In this podcast on authentication methods, information security expert Russ Rogers helps you through pre-project and project considerations when implementing authentication solutions for your customers. In this podcast, Russ takes a deeper look at a couple of frequently asked questions and discusses common authentication methods, as well as multifactor authentication. Download this podcast and take it with you on the go, or listen to it at your desk. You can also read the full transcript below.
Elaine: Welcome to the SearchSecurityChannel.com podcast. This is Elaine Hom, Associate Features Editor. Today's podcast is a supplement to our FAQ guide on authentication. Joining me is Information Security expert and author, Russ Rogers.
Thanks for joining us today, Russ.
Russ: Thanks for having me, Elaine. It's a pleasure to be here.
Elaine: Today, we'll be discussing a couple of questions from the FAQ guide, but a little more in-depth than on the site. Russ, can you tell us why it's important to know the customer's current authentication methods?
Russ: Well, there are actually a couple of reasons why knowing what the customer is currently using is so important. Primarily, we want to understand what the customer is currently utilizing, so we can better understand their internal business processes. I think too many providers go into the customer organization with a single-minded goal to upgrade their system to the latest and greatest authentication solution. And in the best of circumstances, that would be great. But the truth of the matter is that most organizations have ingrained and embedded processes that the rest of the organization depends on, basically, on a day-to-day operational basis without understanding what's currently in place and how that impacts daily operations. We really can't ever be sure or certain how the new recommended solution upgrade will impact the customer.
Secondly, what is the customer used to regarding authentication? Is it is a Microsoft Active Directory Solution, deployed in a heavy Windows environment? Or maybe the customer is heavy on the UNIX side of the house and is using an identity management system, or an LDAP system. Understanding this environment will help the provider make recommendations that better fit into the current authentication methods used within that organization. So the closer the new solution is to the legacy system, the less impact the upgrade will have on the customer's organization.
Elaine: Great. Can you also tell us what multifactor authentication is and how it could possibly help a customer?
Russ: Well, multifactor authentication provides means for organizations to utilize multiple means for identifying an individual and authenticating their access to network and corporate information resources.
For example, in its simplest form, the network may require a user to enter just their username and a password, and maybe a random key value that's been generated by a token of some sort, and that would be in order for them to authenticate to the network. This could include solutions like the Crypto Cards or SecurID tokens which are some of the most popular.
In slightly more complex solutions, the system may require a username, password, and a proximity to authenticate to a workstation. Biometric identification scans, such as retinal scans, fingerprint scans, facial recognition, and even palm scans could also be used.
But with all these in mind, it's important to understand that the solution chosen should fit the organization and the information being protected. You know, it's not really considered efficient to utilize a full-out biometric solution on an operational network that deals strictly with information considered non-sensitive. It also wouldn't make a lot of sense to use strictly clear-text authentication mechanisms, like just a username and password, in an environment where the organization is dealing with classified or extremely sensitive customer information on a daily basis.
So multifactor authentication is important but there are levels of complexity and protection that need to be considered in the context of the customer's environment.
Elaine: And that's about all we have time for today. Thanks for joining us, Russ.
Russ: Thank you for having me, Elaine. I appreciate the opportunity to speak with your listeners.
This has been Elaine Hom of SearchSecurityChannel.com and thanks for joining us.
About the Author
Russ Rogers (CISSP, CISM, IAM, IEM, HonScD) is a globally renowned information security expert, speaker, and author. He is the author of Nessus Network Auditing, 2nd Edition as well as a co-author of Stealing the Network: How to Own a Continent, Network Security Evaluation Using the NSA IEM. Russ has worked with the United States Air Force (USAF), National Security Agency (NSA), and the Defense Information Systems Agency (DISA). Russ is currently a penetration tester and Red Team Member for Eagle Research Group.
Learn about the 11 questions to ask before buying an MFA solution and read this comparison of multifactor authentication methods.
Read our expert reviews of the latest multifactor authentication methods: br> Symantec’s Validation and ID Protection (VIP) Service
Vasco’s IDENTIKEY Server v3.6
SecureAuth IdP v8.0
CA Strong Authentication
SafeNet Authentication Service
EMC RSA Authentication Manager and SecurID
Dig Deeper on Identity Management Technology and Strategy