Move beyond weak mainframe passwords with advanced multifactor authentication

Flexibility is the key when it comes to multifactor authentication, and you can use these same methods to authorize access to your host systems as well. You can set up different authentication requirements for different types of users and manage everything from a central console. David Fletcher provides more insight in his blog.

More and more companies are moving to multifactor authentication. Almost everyone agrees that multifactor authentication is the best way to provide the strongest level of authentication (who you are). This technology is taking hold in many industries, and for the most part it’s working pretty well. Now ask yourself “How can I use multifactor authentication to authorize access to my host systems?”


Complex and Expensive?

Wow—things just got really complicated and expensive. Think about who is accessing your host systems today. Employees all over the world with different devices and different access needs. Business partners who need access but don’t have your same systems and devices. What about customers who are actually updating their own data via web services on your host systems? The level of complexity that comes with implementing multifactor authentication for enterprise applications is hard enough. Now throw in the mainframe and it’s enough to keep anyone from moving in that direction.

But what if there was a flexible and manageable way to use multifactor authentication for host applications? Because Micro Focus is the expert in securing and managing access to your host systems, we have developed new capabilities to make implementing and managing multifactor authentication flexible and affordable. You can even use the same products for implementing multifactor authentication for your enterprise applications and authorizing access to your host systems.

Affordable and Flexible:

The key to making multifactor authentication affordable and flexible is having a system that supports many different ways of authenticating. Such a system could support whatever methods of authentication are right for your users and your budget.

There are many different ways that a user can be authenticated. You can take advantage of the fact that most (if not all) employees or partners have a cell phone. No need for costly devices to increase security to your systems. What if you could let a partner choose between answering three security questions or using a fingerprint for authenticating or a combination of questions and cell phone?

Flexibility is the key when it comes to multifactor authentication. Now you can also use these same methods to authorize access to your host systems as well. You can set up different authentication requirements for different types of users and manage everything from a central console.

Micro Focus® Advanced Authentication, combined with Host Access Management and Security Server (MSS) and one or more of our terminal emulation clients, provides up to 14 different methods of authentication to authorize access to host systems. As new technologies emerge, you can count on Micro Focus to stay ahead of the game so that when you are ready to make a move, we are too.

To learn more about enabling multifactor authentication to authorize access to your host systems, contact your Micro Focus sales representative today.

Originally published here

Cloud nine or cloudburst? Cloud computing is reality, hybrid solutions are the consequence

In 2016, cloud computing is moving into the focus of many German mid-sized companies. Understandably so: driven by digital transformation, cloud computing optimizes the capital base by shifting selected IT costs from a capital-expenditure model to an operating-expense model. But what about security risks and the enforcement of compliance? Is data in the cloud really secure, where is it stored, and who controls it? In this new blog post, Christoph Stoica explains which aspects should be considered from an IT security perspective.

A look at Bitkom's current Cloud Monitor 2015 leaves no doubt: cloud computing has now arrived at German mid-sized companies too, and adoption is advancing in great strides. One of the main drivers of the increased acceptance of the cloud in Germany is digital transformation. Based on new technologies and applications, products, services and processes are being redesigned so that companies gradually turn into fully networked digital organizations. Anyone who thinks all of this is still a long way off and does not belong on the list of top priorities should be told: far from it!

We are already moving at top speed into a fully networked world. More and more people have mobile devices, leave digital traces in social networks, and wear wearables that transmit their personal data, voluntarily or not, and make it available to companies. Machines and objects can be reached digitally at any time via sensors and SIM cards, which leads to changed and extended value chains. The wealth of data collected in this way is an important raw material for companies which, put to proper use with capable analytics tools, can provide the decisive competitive advantage. The question is therefore not whether the digital transformation will take place, but how quickly company management sets the appropriate course in the IT infrastructure.

Digital transformation requires scalable infrastructures, both technically and in terms of international reach. Cloud services, whether public or private, with characteristics such as agility, adaptability, flexibility and responsiveness, are ideally suited to this. But what about the security risks and the enforcement of compliance? Is the data in the cloud secure? Where exactly is my data, and who controls it? Even though, following the recent Safe Harbor ruling, “big players” such as Amazon Web Services, Profitbricks, Salesforce and Microsoft are now relocating their data centers to Germany or at least to an EU location, that still does not resolve all security questions. Given the larger attack surface, is access management based on simple authentication with a username and password still sufficient?


Usernames and passwords are easily defeated these days; the new magic remedy is multi-factor authentication. An advanced authentication method using additional factors enables fast and precise identification. Different users or situations require different authentication; the method used must fit both the role and the context of the user and, of course, be appropriate to the risk rating of the information requested. Not every interaction carries the same risk for a company. Some interactions pose a greater danger. A risky interaction requires stronger authentication, provided for example by an additional piece of information (known only to the user), additional verification of identity over separate channels, referred to as out of band, or other elements.

However, using and managing such multi-level authentication procedures can become costly and confusing. With Advanced Authentication, Micro Focus offers a solution for the central management of all authentication methods, whether for your employees, suppliers or devices.


Christoph Stoica

Regional General Manager DACH

Micro Focus

Beyond QWERTY: What is the best authentication method?

Organizations today operate in increasingly complex IT environments. Besides maintaining the supporting IT infrastructure they face new challenges, such as the Cloud and incorporating hybrid solutions. Add in the security issues of home working and contractor access and it is clear why the ‘password problem’ is pretty difficult to solve. Rik Peters investigates in this fascinating blog.

Our last blog discussed why passwords are not enough to preserve data and system integrity.

If you need further proof, check out this list of the most popular passwords of last year. You can probably guess that ‘123456’ and ‘password’ figure pretty high up the list – first and second respectively – but there are plenty of blatantly obvious and equally hackable alternatives.

The lists for 2014 and 2013 have exactly the same suggestions in identical positions. Clearly organizations cannot rely on their people to maintain IT security. So – what are the alternatives? This blog attempts to establish the best authentication method.

The key word is ‘attempts’. In an ideal world, I would just give you the definitive answer. Everyone’s data would be safe, the hackers would be foiled and everything would be rosy. But life isn’t like that and there really is no such thing as “the best authentication method”. Certainly not as a catch-all solution that works for everyone.


Case-specific authentication

The right authentication method differs for each use case, organization, user and even geographical location. To illustrate the problem of trying to apply a general rule to a diverse spread of user scenarios, I have created some generic use cases and offer some insight into what kind of authentication method would fit. But before we get to the hypothetical, let’s look at the reality.

Organizations today operate in increasingly complex IT environments. Besides maintaining the supporting IT infrastructure they face new challenges, such as the Cloud and incorporating hybrid solutions. Add in the security issues of home working and contractor access and it is clear why the ‘password problem’ is pretty difficult to solve. Many authentication solutions only solve a specific part of the puzzle, as these scenarios illustrate.

  • We use remote access solutions like RSA and Vasco for remote access. We authenticate using hard or soft tokens to access the corporate VPN environment.
  • We are using on-premise solutions, including HID Smartcards or DigitalPersona biometrics to solve the password problem for employees.
  • We use Cloud solutions such as DUO and Symantec to help solve the federated authentication issue for protecting Cloud-based applications, including Salesforce and MS Office 365. These tend to use SMS or phone based authentication methods.

For some users it is perfectly normal to carry different tokens for their Cloud applications and VPN access and a smartcard for their corporate desktops – and to need strong authentication in three different systems.

Multiple passwords, more problems

These organizations can all maintain multiple solutions to solve the same password problem. This means a lot of work, cost and frustration for administrators and users alike; users need multiple authentication devices for the various environments while admins must maintain users in different systems.

So, back to our original question. What authentication fits best in which situation? Let’s try to define some use cases and match them with the three different authentication solutions.

  1. Remote access
  2. Desktop access
  3. Cloud access

So what authentication methods provide the best fit? Let’s start with the first.

Remote access
Users of corporate or home workstations need access to the company VPN. The best authentication method would not require software to be installed on the host workstation or connected to the workstation. So this would be a smartphone, tokens or email model.

Desktop access
Authentication takes place in a controlled environment on a company workstation. The organization controls what software runs on the devices and specifies the use of specific hardware, typically cards, biometrics, smartphones and hard tokens. Organizations with a BYOD policy typically share the same authentication practices as those using remote access.

Cloud access
Users tend to work on any device when accessing Cloud-based applications. These can be desktop, laptop, tablet or smartphone. Authentication methods requiring drivers or pre-installed software are a no-go here. Smartphones, tokens or email are fine.

So, while authentication methods vary between use cases, they are very alike for remote and Cloud-based access. Why are these methods not used in desktop access? Simply ease of use. Users find typing in an extra One-Time-Password every time they unlock their desktop too time-consuming. A fingerprint or smartcard is easier and faster.
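The matching described above can be expressed as a small policy check. This is an added example, not code from the original post or from any Micro Focus product. The property values assigned to each method, and the `needs_session` property used to keep email out of desktop unlock, are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Method:
    name: str
    host_software: bool      # needs a driver or pre-installed software
    attached_hardware: bool  # needs a reader or sensor on the workstation
    typed_otp: bool          # user types a one-time password
    needs_session: bool      # code lands in an inbox the user must already be able to open

# Methods named in the post; the property values are assumptions of this example.
CATALOGUE = {m.name: m for m in [
    Method("smartphone",  False, False, True,  False),
    Method("token",       False, False, True,  False),
    Method("email",       False, False, True,  True),
    Method("smartcard",   True,  True,  False, False),
    Method("fingerprint", True,  True,  False, False),
]}

def eligible(use_case: str, managed_device: bool) -> list[str]:
    """Return the method names that fit the use case, easiest to use first."""
    if use_case not in {"remote", "desktop", "cloud"}:
        raise ValueError(f"unknown use case: {use_case}")
    if use_case == "desktop" and managed_device:
        # Controlled endpoint: drivers and readers are acceptable, but the
        # factor must work before the user has an unlocked session.
        fit = [m for m in CATALOGUE.values() if not m.needs_session]
    else:
        # Remote, cloud and BYOD desktops: nothing installed or plugged in.
        fit = [m for m in CATALOGUE.values()
               if not (m.host_software or m.attached_hardware)]
    # Typing an OTP at every unlock is the friction the post describes, so
    # methods without it sort first; the name breaks ties deterministically.
    return [m.name for m in sorted(fit, key=lambda m: (m.typed_otp, m.name))]

def audit(enrolments: list[dict]) -> list[tuple[str, str]]:
    """Flag (user, method) pairs enrolled for a use case they do not fit."""
    findings = []
    for e in enrolments:
        allowed = set(eligible(e["use_case"], e["managed_device"]))
        findings += [(e["user"], m) for m in e["methods"] if m not in allowed]
    return findings

# Constructed enrolment records, not real data.
SAMPLE = [
    {"user": "alice", "use_case": "desktop", "managed_device": True,  "methods": ["fingerprint", "token"]},
    {"user": "bob",   "use_case": "cloud",   "managed_device": False, "methods": ["smartcard", "smartphone"]},
    {"user": "carol", "use_case": "desktop", "managed_device": False, "methods": ["email"]},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The audit flags only the smartcard enrolled for Cloud access, since a card reader and driver cannot be assumed on an arbitrary device.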


Multiple challenges, single solution

So we need different software solutions for each use case, right? Not any more. The Micro Focus Advanced Authentication solution supports authentication methods for every use case. Users register their authentication devices through a single enrolment portal and administrators manage all the users and methods in a single admin interface. Certain groups, such as administrative users, should and can use stronger authentication than others.

So a multi-level problem really can have one solution. Clearly, IT environments are only going to become more complex and none of us know what the next innovation will bring. What is clear, though, is that any organization hiding their sensitive business data behind QWERTY may not be around to see it.