Clearly, you need to protect your authentication systems from attack and sabotage. That may be obvious, but the consequences of overlooking the obvious are frequently catastrophic. When you build an authentication policy, you need to take into account both your data and your people.
Under the first category is the value of the resource users will be accessing. This is determined by the monetary loss, or exposure to loss, if the data were accessed by unauthorized individuals. The greater the value of the asset, and the higher the likelihood of a successful attack through impersonation, the stronger the authentication you should require.
You also need to assess the people factor: Who needs to access what information, and when do they need it? Identify groups, or roles, that share common authentication requirements. There shouldn't be any individual who has totally unique authentication requirements. Each group should have two or more users, so there is no single point of failure. Once users are assigned to groups, you can begin to build an authentication policy based on who accesses what.
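The three rules above (authentication strength tied to asset value, no one-person groups, nobody with unique requirements) expressed as a small policy audit. This is an added example, not from the article; the strength ladder, exposure thresholds, asset names and users are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed strength ladder and exposure thresholds (hypothetical, not from the article).
STRENGTH = {"password": 1, "password+token": 2, "token+biometric": 3}

def required_strength(exposure_usd: int) -> int:
    """Minimum strength level for an asset, from the monetary loss if it were breached."""
    if exposure_usd >= 1_000_000:
        return 3
    return 2 if exposure_usd >= 100_000 else 1

@dataclass
class Asset:
    name: str
    exposure_usd: int      # loss, or exposure to loss, if accessed by an unauthorized party

@dataclass
class Role:
    name: str
    members: tuple         # users who share this role's authentication requirement
    method: str            # key into STRENGTH
    assets: tuple          # asset names the role may access

def audit_policy(roles, assets):
    """Return findings for the three checks; an empty list means the policy passes."""
    findings, exposure, methods_per_user = [], {a.name: a.exposure_usd for a in assets}, {}
    for r in roles:
        if len(set(r.members)) < 2:                 # a one-person group is a single point of failure
            findings.append(f"{r.name}: fewer than two members")
        for a in r.assets:                          # strength must match the asset's value
            need = required_strength(exposure[a])
            if STRENGTH[r.method] < need:
                findings.append(f"{r.name}: {r.method} too weak for {a} (needs level {need})")
        for u in r.members:
            methods_per_user.setdefault(u, set()).add(r.method)
    # no individual should be the only person with a given set of requirements
    share = Counter(frozenset(m) for m in methods_per_user.values())
    for u in sorted(methods_per_user):
        if share[frozenset(methods_per_user[u])] == 1:
            findings.append(f"{u}: unique authentication requirements")
    return findings
# Constructed sample policy: two assets, three roles.
ASSETS = [Asset("payroll", 2_000_000), Asset("intranet", 10_000)]
ROLES = [
    Role("staff", ("alice", "bob", "carol", "erin"), "password", ("intranet",)),
    Role("payroll-admins", ("alice", "bob"), "password+token", ("payroll",)),
    Role("auditor", ("dave",), "token+biometric", ("payroll",)),
]
```

Running `audit_policy(ROLES, ASSETS)` on the sample flags the payroll admins' method as too weak for the asset's value, the single-member auditor role, and dave as the only user with his combination of requirements.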
...They Will Ignore It
Building an authentication policy is one thing. Implementing, managing and enforcing it is a different matter.
Many organizations simply settle for the authentication included with their operating systems and applications. In some cases, authentication can be consolidated through meta-directories, single sign-on software or applications that can leverage existing user directories. However, many times heavy lifting is required to integrate products with user directories.
Passwords are the favored mechanism for authentication because they are cheap, familiar and available. However, minimum password complexity enforcement varies widely across applications. Support for stronger authentication is available using tokens or biometrics, or a combination of methods.
But you know and we know that stronger is better and that investments in security will reap benefits. For example, enforced strong authentication provides a foundation for building access-control systems for internal and external users. However, you can't argue for better authentication by discussing ROI: the return is not monetary unless you actually stop a theft. What you get with strong authentication and authentication management, such as that provided by the specialized tools we tested (see "PremiereAccess Heads a Pedestrian Pack"), is the assurance that users at all levels are being properly authenticated. Only then is the likelihood of malicious users impersonating others to gain unauthorized access to resources reduced.
Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs®; he covers all security-related topics. Prior to joining this magazine, Mike worked as an independent consultant in central New York. Send your comments on this article to him at mfratto@nwc.com.