Deploying a robust authentication system is the first step, as it forms the backbone of any security strategy. But with plenty of solutions available in the market, it is important that organisations choose one that takes into account their technological and security needs, ease of integration and interoperability, as well as future readiness.
By Rana Gupta
Given the recent rise in data breaches, security is at the top of the agenda of every organisation. According to the Breach Level Index (BLI) by SafeNet, now acquired by Gemalto, over one billion data records were compromised in 2014, translating into a 49% increase in data breaches from the previous year. This has led to seven in ten organisations adjusting their security strategy, as per the 2015 Data Security Confidence Index by Gemalto.
Hackers are constantly looking for innovative ways to steal sensitive data, making a username and password alone inadequate to deter breaches. Identity theft is one of the most common forms of data breach. According to the BLI report, 54% of all data breaches in 2014 were related to identity theft. With so much data and credibility at stake, it is important that enterprises adopt strong authentication and security solutions to validate the identities of users and devices that access the network from anywhere and at any time.
They must deploy a comprehensive layered approach to protect their sensitive information and systems from abuse and fraud. This can be achieved by combining sound IT and access policies with a combination of advanced technologies such as strong authentication, encryption and effective key management. Identifying their vulnerabilities, evaluating loopholes and understanding their security needs can help them develop a strategy that works best for them.
Deploying a robust authentication system is the first step, as it forms the backbone of any security strategy. But with plenty of solutions available in the market, it is important that organisations choose one that takes into account their technological and security needs, ease of integration and interoperability, as well as future readiness. They cannot control when and how the threats will appear, but with sound policies and best practices, organisations can be better prepared to face the evolving challenges.
Select an authentication solution that suits you the best
Organizations are becoming more complex and one solution simply does not fit all. On one hand, we have different employees with different risk profiles, based on their roles in the organization. On the other hand, we have thousands of employees, partners and contractors logging on to networks from around the world using a myriad of devices, accessing resources stored on premises, in virtual locations or in clouds. Organizations face significant challenges in protecting data from unauthorized access that result from trends and newer technologies like cloud computing, bring your own device, and work from home. They can address these threats with simple and cost-effective solutions such as:
Multi-Factor Authentication (MFA): Implement MFA for strong user access and authentication. With MFA, the user provides two or more independent means of identification for authentication – something the user knows, such as a user ID and password; something the user possesses, such as a One Time Password (OTP) generated from a hardware, software or mobile token; and something the user is, such as a biometric fingerprint. Since only authorized people have the right combination, validating employees with MFA offers better security than a traditional password. OTPs overcome the shortcomings of a static password. They are an effective security measure that enables employees to log into a network or access data, for a single session, using a uniquely generated password. For additional protection, more forms of identification, such as a biometric fingerprint, can be required.
Certificate-based authentication (CBA): CBA offers a higher level of authentication by using two different channels of authentication. It is most effective for users in an organization who have access to sensitive information. Leveraging public key infrastructure technology, it uses private and public encryption keys unique to the user and an authentication device, enabling them to digitally sign transactions, documents and even emails, protecting the user.
Context-based authentication: This is a cost-effective approach to access control. It uses pre-defined rules set by the IT administrator to authenticate a user. Through risk-appropriate questions and authentication, users are prompted to review and approve the details of every action using compatible readers with secure keypads, or special tokens. This increases awareness of the actions and validates their act of will before the action is approved. It uses multiple context-based parameters, such as the geographic location of the user, the IP address being used, a reasonable access time, and even the type of device used to access the network, to validate actions, thereby optimizing security.
Consider all access points: Today, 24×7 work environments and a globalized workforce are the norm. Employees and business partners access data from different parts of the world. This data may reside in remote locations, in the cloud, or on the office premises, and access requests might even come from virtual offices that are set up in homes, or from public places such as coffee shops, malls, and airports. With so much data at stake, organizations need to ensure that they implement strong authentication systems to safeguard their assets from multiple access points.
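The context-based rules described above (location, IP address, access time and device type) can be expressed as a small policy check. This is an added example, not part of the original article or any vendor's product; the policy values, field names and the ALLOW / STEP_UP / DENY outcomes are assumptions chosen for illustration, with STEP_UP meaning the user is asked for a second factor such as an OTP.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed policy: every value here is an illustrative assumption.
POLICY = {
    "trusted_networks": [ip_network("10.20.0.0/16"), ip_network("192.0.2.0/24")],
    "allowed_countries": {"IN", "SG"},
    "work_hours": (time(7, 0), time(20, 0)),
    "managed_devices": {"laptop-0142", "phone-0977"},
}

@dataclass
class AccessRequest:
    user: str
    source_ip: str
    country: str      # assumed to come from an upstream geo-IP lookup
    local_time: time
    device_id: str
    sensitive: bool   # True when the target resource holds sensitive data

def failed_checks(req, policy=POLICY):
    """Return the names of the context rules this request does not satisfy."""
    failed = []
    ip = ip_address(req.source_ip)
    if not any(ip in net for net in policy["trusted_networks"]):
        failed.append("network")
    if req.country not in policy["allowed_countries"]:
        failed.append("location")
    start, end = policy["work_hours"]
    if not (start <= req.local_time <= end):
        failed.append("time")
    if req.device_id not in policy["managed_devices"]:
        failed.append("device")
    return failed

def decide(req, policy=POLICY):
    """ALLOW on normal context, STEP_UP on limited anomalies, DENY otherwise."""
    failed = failed_checks(req, policy)
    if not failed:
        return "ALLOW", failed
    # An unmanaged device in an unexpected country is refused outright.
    if {"device", "location"} <= set(failed):
        return "DENY", failed
    # Sensitive resources tolerate one anomaly before denial, others two.
    limit = 1 if req.sensitive else 2
    return ("STEP_UP" if len(failed) <= limit else "DENY"), failed
```

Logging the returned list of failed rules alongside each decision gives the audit trail a record of why a request was challenged or refused.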
Organizations can also complement their security framework by adding security measures such as the following:
Use pre-boot authentication to protect a mobile workforce and portable devices: Organisations face newer and different security threats with an increasingly mobile workforce and trends like bring your own device. In such a situation the risk of data being compromised by lost or stolen devices increases multi-fold. Pre-boot authentication becomes essential, since it allows only authorized personnel to boot a system and perform administrator-based operations.
Develop auditing and forensic capabilities: Given the increasing number of security attacks, it is imperative for every organization to set policies that allow for routine checks to detect breaches. Audit trails and forensics can play an instrumental role in doing so. These can help in recognizing breaches early, or in collating information on successful or unsuccessful attempts to access an organization's network. With effective tools in place, organizations will be able to detect, nullify and pre-empt simple or sophisticated attacks made by hackers.
Security should be a continuous process
As hackers become more sophisticated, having a holistic view of security is important. An organisation's security should be a continuous process that is best developed by evaluating risks and implementing solutions that address them on a regular basis. Using a robust, easy-to-integrate, trustworthy, yet user-convenient solution is an absolute must. Ultimately, enforcing them at every level, from top management and privileged users to common employees, can be a sensible way to protect organizations from external and internal cyber threats.
The author is Vice-President, APAC Sales, Identity & Data Protection, Gemalto. Views are personal.