Authentication Adaptability: Survival is Key

“It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is the most adaptable to change.” – Charles Darwin

As Charles Darwin put it so eloquently, adapting to change is how you survive. The same principle translates directly to authentication: the practices behind strengthening authentication must adapt to changing circumstances.

The idea is that change is inevitable and businesses that cannot adapt will be weeded out. For authentication and security, this is an ongoing challenge that businesses face in the form of regulatory compliance, authentication trends and ever-increasing attacks.

Although most industries experience this, it is an especially pressing issue for the financial, insurance and healthcare industries. These industries are heavily regulated and thus subject to constant compliance requirements. They also hold huge amounts of personal information and data, making them prime targets for evolving attacks and identity theft.

Some of the more prevalent attacks include:

One example of adaptation in the financial industry has been the popularity and increasing use of online banking. Although it is extremely convenient for end users, the question is how the financial industry will adapt its authentication to protect users’ extremely sensitive data on the internet.

In order to adapt, financial institutions follow the FFIEC guidelines and implement multi-factor authentication and stronger authentication such as one-time passwords. The financial industry is required to maintain a high level of data protection and is therefore leading the way in authentication and security. Reviewing how these vulnerable industries operate is a great way to understand where to set the bar for your own required level of data protection.

Issues in Compliance for Instant Messaging

October 12, 2009 by Kimberly Johnson
Filed under: IT Security, compliance

Compliance is always a large concern, especially with attacks and data breaches increasing. It is important to understand the industry and regulatory requirements that need to be enforced within your corporation and security environment. One area that experts are beginning to see as an issue is instant messaging. This is a communication method that is hard to regulate and record, which could pose problems for industries with strict compliance standards.

In a recent article by Dmitry Shapiro, CTO at Akonix Systems, Inc., “Instant Messaging and Compliance Issues: What You Need To Know”, the issues that are becoming ever more present with IM are discussed. The main issue is the sheer volume of users on these IM systems, totaling in the hundreds of millions. On top of that is what IT managers fear most: the public IM systems, such as AOL Instant Messenger and Yahoo Messenger.

Although IM is a functional tool for communication, there are key areas that raise significant compliance concerns:

- Record Retention
- Information Security
- Theft
- Copyright Infringement

These issues grow with the number of users and the amount of information on these systems. With public IM services, the control a manager would have over an internal system is taken away. Tasks such as auditing, logging and deleting records all become problems when the manager cannot oversee the whole system and the web of IMs being created.

Without compliance and monitoring, one thing is apparent: risk will increase. Shapiro says the main issues to watch for are:

- Organization of records
- Retention of records
- Tamper-proof records
- Record retrieval
- Off-site copies

And many more…

With acts such as the Sarbanes-Oxley Act, HIPAA and GLBA, the ability to control, monitor, protect and delete records is essential. These regulations require IT managers to remain compliant and come up with ways to monitor their users’ IM behavior. If this is not done, IMs will become a strong source of theft and cybercrime.

Announcing PortalGuard: Stronger authentication and enhanced security and compliance for SharePoint and WebSphere

Today, we announced the latest product addition to the PistolStar family — PortalGuard — which provides authentication security, access control and self-service password features for Microsoft SharePoint and IBM WebSphere and WebSphere Portal. Check out the press release.

Access Control: More Critical in Today’s High Risk Environments

There are too many opportunities available in large organizations for people to try to gain unauthorized access to networks and databases. With the downturn in the economy prompting layoffs, downsizing and consolidation, companies are seeing an increase in the incidence of insider hacking. The insider threat is the hardest to detect, yet it poses the greatest risk to data security and regulatory compliance. Numerous user authentication actions, such as using expired and weak passwords, making password changes, and striking out, could signal a security risk. Some of these events may require immediate attention if the security of the enterprise could be compromised.

Controlling access is a critical requirement for protecting customer and financial data, and even more imperative for safeguarding corporate assets during these difficult times. The news last year that a Countrywide employee with access to sensitive data had been arrested for taking 2 million names and personal information from the mortgage bank and selling them for a profit demonstrates the potential impact of a single insider and the need to have controls and monitoring in place. Clearly, even authorized users can misuse data or handle information in unauthorized ways.

With an authentication solution that can manage and monitor user login activity, organizations can achieve greater access control and gain a vital tool for learning where security risks may lie. Auditing may be considered a subset of security, but we cannot overstate its value for the larger enterprise that oversees tens of thousands of users at multiple levels (both internal and external) with access rights of varying degrees. With access control and auditing capabilities, an organization can significantly reduce the risk of insider hacking events, generate greater security administration efficiencies and reduce auditing and compliance costs. In terms of what it can save in potential costs due to intrusions and unauthorized access to and handling of sensitive data, access control can provide a tremendous return on investment.

Tales of Tailored Authentication

We’ve found that over 25% of our customer engagements involve making adaptations to Password Power, our authentication software framework. Many organizations need to implement an authentication system that fits tightly with their environment, meets their specific security and compliance requirements and addresses their unique complexities. We’re focused on getting the word out about our flexibility to deliver a tailored authentication solution for our customers and have the case studies to demonstrate it!

We recently issued a press release on the tailored authentication solution we installed for the German military. This press release was featured on numerous media sites, including Investor’s Business Daily.

The German military needed to enhance security and enable self-service password recovery for its 140,000 users. Full details on this will be in a soon-to-be published case study; however, you can find more information on this customer engagement as well as our other tailored authentication deployments in our newsletter, the Technical Journal for Password Management. Issue Q4 2008 showcases six case studies in tailored authentication, each involving different authentication technologies, such as smart cards and government CAC cards, different platforms, and different issues, such as reducing logins to diverse applications and increasing access control.

Staying on Top of Login Threats with Real-Time Alerts

December 29, 2008 by Chief Content Writer
Filed under: Authentication Security

If you are an administrator in charge of password management and password security for a large enterprise, then you know how important it is to stay on top of a complex range of events, from expired passwords and passwords that do not meet strength rules to questionable login behaviors and inappropriate password usage.

These events occur constantly when you have hundreds or thousands of individuals (both legitimate and unauthorized) attempting to access your systems. There are simply too many opportunities that people can exploit to gain unauthorized access. Numerous user authentication behaviors, both maliciously intentional and unwitting, can signal as well as trigger a security risk. These events typically need to be addressed, and some require immediate attention if the overall security of the enterprise could be compromised.

User authentication events that administrators need to track include the following, among others:

  • Whose password expired?
  • When was the last login/logoff?
  • Passwords used that do not meet strength rules
  • How many bad passwords were used during login?
  • Who struck out or got locked out?
  • Was a guest account used?
  • Was an administrator account used?
  • Was a deactivated account used?
  • Who changed their password?

To stay on top of any potential or actual password security issues, administrators must audit user activity vigilantly, maintain audit trails and, more importantly, have real-time notification of the issues that arise.

A rule-based, event-driven alert system would assist administrators on many levels. They would be able to:

  • Discover flaws in their authentication process
  • Isolate and track the activities of individual users
  • Ensure that systems are working properly
  • Demonstrate compliance with government and industry regulations
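A small rule-based, event-driven alert evaluator of the kind described above, covering the tracked events listed earlier (bad passwords, strike-outs, guest, admin and deactivated account use, expired passwords, password changes). This is an added example, not PistolStar's product code; the log format, event names, account-type flags and the three-strike threshold are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log (not real data): "<time> <event> user=<name> key=value ..."
SAMPLE_LOG = """\
08:00:01 login_failed user=alice reason=bad_password
08:00:05 login_failed user=alice reason=bad_password
08:00:09 login_failed user=alice reason=bad_password
08:00:12 lockout user=alice
08:01:00 login_ok user=guest type=guest
08:02:30 login_ok user=bob type=deactivated
08:03:10 password_changed user=carol
08:04:00 login_ok user=root type=admin
08:05:00 login_failed user=dave reason=expired_password
"""
BAD_PASSWORD_THRESHOLD = 3  # assumed policy value, not from the original page

# Stateless rules: (predicate over one event, severity, message template)
RULES = [
    (lambda e: e["event"] == "lockout", "high", "account locked out"),
    (lambda e: e["event"] == "login_ok" and e.get("type") == "deactivated",
     "high", "deactivated account used"),
    (lambda e: e["event"] == "login_ok" and e.get("type") in ("guest", "admin"),
     "medium", "{type} account used"),
    (lambda e: e["event"] == "login_failed" and e.get("reason") == "expired_password",
     "low", "login attempt with expired password"),
    (lambda e: e["event"] == "password_changed", "info", "password changed"),
]

def parse(line):
    time, event, *pairs = line.split()  # one event per line, key=value extras
    return {"time": time, "event": event, **dict(p.split("=", 1) for p in pairs)}

def run_rules(log_text):
    """Evaluate each event as it arrives; return (severity, user, message) alerts."""
    alerts, bad_counts = [], defaultdict(int)
    for line in log_text.splitlines():
        ev = parse(line)
        for predicate, severity, template in RULES:
            if predicate(ev):
                alerts.append((severity, ev["user"], template.format(**ev)))
        # Stateful rule: count consecutive bad passwords per account
        if ev["event"] == "login_failed" and ev.get("reason") == "bad_password":
            bad_counts[ev["user"]] += 1
            if bad_counts[ev["user"]] == BAD_PASSWORD_THRESHOLD:
                alerts.append(("medium", ev["user"], "repeated bad passwords"))
        elif ev["event"] in ("login_ok", "lockout"):
            bad_counts[ev["user"]] = 0  # a success or a lockout resets the counter
    return alerts

def needs_immediate_attention(alerts):  # real-time notifications; the rest feed the audit trail
    return [a for a in alerts if a[0] == "high"]
```

Lower-severity alerts still land in the audit trail, so the same event stream serves both real-time notification and later compliance reporting.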