“The sports stadium is open to the public for events and will have public connectivity networks, therefore it is important to have robust security to make sure the private network is not compromised,” he explains.
Despite the risks, IT managers must always consider that over-zealous implementations can damage business. SITA INC, which manufactures biometric kiosks for authenticating passengers in airports, designed its products to increase security while keeping the flow of people through check-in brisk. SITA’s Registered Traveller kiosks use both iris scanners and fingerprint readers.
“The kiosks are typically managed by security staff but are essentially standalone devices serving to validate a smart card in the possession of a passenger against the passenger’s biometric,” says Eyad Shihabi, vice president of Airport & Desktop Services at SITA INC, Middle East, Africa, South and Central Asia.
The downside is that the system needs a reference database, which means collecting biometric information from desired populations, which is a lengthy and potentially fault-ridden process.
Similarly, hardware solutions are generally more robust than software varieties, as they are harder to forge and can be expired or locked out if lost.
“Hardware authentication tokens are generally considered more secure because a software token residing on a laptop can be compromised if there is a Trojan or sniffer program on the machine,” says Peter Barlow, director for Secure Computing MEA.
A combination of software and an affordable hardware solution can provide formidable two factor authentication, for example, a token combined with Active Directory authentication.
Another example would be a smartcard with secondary level user name and password.
But picking the appropriate authentication technology begins with understanding the risk and impact of inappropriate access to a given business. There is no ‘one size fits all’ solution.
“The purpose served by the solution is key — a children’s education software development firm need not be as comprehensively secured as a sensitive government agency,” says Hubert Borges-Da-Silva, eCommerce professional at Jilanda Securemart.
Whichever solution is selected, proper processes must be followed to ensure the technology is effectively deployed. Employees will often lapse into complacency and not change passwords often enough. Users also often underestimate the value of the data on their PC and so do not take security seriously. But while a hacker may not be interested in the data on a PC, he will be able to use that PC as a launch pad to infiltrate more valuable parts of the network. This is a key reason why passwords need to be rigorously enforced across the enterprise.
“Security is 20% technology and 80% policies, procedures, and awareness. The required levels of security can’t be achieved without a solid strategic plan,” says Murshed.
Abdulkarim places a strong emphasis on employees at Aspire, to ensure that technology is utilised efficiently, using tools such as newsletter tips of the week and regular training.
While current technology is still filtering slowly towards the enterprise there are some exciting developments taking place at the cutting edge of the authentication business, such as developing managed services.
Providers such as the UAE’s eCompany that issue public key infrastructure (PKI) certificates are seeing growing business, as many small businesses that don’t have the funds or resources to implement authentication themselves turn to a third party. Perhaps even more exciting for the future is federated identity management, which allows individuals to use the same user name, password or other personal identification to sign on to the networks of more than one enterprise in order to conduct transactions. It will allow companies to share applications without needing to enforce restrictive uniformity in terms of directory services, security and authentication technology.
“Authentication vendors should see a major increase in market opportunities once federated identity mechanisms have been standardised and successfully integrated with these mechanisms,” says Mary McEvoy, senior manager, SonicWall worldwide PR.
Authentication is an important security issue and the coming years are likely to see robust authentication technologies becoming more commonplace in the enterprise. These will often be point solutions but it will be very important for the network professional to be able to integrate these effectively in a company’s overall security and IT systems.
As the risk and damage resulting from intrusion grows, so will the use of authentication solutions. While many companies today get by using swipe cards and passwords, in the future they may have to invest in smartcards, tokens and even biometrics to ensure safety. Even if a technology revamp is not on the agenda, companies will be well advised to police password policies much more seriously.
“In a recent survey by analytics software and solutions provider SPSS, 44% of respondents claimed they never changed their password, which is an extremely worrying figure,” says Wael Fakharany, regional manager, 3Com Middle East. “People must change their passwords regularly, particularly those who are part of a network system,” he adds.