Security Focus Starts Inside

It is insiders (i.e. your company’s employees), not outside hackers, who represent the greatest threat to your information assets, and their unauthorized access to supposedly protected data can be accidental as often as it is intentional. This shows that most organizations have not taken sufficient measures to prevent insider access and attacks, or to ensure that internal security, particularly access control, is adequately addressed.

Strengthening authentication and making passwords stronger should be paramount when implementing an authentication, password management or identity management system. However, among a project’s goals, security is often secondary to usability. Password management focuses on improving the user experience, reducing the number of passwords, and centralizing passwords to ease the IT staff’s burden of managing multiple, disparate accounts. But by placing less emphasis on the security side of authentication, organizations put their assets at risk. Yes, productivity improves for end-users and IT staffers, to the point of achieving a respectable ROI. Nevertheless, with data theft on the rise, particularly during the economic downturn, even the most robust authentication solution cannot deliver enough ROI to cover the potential cost of a successful hacking event if its security features are inadequate.

Companies can easily and cost-effectively strengthen authentication and passwords while protecting access to sensitive data. Here are some possible approaches:

  • Incorporate password security functionality such as password strength validation, password expiration intervals, password frequency limits, and strike-out limits by person, group and hierarchy
  • Integrate the Kerberos authentication protocol with Active Directory authentication to mutually authenticate the user and the server to which they are attempting access — and without transmitting passwords.
  • Require users to respond to a set of pre-configured challenge questions in addition to entering their username and password. Multiple challenge question/response functionality is easy to set up and allows quick access.
  • Implement real-time monitoring and alert functionality to gain visibility into user login activity.
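One way to model the first bullet's "by person, group and hierarchy" policy resolution together with the strike-out limit and expiration interval. This is an added example, not PistolStar's code; the directory, the policy values and the 15-minute lockout window are constructed for illustration.

```python
import re

# Constructed sample directory: policy values resolve most-specific first (person, then group,
# then each parent group up the hierarchy), falling back to the organization-wide defaults.
DEFAULT = {"min_length": 12, "char_classes": 3, "max_age_days": 90, "strikeout": 5}
PARENT = {"corp": None, "finance": "corp", "helpdesk": "corp"}          # group -> parent group
OVERRIDES = {"finance": {"strikeout": 3, "max_age_days": 60},           # per-group settings
             "helpdesk": {"min_length": 16},
             "alice": {"strikeout": 10}}                                # per-person setting
GROUP_OF = {"alice": "finance", "bob": "helpdesk"}
LOCKOUT_SECONDS = 900   # constructed value for the strike-out lockout window

def resolve(user):
    chain, node = [user], GROUP_OF.get(user)
    while node:                       # walk up: user -> group -> parent -> ... -> root
        chain.append(node)
        node = PARENT.get(node)
    policy = dict(DEFAULT)
    for name in reversed(chain):      # broad levels first, so specific levels win
        policy.update(OVERRIDES.get(name, {}))
    return policy

def strength_ok(user, password):
    p = resolve(user)
    classes = sum(bool(re.search(rx, password)) for rx in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(password) >= p["min_length"] and classes >= p["char_classes"]

def attempt(state, user, password_correct, now):
    """Apply the strike-out limit and expiration interval; `state` is the account's mutable record."""
    p = resolve(user)
    if now < state.get("locked_until", 0):
        return "locked"
    if not password_correct:
        state["failures"] = state.get("failures", 0) + 1
        if state["failures"] >= p["strikeout"]:
            state["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
    state["failures"] = 0
    if now - state["password_set"] > p["max_age_days"] * 86400:
        return "expired"                # correct password, but the expiration interval has passed
    return "ok"
```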

Benefits can include:

  • Ensuring passwords and access-related features meet compliance requirements
  • Enabling secure access to applications and databases
  • Enforcing password policies
  • Achieving greater oversight of user login and authentication behavior
  • Increasing the overall efficiency of authentication and password management
  • Maintaining security overall

For more ideas, as well as to learn more about the above, contact Mark Cochran, a PistolStar authentication expert.

Greetings from Lotusphere

Happy New Year! We have been quiet the past couple weeks because we have been gearing up for Lotusphere 2009, which begins today in Orlando, FL at the Walt Disney World Swan and Dolphin Resort. PistolStar is exhibiting at booth # 433 — if you’re at Lotusphere, please stop by and say hello. We’re showcasing the latest versions of our authentication and password security software solutions, which integrate Microsoft Active Directory and Kerberos, enable ID-less Lotus Notes access and provide support for IBM WebSphere and Microsoft SharePoint as well as Lotus Domino. Our press announcement released today includes all the details.

Next-Gen Solution: SSO via Kerberos and Smart Cards

There are alternatives to using passwords for authentication, and one is smart cards. Because the Kerberos authentication protocol does not send passwords over the network, smart card logins to Microsoft Windows via Active Directory can leverage Kerberos to achieve single sign-on. Since no password travels across the network, Kerberos provides an additional layer of security.

End-users can achieve single sign-on to their applications after logging in to Microsoft Windows with their smart cards. They would insert their smart card into the card reader to log into their Windows desktop, and Windows would then prompt them for their PIN, which is used to authenticate them against Active Directory. When the end-user launches their applications, Kerberos authentication would interface with an Active Directory domain controller (acting as the KDC, or Key Distribution Center) to obtain an encrypted service ticket for the server they wish to access.

As a result, end-users would no longer need to remember or be prompted for their applications’ passwords; all they would need to authenticate is their smart card and PIN. If a smart card is lost, it would be replaced in one step. If a PIN is forgotten, it could be retrieved through self-service PIN recovery functionality that might employ a set of challenge questions and answers. In effect, the headache of manually replacing or recovering passwords would be eliminated.

Using smart card authentication with Kerberos benefits organizations because they would be able to put an end to the use of passwords as well as forgotten password scenarios. They would also have stronger authentication from using Kerberos and the added protection it provides by mutually authenticating the end-user and server they are accessing.

Kerberos Authentication Protocol: An Added Layer of Security

When Kerberos authentication is employed, there are no passwords sent over the network and the user and server are mutually authenticated, preventing server attacks and malicious programs that try to impersonate the server to get the user’s private information.

Originally developed at and used by the Massachusetts Institute of Technology (MIT), Kerberos has become the foundation for authentication in Windows operating systems since Microsoft implemented it as the default authentication mechanism in Windows 2000. Kerberos requires connectivity to a central Key Distribution Center (KDC), which, in Windows, is any Microsoft Active Directory domain controller. Users authenticate to the KDC, requesting encrypted service tickets for the specific service they wish to use (e.g. Web servers). Only the service and the KDC can decrypt the service ticket to get the user’s authentication information. The service trusts the credentials in the service ticket because it knows the ticket could only be created by the KDC and thus recognizes the user must have been authenticated by the KDC in order to receive the ticket.

Kerberos authentication is ideal for achieving single sign-on: because it integrates with Windows and Active Directory, users on Windows 2000, XP and Vista need only log on to the Windows domain at the start of their workday. When the user then wants to access a server that uses Kerberos authentication, their browser retrieves the service ticket from the KDC and sends it to the server automatically.
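A runnable model of the exchange described above, written for this article as an added example (not PistolStar's or MIT's code): the user's password never leaves the client, the service ticket can only be opened by the service and the KDC, and the server proves itself back to the user. It collapses Kerberos' separate AS and TGS exchanges into one ticket request and uses a constructed toy cipher in place of a real Kerberos encryption type; principal names, keys and lifetimes are assumptions.

```python
import hashlib, hmac, json, os, time

# Toy encrypt-then-MAC cipher (SHAKE-256 keystream + HMAC-SHA256 tag), constructed for this example; a wrong key fails the tag check.
def enc(key, data):
    nonce, pt = os.urandom(16), json.dumps(data).encode()
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def dec(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

def opens(key, blob):  # can this key read this ticket or reply?
    try:
        return dec(key, blob) is not None
    except ValueError:
        return False

def password_key(password, principal):  # derived locally by the user; the KDC stores the same key
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 4096)

# KDC key database with constructed sample principals; the service key is known only to the KDC and the service.
SERVICE_KEY = os.urandom(32)
KDC_DB = {"alice@EXAMPLE.COM": password_key("correct horse", "alice@EXAMPLE.COM"),
          "HTTP/web.example.com": SERVICE_KEY}

def kdc_issue(principal, service):
    # Request names user and service, no password. Ticket is sealed under the service key; the reply (same session key) under the user's key.
    session = os.urandom(32).hex()
    ticket = enc(KDC_DB[service], {"user": principal, "session": session, "expires": time.time() + 600})
    return ticket, enc(KDC_DB[principal], {"session": session, "service": service})

def client_login(principal, password, service):
    # Only a client holding the correct password-derived key can open the reply and learn the session key.
    ticket, reply = kdc_issue(principal, service)
    session = bytes.fromhex(dec(password_key(password, principal), reply)["session"])
    return session, ticket, enc(session, {"user": principal, "ts": time.time()})

def server_accept(ticket, authenticator):
    # The service opens the ticket with its own key (so the KDC must have issued it), checks the
    # authenticator against it, then echoes the timestamp under the session key to prove itself.
    t = dec(SERVICE_KEY, ticket)
    session = bytes.fromhex(t["session"])
    a = dec(session, authenticator)
    if a["user"] != t["user"] or time.time() > t["expires"] or abs(time.time() - a["ts"]) > 300:
        raise ValueError("authenticator does not match ticket, or ticket expired")
    return t["user"], enc(session, {"ts": a["ts"]})
```

The client checks mutual authentication by decrypting the server's reply with the session key and comparing the echoed timestamp with the one it sent.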

(PistolStar is a founding sponsor of the MIT Kerberos Consortium)