The Authentication Usability Balancing Act
With mobility and the cloud dominating today's computing landscape, IT needs to examine new methods of ensuring trustworthy access, including risk-based authentication methods that strike a balance between robust security and accessibility.
There's a major paradigm shift underway, with mobility and cloud-based computing transforming the way IT delivers services to end users. More and more employees are coming to work armed with their own personal smartphones and tablets, while online customer portals and Web-based supplier hubs are going live to bolster supply chain collaboration and deliver better customer service. Under constant pressure to lower costs, IT groups are moving applications out of the data center and onto the cloud, typically as some form of Software-as-a-Service.
This new world of IT is putting serious pressure on traditional security models, elevating risk and calling for new ways of ensuring trustworthy access. Just reading the headlines is a wake-up call. Earlier this summer, Yahoo! suffered a breach that exposed roughly 450,000 user names and passwords, stored in plaintext; LinkedIn had an incident in which some 6.4 million password hashes (unsalted SHA-1, which is why so many were cracked within days) were made public; and Dropbox, the popular file-sharing service, confirmed that passwords stolen from other websites had been reused to sign in to a number of its users' accounts.
It's not just the online services that are at risk. Back at the corporate enterprise, the tried and true concept of a secure perimeter is being tested by accelerated demand for mobile access and by the growing number of applications running outside the data center. As companies cross the chasm to the borderless enterprise, strong authentication is quickly becoming a prerequisite, not just for a select few users but for every user across the enterprise. At that scale, traditional strong authentication approaches may not deliver an adequate user experience and may in fact be too cumbersome for widespread adoption.
Traditional strong authentication approaches couple "something you know," a user name and password, with "something you have," a separate physical or cryptographic mechanism such as a hardware token employed as a second factor. Yet despite their relative simplicity, tokens aren't universally practical. Users forget or misplace them, and every lost token becomes an ongoing IT support task: verifying the user some other way, issuing a replacement, and revoking the old one.
That's where risk-based authentication comes in. The aim of this alternative is to reduce the tradeoff between best-in-class security and usability. With risk-based authentication, the physical token is replaced by a set of technologies that, taken together, are intended to deliver comparable assurance for the common case, but with a far more friendly and accessible user experience.
Symantec's Validation and Identity Protection (VIP) Service is a case in point. The service, which does accommodate a variety of token-based authentication options, also provides a token-less layer of additional security beyond the traditional user name and password logins.
Here's how it works: Before it authorizes entry into any system, the service computes an identifier for the device, derived from its observable attributes, from the fingerprint of the operating system and installed browser to specific hardware configuration parameters. From there, a threat analysis is conducted to determine whether the device has a history of being "unhealthy" or of functioning as a potential "bad actor." The threat analysis is fueled by Symantec's own Global Intelligence Network, which logs events around the clock on a worldwide basis to monitor attack activity, along with malware intelligence and the identification of vulnerabilities. User behavior is also examined to flag anomalous conditions such as logging in from an unexpected location.
Based on this series of steps, and through the combination of passwords, device identification, and risk analysis, Symantec VIP determines whether the device is known and trustworthy or whether there are suspicious behaviors and potential threats. If it's the former, access is granted without an additional challenge. If red flags are raised, the system automatically invokes an out-of-band authentication process that puts another set of checks in place before authorizing access. In the usual pattern for risk-based authentication, the elevated-risk scenario triggers a challenge, typically a one-time code sent by SMS, email, or voice call, that the user must supply to validate the identity before access is granted.
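The flow described above, as an added example rather than Symantec's own code or algorithm: a small risk engine that hashes a canonical form of the device attributes into a fingerprint, checks it against a device-reputation list and the user's known devices, adds a location anomaly signal, and maps the resulting score to allow, step-up or deny. On step-up it issues a short-lived, single-use out-of-band code and verifies it with a constant-time comparison and an attempt limit. The weights, thresholds, user profile, device attributes and reputation list are all constructed for illustration and are assumptions, not values from the page.

```python
"""Risk-based authentication with out-of-band step-up (added example, not vendor code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Thresholds and weights are assumptions chosen for illustration.
STEP_UP_THRESHOLD = 30     # score >= this requires an out-of-band code
DENY_THRESHOLD = 80        # score >= this is refused outright
CODE_TTL_SECONDS = 300     # one-time code lifetime
MAX_CODE_ATTEMPTS = 3      # guesses allowed before the challenge is dead


def device_fingerprint(attrs):
    """Hash a canonical (sorted key=value, newline-joined) form of the device attributes.
    This is only a risk signal: a fingerprint can be copied and replayed, so it is
    never treated as a possession factor on its own."""
    canonical = "\n".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)     # fingerprints seen before
    usual_countries: set = field(default_factory=set)   # where this user normally logs in


def assess_risk(profile, attrs, country, bad_devices):
    """Combine device reputation, device recognition and location anomaly into a score."""
    fp = device_fingerprint(attrs)
    score, reasons = 0, []
    if fp in bad_devices:                      # threat intelligence: known bad actor
        score += 60
        reasons.append("device has bad-actor history")
    if fp not in profile.known_devices:        # device identification: never seen for this user
        score += 30
        reasons.append("unrecognised device")
    if country not in profile.usual_countries:  # behaviour anomaly: unexpected location
        score += 30
        reasons.append("login from unexpected location")
    return score, reasons


def decide(score):
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def issue_code(now):
    """Create an out-of-band challenge. Only a hash of the code is stored server-side;
    the plaintext code is what would be sent by SMS, email or voice call."""
    code = f"{secrets.randbelow(10**6):06d}"
    challenge = {"digest": hashlib.sha256(code.encode()).hexdigest(),
                 "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    return challenge, code


def verify_code(challenge, submitted, now):
    """Expiry check, attempt limit, constant-time compare, single use."""
    if now > challenge["expires"] or challenge["attempts"] >= MAX_CODE_ATTEMPTS:
        return False
    challenge["attempts"] += 1
    digest = hashlib.sha256(submitted.encode()).hexdigest()
    if hmac.compare_digest(digest, challenge["digest"]):
        challenge["expires"] = 0   # a code that has been accepted cannot be replayed
        return True
    return False


def authenticate(profile, attrs, country, bad_devices, password_ok, send_code=print, now=None):
    """Password first; then the risk assessment decides allow / step_up / deny.
    send_code stands in for the SMS/email/voice channel (assumed interface)."""
    now = time.time() if now is None else now
    if not password_ok:
        return {"decision": "deny", "score": None, "reasons": ["bad password"]}
    score, reasons = assess_risk(profile, attrs, country, bad_devices)
    result = {"decision": decide(score), "score": score, "reasons": reasons}
    if result["decision"] == "step_up":
        challenge, code = issue_code(now)
        send_code(code)                 # out of band: never returned to the browser
        result["challenge"] = challenge
    return result


# Constructed sample data: not real devices, users or reputation feeds.
LAPTOP = {"os": "Windows 7 SP1", "browser": "Firefox 14.0", "screen": "1920x1080", "tz": "-0500"}
KIOSK = {"os": "Windows XP SP3", "browser": "IE 6.0", "screen": "1024x768", "tz": "+0800"}
BAD_DEVICES = {device_fingerprint(KIOSK)}
ALICE = UserProfile(known_devices={device_fingerprint(LAPTOP)}, usual_countries={"US"})

if __name__ == "__main__":
    print(authenticate(ALICE, LAPTOP, "US", BAD_DEVICES, True))                 # allow
    print(authenticate(ALICE, {**LAPTOP, "browser": "Chrome 21.0"}, "RU", BAD_DEVICES, True))  # step_up
    print(authenticate(ALICE, KIOSK, "US", BAD_DEVICES, True))                  # deny
```

Two things the example makes explicit that the description above leaves implicit: the fingerprint contributes to the score but is never accepted as proof of possession, because it can be replayed by anyone who has captured it; and the assurance of the step-up depends entirely on the out-of-band channel, so the code must be short-lived, single-use and rate-limited, or a 6-digit value can simply be guessed.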
Heading to the Cloud
Of course, the ongoing march to the cloud presents yet another set of challenges around authentication. There are multiple cloud scenarios: public enterprise applications like Salesforce.com, public non-enterprise apps like Dropbox, and apps hosted on internal, private clouds. Each has its own security model, which injects another layer of complexity, and to date there hasn't been a common way to manage the various environments.
Symantec's O3 offering takes on that challenge, providing a single authentication and control point for all cloud applications and services as well as users, devices, and critical data. O3 functions as an additional layer above the cloud, providing bumper-to-bumper security, including all the strong authentication capabilities of Symantec VIP, in addition to other features such as single sign-on for improved usability, policy-based management to effectively authorize and audit user behavior, and encryption for instances that require escalated data security and compliance.
Regardless of whether your organization's future lies in on-premises implementations or with the cloud, or more likely a combination of both, Symantec's VIP and O3 can deliver the strong authentication capabilities that today's security requirements demand. Symantec's integrated authentication technologies are also flexible in that they can be implemented on-premises or as a managed service, for lower total cost of ownership along with the ability to leverage Symantec's expertise and investment in operational excellence.