IT Security

Network authentication

by Mark Rowe

Organisations which for so long had only to focus on firewalls and virus scanners at the periphery of their network are now having to deal with customer data transiting to the cloud, employees bringing their mobile devices to work (and expecting them to be accepted) and hackers looking to score the next big information leak or credit card database.
All of these present significant challenges to the information security professional, who was already pressured into doing more with less. Information security demands answers to questions such as these:

• With so many threats and technologies being offered to address those threats, how do I know which I should prioritise and which solutions are best for my organisation?
• How do I create a strategy that helps me meet my compliance goals, but also leaves my organisation protected against unforeseen challenges?
• Can one product, or suite of products, help me comply with key regulations and also mitigate against a host of potential threats across my organisation?
• What technologies do I need to invest in that are easy for my users to use, cost effective and also security‐effective?

John B Harris, Security Specialist, writing on behalf of GMO GlobalSign Ltd, describes how certificate‐based network authentication can form part of a comprehensive information security strategy.

If an organisation’s ‘strategy’ is to simply react to threats and requirements as they present themselves, that organisation becomes a pinball, bouncing between threats and regulations. Organisations need to spend time developing and then implementing a security policy that relies on top level best practices, such as user authentication, network intrusion detection and prevention, business continuity and disaster preparedness, employee education and training, malware detection and prevention, data loss prevention (DLP) and encryption.

Access control and identity management is a key technology area within a best practices‐based security regime. Certificate‐based network authentication is a good example of a solution that is easy to implement, simple for users, meets compliance requirements and can address challenges on the desktop, on mobile devices and even in the cloud.

Certificate‐based network authentication is the use of a Digital Certificate (a credential issued by the organisation’s own certificate authority) to identify a user and often a device (or devices) employed by a known user on the network. It is often deployed in coordination with traditional user authentication methods such as username and password.
By itself, certificate‐based network authentication can verify that a device connecting to the organisation’s network presents a certificate that chains to the organisation’s trusted CA, is within its validity period and has not been revoked; in other words, that the device is one the organisation enrolled. When combined with user authentication, the organisation can verify that user A logged on from laptop PC B and then check its enrolment records to determine whether that laptop is in fact registered to user A. Only if both checks pass is the user granted access to the network on that device.
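The two checks described above, as an added worked example written for this page (it is not GlobalSign’s or any vendor’s code): a private device CA issues a client‐authentication certificate whose Common Name carries an assumed device ID, and the server‐side authorisation step verifies the certificate chain and then looks the device up in an assumed device‐to‐user registry. The CA, device IDs and the registry are constructed sample data; the code uses only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// registry maps a device ID (carried in the certificate CN) to the user it is
// registered to. Constructed sample data for this example.
var registry = map[string]string{"laptop-B": "userA", "laptop-C": "userC"}

// issue generates a P-256 key, fills in serial and validity, and has parent
// sign the template (self-signed when parent is nil). In production the device
// key would be generated inside a TPM or secure element so it cannot be copied.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)); err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate describes the organisation's private device CA.
func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}

// deviceTemplate describes an enrolled device: a client-auth leaf, CN = device ID.
func deviceTemplate(deviceID string) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: deviceID},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
}

// authorize is the server-side decision. username is the identity already proven
// by the password factor; deviceCert is the client certificate the TLS layer saw.
// Chain, validity and the device-to-user binding must all pass. (Revocation is
// not checked here: Go's Verify does no CRL/OCSP lookup, so a deployment adds that.)
func authorize(roots *x509.CertPool, deviceCert *x509.Certificate, username string) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := deviceCert.Verify(opts); err != nil {
		return fmt.Errorf("device certificate not trusted: %w", err)
	}
	deviceID := deviceCert.Subject.CommonName
	owner, ok := registry[deviceID]
	if !ok {
		return fmt.Errorf("device %q is not registered", deviceID)
	}
	if owner != username {
		return fmt.Errorf("device %q is registered to %s, not %s", deviceID, owner, username)
	}
	return nil
}

// scenarios exercises the cases discussed in the text and reports which were allowed.
func scenarios() (map[string]bool, error) {
	ca, caKey, err := issue(caTemplate("Example Device CA"), nil, nil)
	if err != nil {
		return nil, err
	}
	rogueCA, rogueKey, err := issue(caTemplate("Rogue CA"), nil, nil) // an attacker's own CA
	if err != nil {
		return nil, err
	}
	leaf := func(ca *x509.Certificate, key *ecdsa.PrivateKey, id string) *x509.Certificate {
		c, _, e := issue(deviceTemplate(id), ca, key)
		if e != nil {
			err = e
		}
		return c
	}
	laptopB := leaf(ca, caKey, "laptop-B")
	unknown := leaf(ca, caKey, "laptop-Z")        // genuine cert, device never registered
	cloneB := leaf(rogueCA, rogueKey, "laptop-B") // same device ID, untrusted issuer
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return map[string]bool{
		"userA on laptop-B":       authorize(roots, laptopB, "userA") == nil,
		"userC on laptop-B":       authorize(roots, laptopB, "userC") == nil,
		"userA on laptop-Z":       authorize(roots, unknown, "userA") == nil,
		"userA on rogue laptop-B": authorize(roots, cloneB, "userA") == nil,
	}, nil
}

func main() {
	res, err := scenarios()
	if err != nil {
		panic(err)
	}
	for k, v := range res {
		fmt.Printf("%-24s allowed=%v\n", k, v)
	}
}
```

Only the first scenario is allowed. The other three show why the registry lookup matters as much as the chain check: a genuine certificate on a device nobody registered, a registered device used by a different user, and a certificate with the right device ID issued by a CA the organisation does not trust are all refused.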

Authentication is typically described in ‘factors’: something you know (a password), something you have (a physical token), or something you are (your fingerprint). Single factor authentication tends to be the norm, but relying on only one factor provides a single point of failure for your network and systems that can at times be easily defeated by phishing and other attacks. When different factors are combined, they provide multiple layers of defence that make a system much more difficult to breach. Tossing a bunch of factors together doesn’t mean your organisation will suddenly be more secure, however. Organisations need to consider user impact, the risks involved and other aspects. Since certificate‐based network authentication can be implemented with no burden on users, multifactor authentication is as easy as your users logging in with their own usernames and passwords on their assigned devices. For example, a device Digital Certificate represents ‘something you have’ and the device becomes part of the authentication alongside a user’s name and password (‘something you know’). That holds only if the certificate’s private key is bound to the device, ideally generated and kept in a TPM or secure element so that it cannot be exported: a key that can be copied off the device is just another secret and no longer proves possession.

Organisations need to be focused on security strategies that meet their business requirements for agility and revenue, while at the same time properly securing their data, intellectual property and systems against the risks inherent in a dynamic environment. To implement that strategy, organisations must invest in technologies that can effectively address security needs across the company, mitigate broad risks and assist in complying with the variety of regulatory imperatives facing today’s businesses. Certificate‐based network authentication has been shown to provide multifactor authentication without imposing burdens on an organisation’s user population: more security doesn’t have to mean less agility. Access management, auditing and forensic analysis of access history are improved, as data and network access can be tied not only to a user, but also to a specific device at a specific time. Mobile devices are redefining the way in which consumers and employees are accessing content.

The payment card industry responded to credit card fraud risk and losses by authoring a highly detailed list of data security requirements for merchants, financial institutions, card vendors and other associated firms. First published in 2004, the PCI Data Security Standard was at version 2.0 at the time of writing. PCI DSS includes specific provisions regarding strong access control procedures (Requirement 8). Organisations must use at least one factor of authentication (something you know, have or are) for general access and two‐factor authentication for remote access to networks. The transparent nature of certificate‐based network authentication makes it well‐suited to assisting in compliance with this aspect of PCI DSS, provided the device certificate is an independent second factor rather than a convenience layered on the same password.

IT departments face innumerable challenges in their mission to protect their organisation, its data and its customers, while also achieving compliance with multiple regulations. The optimal approach requires an organisation to step back from day‐to‐day reactive actions and assess the needs of the business and the broader, longer‐term security goals of the organisation. Following formal documentation and periodic review of those requirements, the organisation should choose technologies that can best be leveraged to meet those goals. A best practices‐based model lets an organisation remain agile and secure at the same time. Certificate‐based network authentication is a technology investment that keeps users productive while also improving security posture. It is easy to deploy and can enhance authentication practices on desktops and mobile devices. It also compares well with token‐based methods because it provides multifactor security without requiring users to carry an additional device or restrict their logins to specific locations. Across compliance targets and industries, certificate‐based network authentication can meet the need for multifactor, strong authentication while keeping the technology easily accessible, dynamic and mobile. It can therefore be a valuable part of a comprehensive information security strategy and process.


© 2024 Professional Security Magazine. All rights reserved.
