13 Jun 2014

Enterprises have typically focused on securing the network perimeter and relied on static passwords to authenticate users inside the firewall. This is insufficient, given the nature of today’s Advanced Persistent Threats (APTs) and internal risks associated with Bring Your Own Device (BYOD) adoption. Static passwords can be a potential recipe for a security disaster. In this article Julian Lovelock, Vice President of Product Marketing, Identity Assurance HID Global explains that enterprises would benefit from not only employing strong authentication for remote access, but also extending its use to cover the desktop, key applications, servers, and cloud-based systems as part of a multi-layered security strategy.

Unfortunately, choosing an effective strong authentication solution for enterprise data protection has traditionally been difficult. Available solutions have been inadequate either in their security capabilities, the user experience they deliver, or in the cost and complexity to deploy them. Now, we have the opportunity to eliminate these problems using Near Field Communications (NFC)-enabled credentials that can reside on smart cards or smartphones, and can be employed to secure access to everything from doors, to data, to the cloud. Versatile, NFC-based strong authentication solutions can:

  • Support converged secure logical access to the network and cloud-based services and resources, as well as physical access to buildings, offices and other areas;
  • Support mobile security tokens for the most convenient and secure access from smartphones or tablets; and 
  • Deliver multifactor authentication capabilities for the most effective threat protection, as part of a multi-layered security strategy.

The challenges of strong authentication

Multi-factor authentication, also known as strong authentication, combines something the user knows (such as a password) with something the user has (such as mobile and web tokens), and can also be extended to include a third factor in the form of something the user is (which can be ascertained through a biometric or behaviour-metric solution).

Users have grown weary of the inconvenience of hardware OTPs, display cards and other physical devices for two-factor authentication. Additionally, OTPs are useful only for a limited range of applications. The industry is now replacing hardware OTPs with software tokens that can be held on such user devices as mobile phones, tablets, and browser-based tokens. With software OTPs, organizations are able to replace a dedicated security token with the user’s smartphone, enabling the two-factor authentication to grow in popularity and convenience. A phone app generates an OTP, or OTPs are sent to the phone via SMS. However, there are security vulnerabilities with software OTPs that have driven the need for a far more secure strong authentication alternative, such as smart cards based on the Public Key Infrastructure (PKI). The downside to this approach, however, is its high cost and level of complexity to deploy. 

Future mobile opportunities

NFC-based mobile model will deliver particularly robust security, and will be especially attractive in a BYOD environment

The benefits of NFC technology are many as it becomes a standard feature of smart phones, tablets and laptops targeted at the enterprise market. Users can have a smart card or smartphone that grants access to resources by simply “tapping in” – without the need to enter a password on touch-screen devices, or the need for additional devices to issue and manage. In addition, there are a number of steadily growing NFC-based tap-in use cases that are poised for strong adoption in the enterprise, including tap-in to facilities, VPNs, wireless networks, corporate Intranets, cloud- and web-based applications, and SSO clients, among many other scenarios. These benefits and the wide range of potential applications – along with the fact that manufacturers are enabling more and more phones, tablets and laptops with NFC -- are driving many companies to seriously consider incorporating secure NFC-based physical and logical access into their facilities and IT access strategies.

The mobile model will deliver particularly robust security, and will be especially attractive in a BYOD environment. It will be implemented within a trusted boundary, and use a secure communications channel for transferring identity information between validated phones, their secure elements (SEs), and other secure media and devices. The authentication credential will be stored on the mobile device’s secure element, and a cloud-based identity provisioning model will eliminate the risk of credential copying while making it easier to issue temporary credentials, cancel lost or stolen credentials, and monitor and modify security parameters when required. It will also be possible to combine mobile tokens with cloud app single-sign-on capabilities, blending classic two-factor authentication with streamlined access to multiple cloud apps on a single device that users rarely lose or forget.

The NFC tap-in strong authentication model will not only eliminate the problems of earlier solutions, it will also offer the opportunity to achieve true convergence through a single solution that can be used to access IT resources while also enabling many other applications. These include such physical access control applications as time-and-attendance, secure-print-management, cashless vending, building automation, and biometric templates for additional factors of authentication – all delivered on the same smart card or NFC-enabled phone alongside OTPs, eliminating the need to carry additional tokens or devices. Historically, physical and logical access control functions were mutually exclusive within an organization, and each was managed by different groups. Now, however, the lines between these groups will begin to blur.

