Beyond QWERTY: What is the best authentication method?

Organizations today operate in an increasingly complex IT environment. Besides maintaining the supporting IT infrastructure they face new challenges, such as the Cloud and incorporating hybrid solutions. Add in the security issues of home working and contractor access and it is clear why the ‘password problem’ is pretty difficult to solve. Rik Peters investigates in this fascinating blog.

Our last blog discussed why passwords are not enough to preserve data and system integrity.

If you need further proof, check out this list of the most popular passwords of last year. You can probably guess that ‘123456’ and ‘password’ figure pretty high up the list – first and second respectively – but there are plenty of blatantly obvious and equally hackable alternatives.

The lists for 2014 and 2013 show the same entries in the same positions. Clearly organizations cannot rely on their users’ password choices to maintain IT security. So – what are the alternatives? This blog attempts to establish the best authentication method.

The key word is ‘attempts’. In an ideal world, I would just give you the definitive answer. Everyone’s data would be safe, the hackers would be foiled and everything would be rosy. But life isn’t like that and there really is no such thing as “the best authentication method”. Certainly not as a catch-all solution that works for everyone.


Case-specific authentication

The right authentication method differs for each use case, organization, user and even geographical location. To illustrate the problem of trying to apply a general rule to a diverse spread of user scenarios, I have created some generic use cases and offer some insight into what kind of authentication method would fit each. But before we get to the hypothetical, let’s look at the reality.

In reality, organizations have to secure an increasingly complex mix of on-premises infrastructure, Cloud and hybrid services, home workers and contractor access, and most authentication solutions only solve one specific part of that puzzle, as these scenarios illustrate.

  • We use remote access solutions from RSA and Vasco, authenticating with hard or soft tokens to reach the corporate VPN environment.
  • We use on-premises solutions, including HID smartcards or DigitalPersona biometrics, to solve the password problem for employees on their corporate desktops.
  • We use Cloud solutions such as DUO and Symantec to solve the federated authentication issue for Cloud-based applications, including Salesforce and MS Office 365. These tend to use SMS or phone-based authentication methods.

For some users it is perfectly normal to carry different tokens for their Cloud applications and VPN access and a smartcard for their corporate desktops – and to need strong authentication in three different systems.

Multiple passwords, more problems

Each of these organizations ends up maintaining multiple solutions to the same password problem. This means a lot of work, cost and frustration for administrators and users alike: users need multiple authentication devices for the various environments, while admins must maintain the same users in several separate systems.

So, back to our original question. What authentication fits best in which situation? Let’s define three access scenarios and match each with an authentication method.

  1. Remote access
  2. Desktop access
  3. Cloud access

So what authentication methods provide the best fit? Let’s start with the first.

Remote access
Users on corporate or home workstations need access to the company VPN. The best authentication method here would not require software to be installed on the host workstation or hardware to be connected to it. That points to a smartphone, a token or an email-based model.

Desktop access
Authentication through a controlled environment on a company workstation. The organization controls what software runs on the devices and specifies the use of specific hardware, typically cards, biometrics, smartphones and hardtokens. Organizations with a BYOD policy typically share the same authentication practices as those using remote access.

Cloud access
Users tend to work on any device when accessing Cloud-based applications: desktop, laptop, tablet or smartphone. Authentication methods requiring drivers or pre-installed software are a no-go here. Smartphones, tokens or email are fine. Of these, email and SMS one-time codes are the weakest, since the code can be phished from the user or intercepted in transit; they are a step up from a password alone rather than a substitute for a hardware token or smartcard.

So, while authentication methods vary between use cases, they are very alike for remote and Cloud-based access. Why are these methods not used in desktop access? Simply ease of use. Users find typing in an extra One-Time-Password every time they unlock their desktop too time-consuming. A fingerprint or smartcard is easier and faster.


Multiple challenges, single solution

So we need different software solutions for each use case, right? Not any more. The Micro Focus Advanced Authentication solution supports authentication methods for every use case. Users register their authentication devices through a single enrolment portal and administrators manage all the users and methods in a single admin interface. Certain groups, such as administrative users, should and can use stronger authentication than others.

So a multi-level problem really can have one solution. Clearly, IT environments are only going to become more complex and none of us know what the next innovation will bring. What is clear, though, is that any organization hiding their sensitive business data behind QWERTY may not be around to see it.

Insider Threat: A New Perspective

How can IT security managers reduce the risk of the insider threat? Simon Puleo makes an interesting case in this great new blog.

Did you ever think that the person sitting next to you could be considered an insider threat to your organization? It is hard to believe the malicious activity could be so close to home, but when you consider that hackers use social profiles to target users with elevated privilege to systems or data, it raises an eyebrow. According to a 2015 Black Hat survey, 45% of hackers say that privileged account credentials are their most coveted target. Hackers look to take advantage of the insider and exploit those privileges because these insiders have access to the most sensitive and lucrative data. Secondarily, the insider, the person you have coffee with, may be involved in espionage (spying), data destruction and data theft.

How does this lead to a new perspective? Most of the time when I discuss cyber criminals they fall into these broad categories:

  • Organized Crime – Much like Al Capone ran an organized crime syndicate with the purpose of profiting from smuggled alcohol, twenty-first century organized crime profits from stolen and smuggled credit cards, holding systems hostage and stolen IP. Extortion, fraud and theft are their calling cards.
  • Hacktivists – Those exploiting the internet and stealing secrets for social causes; think of Anonymous.
  • Nation State – Secret groups in governments all over the world designed to spy on and steal government and private intellectual property.
  • The Black Hat – The renegade hacker or individuals who hack for fun or simply to spread chaos.

Insider Threat

But the insider could be you or me; it is anyone with access to systems or data. The insider is the careless user who shares a password or leaves their computer unlocked. The insider is the unknowing pawn of the criminal hacker, installing malware and viruses as the result of a social engineering or spear-phishing attack. The insider is the person who uses their access for malicious activities, perhaps as part of an organized crime ring, a disgruntled employee or a mentally unstable person. Regardless, the goal of the cyber-criminal, whether on or off premises, is to obtain the ‘keys to the kingdom’: access to files, systems and data.

Up until recently the most proactive measures against the insider were education campaigns promoting good security practices, security policy and anti-virus tools. These measures are not enough, and traditional solutions like IDS, IPS and firewalls are focused on the perimeter, not on the insider, who is a legitimate user and consumer of data. So what approach can we take from an IT perspective to be proactive against the insider threat?

Enforce the concept of ‘least privilege’: in simpler terms, ensure that users, and especially privileged users, have access only to the files and systems they need to do their jobs effectively. The receptionist needs a different set of access rights than the accountant. This can go as far as granting access only at the right times as well. Consider: does a receptionist need access to the directory after business hours?


Manage access to systems and files in a way that assures the identity of every user. How can we ensure the right users are accessing systems, and how can we prove they are who they say they are? Is a user name and password enough assurance for access to transactional data? Multi-factor authentication is the strongest answer, combining something the user knows, like a password, something they have, like a token, and something they are, like a fingerprint or facial scan. This may sound futuristic, but where information is valuable more organizations are turning to multiple types of verification.

And finally we need to monitor what users are doing in real time to ensure they aren’t accidentally or maliciously changing and/or deleting data. When suspicious behavior is found, tools are needed to quickly find out who is performing an activity and what is happening, so that security teams can take action to minimize damage from potential threats. When especially high-risk user activity is detected, access to sensitive systems can be revoked automatically.
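The two controls described above, a least-privilege policy with business-hour windows and real-time monitoring that revokes access on high-risk activity, can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from the original post or from any Micro Focus product. The roles, resources, time windows, the bulk-delete threshold and the audit log lines are all constructed for illustration.

```python
"""Least-privilege policy with time windows, replayed against an audit log.

Added example, not code from the original post or any Micro Focus product.
The roles, resources, business-hour windows and log lines are constructed
for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed policy: deny by default. Each role lists only the resources it
# needs, each with a (start, end) window or None for round-the-clock access.
POLICY = {
    "receptionist": {"directory": (time(8, 0), time(18, 0)),
                     "visitor-log": (time(8, 0), time(18, 0))},
    "accountant":   {"ledger": (time(7, 0), time(20, 0)),
                     "directory": (time(8, 0), time(18, 0))},
    "dba":          {"ledger": None, "payroll-db": None},
}

# Actions treated as high risk when one user issues several in a row.
DESTRUCTIVE = {"delete", "drop", "truncate"}


def is_allowed(role, resource, when):
    """Return True only if the role is entitled to the resource at this time."""
    perms = POLICY.get(role, {})
    if resource not in perms:          # unknown role or unlisted resource: deny
        return False
    window = perms[resource]
    if window is None:                 # no time restriction for this pair
        return True
    start, end = window
    return start <= when.time() < end


def allowed_at(role, resource, iso_timestamp):
    """Convenience wrapper taking an ISO-8601 timestamp string."""
    return is_allowed(role, resource, datetime.fromisoformat(iso_timestamp))


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate_log(lines, bulk_threshold=3):
    """Replay audit lines of the form 'timestamp user role resource action'.

    Returns the per-line decisions and the set of users whose access should
    be revoked: anyone acting outside their entitlement or window, or anyone
    who reaches bulk_threshold destructive actions. Once revoked, a user's
    later lines are denied regardless of policy.
    """
    decisions, revoke, destructive = [], set(), {}
    for line in lines:
        ts, user, role, resource, action = line.split()
        when = datetime.fromisoformat(ts)
        if user in revoke:
            decisions.append(Decision(False, f"{user}: access already revoked"))
            continue
        if not is_allowed(role, resource, when):
            revoke.add(user)
            decisions.append(Decision(
                False, f"{user}: {role} not entitled to {resource} at {when.time()}"))
            continue
        if action in DESTRUCTIVE:
            destructive[user] = destructive.get(user, 0) + 1
            if destructive[user] >= bulk_threshold:
                revoke.add(user)
                decisions.append(Decision(
                    False, f"{user}: {destructive[user]} destructive actions on {resource}"))
                continue
        decisions.append(Decision(True, f"{user}: {action} on {resource}"))
    return decisions, revoke


# Constructed audit log (not real data).
AUDIT_LOG = [
    "2016-03-14T09:15:00 alice receptionist directory read",
    "2016-03-14T21:40:00 alice receptionist directory read",   # after hours
    "2016-03-14T10:00:00 bob accountant ledger update",
    "2016-03-14T10:01:00 bob accountant payroll-db read",      # not entitled
    "2016-03-14T02:10:00 carol dba payroll-db delete",
    "2016-03-14T02:10:05 carol dba payroll-db delete",
    "2016-03-14T02:10:09 carol dba payroll-db delete",         # third: revoke
    "2016-03-14T02:11:00 carol dba ledger read",               # already revoked
]

if __name__ == "__main__":
    results, to_revoke = evaluate_log(AUDIT_LOG)
    for d in results:
        print("ALLOW" if d.allowed else "DENY ", d.reason)
    print("revoke:", sorted(to_revoke))
```

Two design points carry over to a real deployment. The policy denies by default, so a role or resource that nobody thought to list gets no access rather than accidental access. And the monitoring step keys on the user, not the role: carol’s deletes are each individually permitted for a DBA, but three in ten seconds at two in the morning is the pattern that should cut off the session and page the security team.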

How can you reduce the risk of the insider threat? Start with ‘least privilege’: restrict access to sensitive data to only those with a need. Develop controls and policies to ensure users have the right privileges, challenge users when they access sensitive data, monitor for malicious behavior, and lead with an Identity-Powered Security approach. To learn more about the insider and privileged users, download the flashpoint paper Privileged Users: Managing Hidden Risk in Your Organization.

DevOps Adoption – A Problem SHAREd…

After another hugely positive SHARE event, Derek Britton from Micro Focus reflects on one of the hottest topics in enterprise IT today: DevOps.

Great Minds…

The digital era is forcing organizations to meet customer demand faster than ever. Delivering better IT faster is at the heart of the DevOps promise. At this month’s SHARE event in San Antonio, Texas, the mainframe community took its responsibilities for DevOps very seriously. Technical tracks on DevOps and on application development, test and delivery were numerous. Additionally, the SHARE EXECUforum breakout featured a panel discussion on DevOps with industry commentators. I was lucky enough to participate on the panel, which also included:

  • Jeff Henry, Vice President of Product Management at CA Technologies, responsible for driving cross platform business solutions
  • David Rizzo, Director of Product Development, responsible for leading the development of Compuware products
  • Rosalind Radcliffe, Distinguished Engineer within IBM, and Chief Architect for DevOps for Enterprise Systems
SHARE EXECUforum DevOps panel

Official excerpts from the SHARE EXECUforum discussion on DevOps are the property of the SHARE organization (and available to its members). What became clear during the discussion is that many of the topics aligned with Micro Focus’ thinking. Here are my personal takeaways from an illuminating discussion.

Why DevOps and why now?

The panel agreed on why now is the right time for DevOps to prevail. IT in 2016, and the commercial world it serves, has changed almost beyond recognition from even 10 years ago. Through greater consumerization, demand from vocal and fickle customers has grown into a torrent of requirements. Meanwhile, the method of supply has also proliferated beyond comparison, in a BYO-anything, always-on, always-available market. Almost inevitably, the volume and variety of information available and expected keeps growing as the pace of change continues to accelerate.

Supplying those information services faster and faster is a necessary outcome of the evolution of the digital economy. DevOps promises to help deliver IT faster by removing barriers to delivery and collaboration, by being smarter across the delivery cycle.

A Cultural Conundrum

Changing an organization to work in a different way is anything but easy, but that is what DevOps entails. The cultural ramifications of DevOps adoption were the foundation of the panel discussion. Considerations included:

Business sponsorship: popular though it might be, DevOps is usually an IT initiative. It needs the business to acknowledge and accept the initiative as one that has business merit, which in turn requires the desired outcome to be quantified and approved. As I stated during the panel discussion, “IT is under pressure from the business to explain the value of DevOps”.

Proof of value: businesses are reluctant to undergo huge internal change without demonstrable proof. Selecting an appropriate project or activity that illustrates the value of DevOps is worthwhile, if not imperative.

Infrastructure: determining the key areas of change is also fundamental. Job functions, underlying technology usage, workflow and collaboration, even entire departments, are subject to possible major upheaval in the longer term. Failing to plan those aspects carefully will only hamper longer-term adoption.

(For more Cultural aspects – read my recent blog)

Technology Questions

Plans for cultural adoption will fall on stony ground, however, without resolution of some key technological considerations, two of which were discussed by the panel:

Unifying Development – with different teams working in different ways in different tools, inviting them to work together is futile without unifying how they work.

Streamlining Testing – As IBM’s Rosalind Radcliffe states “It doesn’t help to … improve the productivity of the development team if there isn’t an environment for them to develop and run their … tests”. Resolving testing bottlenecks is a major consideration.

DevOps on show

It wasn’t just conversation on offer to SHARE delegates, however; they also had a chance to watch demonstrations of the IDE and testing technology at the heart of the DevOps proposition. During one of the technical sessions, the IDE Shootout, Micro Focus joined other vendors in showing the power at IT’s fingertips today for eradicating enterprise delivery bottlenecks with DevOps. Technical expert Bob Schoppert led the charge, showcasing how Micro Focus’ contemporary mainframe modernization technology can make a significant difference in unifying the development process, increasing development efficiency and breaking through problems in testing capacity and bandwidth.

Efficient, unified mainframe application development from Micro Focus

Conclusion

DevOps is going mainstream, and smart organizations are looking to adopt it as a modern approach to the challenges of the digital economy. A careful cultural approach combined with smart, contemporary technology offers a route towards successful implementation. If you want to join the discussion, learn more about our DevOps perspective, and expect more of the same at the next SHARE event: see you in Atlanta!

#MFSummit2016: product roadmaps and Tube maps

In the digital economy, our customers are contending with unprecedented user demand and an explosion of information to supply. We’re helping them build, operate and secure core IT services by building bridges between what works today and what is needed tomorrow. Here’s a personal reflection of my time at #MFSummit2016 in London.

To reach Prince Philip House, the venue for the inaugural Micro Focus customer conference, I had the choice of six different Tube lines. No wonder frequent users talk about the ‘complexity, cost and confusion’ of the London Underground.

Those problems end for most commuters when they get to work. For many of our customers, that is when they begin. As I explained in my keynote speech, innovation is both the culprit and the solution.

Recent disruptive technologies, including web, Cloud and mobile, are increasing opportunity and complexity in equal measure. Streamlining a process or delivering a new IT service, expanding core platforms, embracing new application technology, overhauling user interfaces, implementing new security controls … they all improve the customer experience while confusing the picture for the organisation.

Harry Beck knew how to express complicated systems in an attractive, linear way. So we drew inspiration from his finest work to map the scale of the complexity, cost and confusion facing our customers.


Platform alteration?

But these are only the known knowns. Like the London Underground, new lines are inevitable. So our first post-merger, cross-portfolio conference was a good opportunity to assess the challenges and set out our strategy to scale them. It was, after all, a summit.

Much of today’s business innovation is driven by consumer demand for the rapidly-evolving supply of information. These days we are all IT consumers with heightened expectations around access to refined information wherever we are, from our preferred device.

Meeting that demand adds to the complexity of already convoluted processes and creates confusing, disparate, heterogeneous systems. The cost is a given. These elements make delivering effective innovation increasingly difficult just as demand is increasing.

But it can be done. Micro Focus enables its customers to innovate faster with lower risk by enabling them to embrace new technology while building on what already works, in essence bridging the old and the new.

So what does that mean for our customers? Put simply, we have assembled a portfolio focused on three primary capabilities: to build, operate and secure business-critical applications and infrastructure.


Our promise to customers is that they can innovate faster with lower risk. That means building the applications that meet the needs of the business today and tomorrow, operating data centers and business services with the best balance of cost, speed and risk and securing their data against the latest threats.

In summary

In his pre-conference blog, Andy King promised delegates that a visit to #MFSummit2016 would put them in a better position to navigate the challenges of business and IT change. The message seems to have resonated.

“As an application modernization consultant, I fully agree with the Micro Focus ‘bridging the old and the new’ vision. Their Build technology is especially impressive and helps us deliver greater value, more quickly, to our customers.” Mike Madden, Director, Legacy IT.
