In other words, your organization's information security policy should drive the protection of your data. The technology that you choose, as well as its implementation, will then follow. Technology itself should not drive policy. Your policy should have a clearly defined data-classification standard. Generic marketing data that can't be tied back to individual customers is at a much lower risk than customer information with account numbers and Social Security numbers.
Data can be classified into high, medium or low risk. It can be stratified even further, if necessary, depending on your business requirements, the competitive environment or other confidentiality needs. The regulatory environment in your industry may also be a factor. For financial institutions, the Federal Financial Institutions Examination Council (FFIEC) is one oversight body charged with enforcing banking regulations. In health care institutions, the Health Insurance Portability and Accountability Act (HIPAA) governs protection of patient data.
Once your data has been inventoried and classified, then you can dig into the technical details of specific products. Now that you know what you have, you can figure out how to protect it.
At the bare minimum, no matter the size of your organization or the risk level of its data, you want a system that's compatible with your current IT environment and architecture. If you're a Windows shop, Active Directory should fit neatly into your environment. If you're a Linux or Unix shop, an LDAP directory (OpenLDAP, for example) is the usual alternative. Both directory services integrate with most authentication products, but confirm that the specific product supports yours before you buy so that you don't get caught in a bind.
There are a few other questions you need to ask yourself. Do you have remote users? This is something else to consider from a hardware standpoint. If users need access from laptops or BlackBerrys, you'll need compatible authentication products. Does the product scale? If your organization is growing, you'll want a system that can grow with you.
You can now tie the risk level to the technology. That will determine whether a simple user ID and password system is sufficient, or whether you need multifactor authentication.
There are three factors in authentication: something you know, such as a password or PIN (the user ID identifies you but is not a secret, so it is not a factor); something you have, like a token or a card; and something you are, meaning a physical characteristic like a fingerprint or a voice pattern. Tokens and cards include onetime password (OTP) tokens and smart cards. Biometric devices measure physical characteristics. Multifactor authentication means combining factors of different kinds; two passwords are still a single factor.
If the risk level is low -- for example, if you need to protect generic marketing data -- a single-factor authentication system might be enough. If your customers are performing high-value money transfers online, or if users need access to sensitive customer information, two-factor authentication might be in order.
And, last but not least, the cost of products will determine whether they fit into your budget. OTP systems require tokens that generate constantly changing one-time codes. The codes typically change every 30 to 60 seconds, and because the token and the authentication server must compute the same code from a shared secret and the current time, you need the vendor's server software and hardware to keep the two in sync (including some tolerance for token clock drift). Smart cards require special readers. Biometric devices require even more specialized hardware.
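To make the "sync" requirement concrete, here is an added example, written for this page rather than taken from any product or vendor, of how a time-based OTP token and its server stay in step. It implements the HOTP/TOTP construction (HMAC-SHA1 over a counter derived from the current time, 30-second steps) and the server-side verification window that absorbs small clock drift between token and server. The secret, timestamps and window size are assumptions chosen for illustration; the timestamps and codes match the published RFC 6238 test vectors.

```python
import hashlib
import hmac
import struct

# Shared secret provisioned into both the token and the server.
# This is the RFC 6238 SHA-1 test secret (the ASCII digits 1-9,0 repeated),
# used here only so the expected codes can be checked; a real deployment
# uses a random per-token secret.
SECRET = b"12345678901234567890"

STEP_SECONDS = 30  # how often the displayed code changes


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, then reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): the counter is the number of whole time steps
    since the Unix epoch, so token and server agree as long as their clocks do."""
    return hotp(secret, int(unix_time // step), digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                step: int = STEP_SECONDS, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. `window` is the number of time steps of clock drift
    tolerated in each direction (assumption: one step, i.e. +/-30 seconds).
    Codes are compared with a constant-time function to avoid timing leaks."""
    counter = int(unix_time // step)
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Token side: display the code for a given moment.
    t = 59  # RFC 6238 test timestamp, 59 seconds after the epoch
    code = totp(SECRET, t)
    print("token shows", code)
    # Server side: accept it within the drift window, reject it once it has aged out.
    print("accepted 30s later:", verify_totp(SECRET, code, t + 30))
    print("accepted 60s later:", verify_totp(SECRET, code, t + 60))
```

The window is the operational knob the text alludes to: widen it and tokens with drifting clocks keep working, but every accepted code is valid for longer and a captured code has more time to be replayed. Vendors typically pair a small window with a resynchronization step when a token falls outside it.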
In summary, risk level drives product choice, which in turn needs to be compatible with your systems at an acceptable price.
This was first published in February 2007