Enterprises would benefit from employing strong authentication for cloud-based systems as part of a multi-layered security strategy

Additional considerations for the cloud

As identity management moves to the cloud and enterprises take advantage of the Software as a Service (SaaS) model, there are other critical elements to consider. For instance, it will be critical to resolve challenges around provisioning and revoking user identities across multiple cloud-based applications, while also enabling secure, hassle-free user login to those applications.

The most effective approach for addressing data moving to the cloud will likely be federated identity management, which allows users to access multiple applications by authenticating to a central portal. It also will be critical to ensure the personal privacy of BYOD users, while protecting the integrity of enterprise data and resources. Several other security issues also emerge. IT departments won’t have the same level of control over BYODs or the potentially untrustworthy personal apps they may carry, and aren’t likely to be loading a standard image onto BYODs with anti-virus and other protective software. Nor is it likely that organizations will be able to retrieve devices when employees leave. We will need to find new and innovative ways to address these and other challenges. Notwithstanding the risks, the use of mobile phones equipped with SEs, or equivalent protected containers, opens opportunities for powerful new authentication models that leverage the phone as a secure portable credential store, enabling use cases ranging from tap-in strong authentication for remote data access, to entering a building or apartment.

Additionally, as BYOD continues to grow in popularity and many cloud-based applications are accessed from personal devices, enterprises will need to take a layered approach to security, recognizing that no single authentication method is going to address the multiple devices and multiple use cases required by today’s mobile enterprise.

A Layered security approach

In addition to multi-factor user authentication as the first layer of security, both inside the firewall and in the cloud, there are four other layers that should be implemented.

The second layer is device authentication. In other words, once it is determined that the user is who he or she says she is, it is important to verify that the person is using a “known” device. For this step, it is important to combine endpoint device identification and profiling with such elements as proxy detection and geo-location.

Migration to NFC-based strong
authentication and true converged
solutions requires an extensible
and adaptable multi-technology
smart card and reader platform

The third layer is ensuring that the user’s browser is part of a secure communication channel. Browser protection can be implemented through simple passive malware detection, but this does not result in the strongest possible endpoint security. It is more effective to use a proactive hardened browser with mutual secure socket layer connection to the application. 

The fourth layer is transaction authentication/pattern-based intelligence, which increases security for particularly sensitive transactions. A transaction authentication layer can include Out-Of-Band (OOB) transaction verification, transaction signing for non-repudiation, transaction monitoring, and behavioural analysis. 

The final layer is application security, which protects applications on mobile devices that are used to deliver sensitive information. The application must be architecturally hardened and capable of executing mutual authentication. Adding this layer makes data theft much more complex and costly for hackers.

Effectively implementing these five security layers requires an integrated versatile authentication platform with real-time threat detection capabilities. Used in online banking and ecommerce for some time, threat detection technology is expected to cross over into the corporate sector as a way to provide an additional layer of security for remote access use cases such as VPNs or Virtual Desktops.

Migrating to new capabilities

Migration to NFC-based strong authentication and true converged solutions requires an extensible and adaptable multi-technology smart card and reader platform. For optimal flexibility and interoperability, this platform should be based on open architecture, and enable both legacy credential and new credential technology to be combined on the same card while also supporting NFC-enabled mobile platforms. To meet security requirements, the platform should use contactless high frequency smart card technology that features mutual authentication and cryptographic protection mechanisms with secret keys, and employs a secure messaging protocol that is delivered on a trust-based communication platform within a secure ecosystem of interoperable products. 

With these capabilities, organizations can ensure the highest level of security, convenience, and interoperability on either cards or phones, along with the adaptability to meet tomorrow’s requirements including a combination of both strong authentication for protecting the data and applications in the cloud, and contactless high-frequency smart card capabilities for diverse physical access control applications. 

With proper planning, organizations can solve the strong authentication challenge while extending their solutions to protect everything from the cloud and desktop to the door. These converged solutions reduce deployment and operational costs by enabling organizations to leverage their existing physical access control credential investment to seamlessly add logical access control for network log-on. The result is a fully interoperable, multi-layered security solution across company networks, systems and facilities.