Delfigo Security - Strong Authentication

Identity and Authentication Blog

New Generation Trojans Counter Token Based Temporary Passwords

A recent New York Times article once again draws attention to potential vulnerabilities of token-based temporary passwords. Saul Hansell describes in the article how hackers use new trojans to capture passwords in real time, thereby bypassing the security offered by a token-based device that uses a complex algorithm to generate a new temporary password every minute.

Source: How Hackers Snatch Real-Time Security ID Numbers


 

Cloud Security and Strong Authentication

I wholeheartedly agree with Fran Rosch's comment that the industry must move to stronger authentication technologies. There is no doubt in anyone's mind that simple User ID and Password (including strong passwords) offer very little to no security when it comes to protecting digital assets. 

The complexity and frequency of cyber threats today call for companies to consider a new breed of strong authentication - one that strives to validate the user and not just the device. One-time passwords (OTP) delivered through unique (individually assigned) tokens have been around for a while. Fran argues correctly that infrastructure costs limited the widespread use of such token-based OTP. The infrastructure costs may have been addressed with a cloud-based offering of OTP, but what about the usability of such token-based OTP? People lose or forget physical devices. People damage physical devices. I speak from personal experience, having learned from my own internal customer base.

Why not rely on technology that requires no tokens whatsoever? No plastic tokens, USB drives, SMS-enabled devices or software running on mobile devices. A strong authentication solution that is more than two-factor and delivers true multifactor authentication with zero distribution and end-user management costs is what enterprises should look for when having to scale solutions globally and across a large user base.

Bharat Nair is Vice President of Business Development at Delfigo Security, www.delfigosecurity.com, Boston, MA. He can be reached by e-mail or by phone at 1.617.248.6501. You can now follow Delfigo Security news and articles on twitter (@delfigo).


 

RSA Survey on Budget, Cost and Strong Authentication

A recent RSA survey, Tight Budgets Harm IT Security, once again reaffirms that the biggest complaint IT security executives have is having less money to handle increasing threats. When Delfigo started out just over a year ago we knew from years of experience managing IT departments that cost, both fixed and operating, was the top concern for identity and access management. That was a key element that drove early decisions to develop a solution that utilized open standards, easily integrated with existing technologies and back-end systems, and most importantly is simple to use and does not require end users to change their access routines or behaviors. There are no tokens or software downloads required. One of our key objectives was to eliminate the very things that create the majority of integration and management challenges, and drive up the total cost of ownership of the second factor or strong authentication solutions in the market today.


 

Data Security Breach Puts Twitter In The News Again

Twitter is in the news again - this time it was their internal documents stored on Google Apps that were hacked.

Questions about cloud security and the feasibility of storing critical information in Web-based services are being raised in the wake of a hacking incident involving Twitter and Google Apps.  

Twitter management was swift to jump into action with internal policy changes. With the popularity of Twitter on the uptick, security practices, policies, and procedures must be front of mind for the management team.

Companies such as Twitter, Google, and Facebook are immensely popular, with membership in the tens of millions. Strong passwords are simply no longer adequate to secure data and identity. I am sure these companies are concerned and challenged with how to best contain this increasing menace. However, it would be cost prohibitive for these companies, whose business model is based on free-use adoption, to start sending out tokens or force each member to install digital certificates in their browsers for second factor authentication. In addition, even if they were willing to set up token-based second factor authentication for members willing to pay a premium to protect online accounts, they would be confronted with significant integration, distribution and ongoing management challenges that would constantly impose a burden upon organizational resources.

Another primary concern is user convenience. Clearly these social media sites would not be enjoying the same level of popularity if members were subject to cumbersome processes to secure online access. Therefore, balancing the need for strong authentication with user convenience is of utmost importance for these companies as well. But this seemingly insurmountable challenge is not without a solution. Delfigo Security's business model and product architecture is predicated on addressing these very challenges - it provides implicit multifactor authentication without inconveniencing end users. There is no need for end users to change their current use patterns to have the assurance their account and profile information is secure on these sites. And our DSGateway platform is easily deployed, configured, and managed. It is a true zero footprint solution and requires no client downloads or tokens.

I agree with analyst Dan Blum of the Burton Group when he said, "I wouldn't store sensitive documents in a cloud-based service unless I had a lot of confidence in the specific service," Blum says. "I'd hold them to the same standards that you hold for your own internal applications. If you expect your internal applications to be accessed only through two-factor authentication then the cloud should be at least as secure as that."

Any regular user of these social media sites should be concerned as well. Delfigo would like to make Twitter and other social media companies an offer. We will provide our strong authentication solution free of per-user (member) fees for up to one year. If you want to assure that your information is safe you should hope they take us up on this offer.

Bharat Nair is Vice President of Business Development at Delfigo Security, Boston, MA. He can be reached at http://www.delfigosecurity.com or by phone at 1.617.248.6501. You can now follow Delfigo Security news and articles on twitter (@delfigo).


