Modernizing authentication (part 2)
In part 1 of this post, I talked about how the traditional authentication method of a user name and password is no longer strong enough to deter unauthorized access to corporate resources. Here, I'll be explaining how authentication is adapting to cloud-based services and the influx of personal devices entering the enterprise network.
enter IAM and IDaaS
IAM (Identity and Access Management) is one of the most pressing concerns that security managers have on their hands as corporate infrastructures shift from premise-based to cloud-based platforms, and as more software services are delivered and accessed through the cloud. Corporate IT needs to maintain visibility over who is accessing corporate resources at all times.
With IDentity as a Service (IDaaS), Brice explained, IT can adapt its security policy according to:
- the individuals accessing the corporate resources (manager vs. staff)
- the devices they’re using (e.g., iOS vs. Android, personal vs. company owned)
- and lastly the location they are connecting from (e.g., on campus or from a public hotspot)
For example, an employee using a corporate device from his regular office on a Monday morning will get seamless authentication against the corporate directory, regardless of the application. When the same user later connects from home with his personal smartphone to corporate cloud resources (if allowed), he’ll be required to pass through multi-factor authentication.
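The decision described above can be written as a small policy function. This is an added example, not code from the original post or from any IDaaS product; the attribute names, the Policy fields and the rule that managers always get a second factor are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    SSO = "seamless sign-on against the corporate directory"
    MFA = "step-up: multi-factor authentication required"
    DENY = "access denied"

@dataclass(frozen=True)
class Context:                      # hypothetical attribute names
    role: str                       # "manager" or "staff"
    device_owner: str               # "company" or "personal"
    location: str                   # "campus", "home" or "public_hotspot"

@dataclass(frozen=True)
class Policy:                       # hypothetical policy knobs
    byod_allowed: bool = True       # the "(if allowed)" in the text
    trusted_locations: frozenset = frozenset({"campus"})
    always_mfa_roles: frozenset = frozenset({"manager"})  # assumption

KNOWN = {
    "role": {"manager", "staff"},
    "device_owner": {"company", "personal"},
    "location": {"campus", "home", "public_hotspot"},
}

def evaluate(ctx: Context, policy: Policy = Policy()) -> Decision:
    # Fail closed: a value the policy does not recognise is never trusted.
    for field, allowed in KNOWN.items():
        if getattr(ctx, field) not in allowed:
            return Decision.DENY
    if ctx.device_owner == "personal" and not policy.byod_allowed:
        return Decision.DENY
    # One untrusted signal (device or location) is enough to step up.
    trusted = (ctx.device_owner == "company"
               and ctx.location in policy.trusted_locations)
    if not trusted or ctx.role in policy.always_mfa_roles:
        return Decision.MFA
    return Decision.SSO

if __name__ == "__main__":
    # Constructed sample contexts mirroring the two situations in the text.
    office = Context("staff", "company", "campus")
    home = Context("staff", "personal", "home")
    for ctx in (office, home):
        print(ctx, "->", evaluate(ctx).value)
```

Checking for unknown values first means a device or location the policy was never written for falls through to denial instead of the seamless path.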
don’t forget user experience
For any new service to be successful, it needs to be easy to administer, but also easy for users to follow, otherwise they’ll start to cut corners. Tsion Gonen, Chief Strategy and Marketing Officer at SafeNet, summed this requirement up nicely in his article on usability and security in Forbes earlier this month... According to Brice, the beauty of IDaaS solutions is that for one of the first times, end-users and administrators hold a common interest: users get simplified authentication and single sign-on, and IT managers are able to maintain access control to their cloud-based applications.
The IT department will be able to decide if the multi-factor authentication is based on:
- multiple personal questions, as Facebook does
- a one-time password sent via SMS or email
- an authentication grid
- a software or hardware token
BYOD and cloud are not going away, and neither are the near-constant threats to enterprise security, especially in a time when a brute force attack can crack a standard eight-character password in less than six hours. As more organizations adopt cloud services, and as employees work virtually from just about anywhere – whether by choice or necessity – enterprises need to stay one step ahead with their security policies and leverage the latest authentication technologies that users can easily follow.
Any bets on when we’ll see widespread use of biometric three-factor authentication?
PS: for more information on authentication, our partner SafeNet has made Gartner’s 2013 User Authentication Magic Quadrant available on their website (registration required).
image © ekostsov - Fotolia.com
August 1, 2014