Q&A: Strong authentication

Mike Moir is a Product Manager for the Entrust IdentityGuard solution. In this interview he talks about strong authentication.

Based on your experience, how critical is authentication in the overall security architecture of an organization?
Authentication plays a critical role in the security architecture of an organization. Like a castle or other military fortress, a networks security is only as secure as its most vulnerable point of entry. Many companies take great pains to put in first class physical and logical security measures but then only require user name and password to access the system.

Today’s sophisticated fraudsters can make quick work of user name and password protected security systems. The ability to accurately authenticate a user prior to giving them access to the internal network is vital to protecting an organizations intellectual property and other critical assets.

When it comes to strong authentication, can ease-of-use and security co-exist?
There is always going to be some trade-off between ease-of-use and security. However, strong authentication does not necessarily mean that the solution needs to be more intrusive to the end user, or harder on manage.

There are many strong authentication techniques today that provide strong security while minimizing user impact. Examples include authenticating the user’s machine and location (through IPGeolocation) which can be done under the covers. Using digital certificates or soft tokens on a mobile device can also greatly improve the user experience.

When evaluating strong authentication vendors it is important to look for a vendor who can provide a range of authentication options. This will allow you to select the right authenticators for users based on the sensitivity of the information you are trying to protect, the users ease-of-use needs and of course the cost.

How can an organization determine their requirements for strong authentication?
There are a number of factors to consider in determining an organization’s requirements for strong authentication. First consider who you want to authenticate. These could include internal employees, external contractors, partners, customer etc. These groups are not the same and will have different authentication requirements. Do you want to deploy a strong authentication solution to everyone right away or stage deployment? Will there be other groups added to the list in the future?

When looking at the different user communities Entrust encourages our customers to consider the Risk, Usability and Cost associated with strongly authenticating each group.

What is the risk associated with the information that is being protected. Gaining access to a retail consumer’s account that only has the shipping status of their last order is not the same as a Chief Financial Officer’s banking information. Implementing very secure but potentially more intrusive strong authentication makes sense for a Chief Financial Officer.

What are the usability requirements of the user? Deploying strong authentication to a broad range of consumers will necessitate an authentication method that is easy to understand since there is minimal opportunity to train. Deploying to employees who can be easily trained may influence what authentication method you use.

Finally cost is always a consideration. Are you deploying to 50 employees or 5 million consumers. What is the cost to deploy, replace and maintain the different authentication methods. Strong authentication is a long term investment and may cover a broad range of user groups. Consider a solution that will meet you current and long term needs.

How do the challenges of implementing strong authentication shift as an enterprise decides to deploy a mobile workforce?
There are some definite and unique challenges when deploying strong authentication to a mobile workforce. You no longer are able to “look them in the eye’ as they enter the building so the need to ensure their identity before granting remote network access to mobile workers increases. There is typically a broader range of locations and devices that a user may be accessing the network from; including work laptops, home desktops, kiosks and mobile devices.

It may also be more difficult and costly to deliver and support the strong authentication solution for the user and to train them on its use. These factors will have an impact on the type of authentication method used.

What type of strong authentication would you suggest for the enterprise?
Each organization is unique and there isn’t a single authentication method that meets everyone’s criteria.

• How many users need to be protected?
• Does it have partners and customers that need to be authenticated?
• What does it have a mobile workforce?
• How sensitive is the information being protected and what is the impact of a breach of security?
• How technology savvy are the users and how much training will they require?
• Is a physical form factor such as a token or grid card acceptable or desirable or do you want something more transparent?
• Is it possible to leverage their existing mobile devices?
• Could these factors change in the future?

All these questions will have an impact on the form of strong authentication that you choose. Invariably the answers will be different for various groups within and external to the organization. I would recommend an authentication platform. This allows you to have a common administrative back end but choose authenticators based on the answers to the questions above. Many organizations will deploy a variety of authenticating methods to their different user groups based on their unique circumstances.