The proliferation of web-based, SaaS, and mobile apps gives users access to best-of-breed applications and services, but it also takes control away from the IT department. This places an extra burden on organizations that must ensure users can access resources as and when they need to, but in a manner that does not introduce security risks that lead to security incidents. Organizations need to balance the risk of allowing access to third-party applications and services against the freedom of choice and potential productivity gains they give users, and they do so by ensuring that appropriate authentication and access management processes are in place.
Authentication decisions cannot be taken with a one-size-fits-all approach, especially where sensitive information is being accessed from outside the firewall or where high-value transactions are being made. Rather, decisions should be based on context, which includes a number of possible factors such as who is accessing what, using which device, from what location, and at what time of day.
Organizations are increasingly looking to offer greater user convenience by providing single sign-on (SSO) to applications and services, whereby users authenticate just once to access all the applications and services they require for their job. This can also improve security, since users are not burdened with remembering multiple sets of credentials with differing password complexity requirements and expiration cycles. Users often try to get around the burden of remembering them all through unsafe practices, such as reusing the same credentials across multiple applications or storing passwords in an insecure location when they are too complex to remember easily.
However, while SSO provides many benefits, one single authentication event is not appropriate in all situations. Some applications and services provide access to highly sensitive information, such as customer information that could cause significant damage to the organization if that information fell into the wrong hands, whereas others do not. Access to sensitive data should be provided on a need-to-know basis, generally based on rights assigned to individuals or groups of persons according to their role.
In some circumstances this may not be sufficient, and it may be appropriate to impose further safeguards. For example, mobile devices are easily lost or stolen, so mobile device users may be required to provide some form of step-up authentication when accessing sensitive information and data. Other factors to consider include the location of the user, such as whether they are in the office or a hotel room, and the time of day. For example, it may be considered normal for a certain employee to access financial information during office hours, whereas access at midnight on a Saturday could be seen as a red flag.
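The context-based decision described in the preceding paragraphs can be made concrete as a small policy evaluator. The following is an added example, not code from the original article or from any product it describes; the resource catalogue, role names, device and location categories, the point values and the step-up threshold are all assumptions chosen to illustrate the idea. Role-based need-to-know is checked first (an unauthorized role is denied outright, no matter how strong the authentication), and only then is the remaining context scored to decide whether the existing SSO session is enough or step-up authentication is required.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed resource catalogue (assumption): sensitivity label plus the
# roles allowed to access each resource on a need-to-know basis.
RESOURCES = {
    "company_wiki": {"sensitivity": "internal", "roles": {"engineering", "finance", "sales"}},
    "customer_records": {"sensitivity": "sensitive", "roles": {"sales", "support"}},
    "financial_reports": {"sensitivity": "sensitive", "roles": {"finance"}},
}

OFFICE_HOURS = range(8, 19)   # 08:00-18:59, Monday to Friday (assumption)
STEP_UP_THRESHOLD = 3         # risk score at or above this requires step-up


@dataclass
class AccessContext:
    user: str
    role: str
    resource: str
    device_type: str   # "managed_laptop", "mobile" or "unknown"
    location: str      # "office" or "remote"
    when: datetime


def is_office_hours(when: datetime) -> bool:
    return when.weekday() < 5 and when.hour in OFFICE_HOURS


def risk_score(ctx: AccessContext) -> tuple[int, list[str]]:
    """Score the contextual risk of a request and explain each contribution."""
    score, reasons = 0, []
    if RESOURCES[ctx.resource]["sensitivity"] == "sensitive":
        score += 2
        reasons.append("sensitive resource")
    if ctx.device_type == "mobile":
        score += 1
        reasons.append("mobile device (easily lost or stolen)")
    elif ctx.device_type == "unknown":
        score += 2
        reasons.append("unmanaged or unknown device")
    if ctx.location != "office":
        score += 1
        reasons.append("access from outside the office")
    if not is_office_hours(ctx.when):
        score += 1
        reasons.append("access outside office hours")
    return score, reasons


def authentication_decision(ctx: AccessContext) -> tuple[str, list[str]]:
    """Return ("deny" | "allow" | "step_up", reasons).

    "allow" means the single SSO authentication event is sufficient;
    "step_up" means an additional factor must be presented first.
    """
    if ctx.resource not in RESOURCES:
        return "deny", ["unknown resource"]
    if ctx.role not in RESOURCES[ctx.resource]["roles"]:
        return "deny", [f"role '{ctx.role}' has no need-to-know for '{ctx.resource}'"]
    score, reasons = risk_score(ctx)
    if score >= STEP_UP_THRESHOLD:
        return "step_up", reasons
    return "allow", reasons


if __name__ == "__main__":
    # Constructed sample requests: a finance employee in the office on a
    # Tuesday morning, and the same employee at midnight on a Saturday.
    weekday = AccessContext("alice", "finance", "financial_reports",
                            "managed_laptop", "office", datetime(2024, 6, 4, 10, 0))
    weekend = AccessContext("alice", "finance", "financial_reports",
                            "mobile", "remote", datetime(2024, 6, 8, 0, 5))
    for ctx in (weekday, weekend):
        decision, why = authentication_decision(ctx)
        print(ctx.user, ctx.resource, ctx.when.isoformat(), "->", decision, why)
```

The point values are deliberately simple; in a real deployment they would be tuned per organization, and the returned reasons would be logged with the decision so that step-up prompts and denials can be audited later.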
Where step-up mechanisms are deemed necessary, they can be based on something the user knows, something they have, or something unique to them, such as a fingerprint biometric identifier. Something the user knows can be checked with challenge-response mechanisms, such as asking the user a question that only they can reasonably be expected to answer. This method, however, is losing ground as an authentication mechanism because social media users post vast swathes of information about themselves online, making it easier to discover or guess information that is personal to them.
Something the user has has traditionally meant a hardware security token provisioned to them, but this introduces an extra element of cost for organizations in distributing and managing those tokens. An alternative that is growing fast in popularity is the software-based token, which can be stored on a computing device or provisioned to users as required, for example via an SMS to a mobile device.
A third method is to base decisions on something unique to the user, namely a biometric identifier. This has long been considered a highly secure method for identifying users but, as with hardware tokens, it introduces an extra element of cost, as users must be provisioned with readers so that their biometric identifier can be captured. However, this looks set to change rapidly as mobile device manufacturers increasingly fit fingerprint scanners to the devices they offer, reducing the cost and providing greater convenience for the user as well.
The ongoing need to stay connected through web-based, SaaS, and mobile apps poses a unique set of challenges for the IT department. Thankfully, methods are continually being developed that will help those challenges diminish.