 

What Is "Intelligent Authentication"?

Intelligent authentication is the future of data security. It is the next step in the ongoing effort to authenticate or confirm users accessing and executing transactions with protected information assets, by providing real-time risk assessment and event driven security response during each user session.

Authentication in the networked world is directly tied to your digital identity. For security purposes it has traditionally been the initial interaction between systems and user where you prove you are who you say you are.[1] The user is typically required to provide the system with one or more "authentication factors". In simple terms, authentication factors are technical - something you have (ID card or security token), personal - something you know (password, phrase or PIN) or human - something you are (fingerprint, retinal scan or other biometric identifier).

First factor authentication is normally username / password. However, this has proven to be of limited value for security. Passwords, even when properly enforced, are a security vulnerability, as they can be easily shared, copied or stolen. Second factor authentication was devised to provide stronger authentication given the inherent weakness of single factor authentication. In two factor authentication, the standard login (username / password) is combined with a second factor, usually in the form of a security token. But implementing many second factor authentication solutions usually requires expensive tokens, smart cards or other devices, and can prove cost prohibitive both in terms of initial distribution and overall management.

 

Data Security Standards: FFIEC Compliance

"FFIEC (Federal Financial Institutions Examination Council) compliance is conformance to a set of standards for online banking issued in October 2005 by the Federal Financial Institutions Examination Council (FFIEC). The standards require multifactor authentication (MFA) because single-factor authentication (SFA) has proven inadequate against the tactics of increasingly sophisticated hackers, particularly on the Internet. In MFA, more than one form of authentication is implemented to verify the legitimacy of a transaction. In contrast, SFA involves only a user ID and password."



 

Data Security Standards: PCI Compliance

Payment Card Industry (PCI) Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.

Is PCI a law? No. It is a worldwide information security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). Enforcement of compliance is done by organizations processing transactions (i.e. Visa, Mastercard, American Express etc.).

PCI DSS Requirements (Wikipedia)

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software on all systems commonly affected by malware
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security



 

Secret Challenge Questions Offer Weak Authentication

According to Technology Review, Microsoft and Carnegie Mellon University will present new research at the IEEE Symposium on Security and Privacy to show once again that secret questions used for password backup authentication are easy to guess and provide less than adequate security.

The new research found that:

28 percent of the people who knew and were trusted by the study's participants could guess the correct answers to the participant's secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.

We have regularly argued here that passwords alone are very vulnerable, and not sufficient security. We have also believed that this was equally true for demonstrably simple questions, and this study clearly supports our beliefs. Despite all the effort and expense that goes into deploying and managing these complex and expensive identity management solutions, the fact remains that if someone really wants to gain access to your account they very likely will. And in most cases it may not be that difficult. There is clearly a need for a lower cost, less complex solution that provides the strong authentication required to prevent identity theft and reduce fraud.

The well-publicized incident involving the breach of Republican VP Candidate Sarah Palin's Yahoo account highlighted this problem late last year. With a little effort any enterprising individual can gather the personal knowledge (e.g. mother's maiden name, high school name, pet name, street name) necessary to make some fairly targeted guesses, and eventually gain control of an account.


 

Virginia's Prescription Monitoring Database Hacked

Over the weekend, MarketWatch reported hackers broke into the State of Virginia's Prescription Monitoring Program (PMP) database and are demanding a $10 million ransom. The nature of this crime is mind-boggling but not a surprise considering the increasing trend in identity theft. It should serve as an eye-opener to ensure adequate authentication and authorization policies are put in place, especially when databases with large volumes of individual data are managed for statewide use.

The Virginia database is intended for doctors and pharmacies across the state to track and reduce the abuse and illegal sale of painkillers. It is not clear from the article how the hackers accessed the patient records, but it is obvious that a database of this nature should have a strong authentication solution. However, there are many inherent challenges with the distribution and management of hardware-based second factor authentication solutions, chief among them integration and cost. It may be that it is just not plausible for the State to implement a second factor solution, such as "distributed" token-based second factor authentication, for use by the thousands of potential end users needing access.

Forrester Research's recent report on the State of Enterprise IT confirms that cost and complexity are the top barriers to Identity and Access Management. Delfigo Security has made it a point to address these challenges. Our business model focuses on lowering total cost of ownership, and our technology architecture concentrates on eliminating the hassles of integration, distribution and management.

I agree with Gov. Kaine, "it is difficult to foil every criminal that may want to do something against you". There is a need for manageable, cost effective solutions to prevent these types of brazen criminal acts from becoming regular occurrences.

Bharat Nair is Vice President of Business Development at Delfigo Security, www.delfigosecurity.com, Boston, MA. He can be reached by e-mail or by phone at 1.617.248.6501.


 

