Cheat sheet: Access management solutions and their pros and cons

There are a number of different access management solutions available to security and IT managers these days, and the list keeps growing. The following is a cheat sheet of the most common solutions with a brief description, and their risks and pros and cons to help you choose the solution that is right for your organization.

Each entry below names the solution, describes its risks and risk level, and lists its pros and cons.

User IDs and Passwords

Risks: If not properly managed or protected, user IDs and passwords can be easily stolen and provide easy access to your network or systems.

Risk Level: HIGH

Pros:
  • Easy to implement and commonly used for both network and system access.
  • Users are more familiar with user ID and password systems than with any other authentication system.

Cons:
  • Passwords can be guessed if based on common words or names.
  • User IDs and passwords can be easily stolen with freely available hacking tools, or by Trojans and keystroke loggers.
Key Fobs and One Time Password (OTP) Tokens

Risks: If the value on the OTP token is stolen after a user ID and password are stolen, as in a Man-In-The-Middle (MITM) attack, system access could be compromised.

Risk Level: MEDIUM

Pros:
  • Easy-to-use system requiring only a small token displaying a changing PIN or password.
  • Provides an extra layer of security to a user ID and password. Like a user ID and password, can be used for both network and system access.

Cons:
  • Can require significant development effort and additional hardware to implement.
  • Proliferation of tokens for multiple systems can be a problem.
  • Susceptible to MITM attacks.
  • If the user ID and password are compromised and then the token stolen, a malicious user has full access to the system.
Smart Cards

Risks: The possibility of tampering with the card's chip to get user information or login credentials.

Risk Level: LOW

Pros:
  • Smart Cards are portable and easy to integrate into a two-factor authentication system. They can be used for either network or system access.
  • They can safely hold and store lots of data, including encryption keys and other user authentication information.

Cons:
  • Still not widely used because of the effort and cost to install readers on users' desktops.
  • There are tools that can sift data and authentication credentials from stolen Smart Cards.
Biometrics

Risks: In the case of fingerprint scanners, the possibility of copying the user's fingerprint. There's also the possibility of replaying the stored digital data representing the biometric reading.

Risk Level: LOW

Pros:
  • One of the strongest access management technologies: it's nearly impossible to steal someone's iris scan, face pattern or fingerprint.
  • Best used as the second factor in a two-factor system to augment a user ID/password or Smart Card system.
  • Best used for physical access to a system, but use is increasing as a stand-alone authentication system for network or system access.

Cons:
  • Requires significant hardware cost to implement.
  • The technology still isn't foolproof and is subject to false readings.
Digital Certificates (DC)

Risks: DCs stored on a user's desktop can be stolen or spoofed.

Risk Level: MEDIUM

Pros:
  • Behind-the-scenes system that is passive and invisible to the user.
  • Requires no action on the user's part.

Cons:
  • The distribution and implementation of DCs can be costly and require the setup of an internal PKI system.
VPNs

Risks: Though secure, the connection can also be an encrypted tunnel for malware if the PC connecting to the corporate network isn't secure.

Risk Level: LOW

Pros:
  • Provides a highly secure and encrypted private tunnel for connecting to the corporate network through the Internet.
  • Proven technology with a choice of vendors offering reliable implementations.

Cons:
  • Can just as easily be a secure connection for malware from an infected PC connecting from outside the network.
  • If not configured properly for laptop users, a stolen laptop can be used for network access.
SSL

Risks: Credentials can sometimes be stolen in a MITM attack using a proxy server.

Risk Level: LOW

Pros:
  • Proven technology with strong 128-bit encryption for transactions from Web sites.

Cons:
  • On rare occasions, SSL has had vulnerabilities that hackers can take advantage of.
  • Only encrypts the transmission itself and not the data flowing through the SSL tunnel, allowing malware, as well, to be sent "securely" to the Web application server.
Two-Factor Authentication

Risks: The rare possibility that both of the two authentication methods are cracked simultaneously.

Risk Level: LOW

Pros:
  • Provides an extra layer of protection by requiring two types of authentication, for example a user ID and password plus an OTP token. If one is breached, the other is still intact and provides protection.

Cons:
  • Requires additional software or hardware to set up two different authentication systems working in tandem.
Single Sign On (SSO)

Risks: If the user ID and password to the SSO system are stolen, multiple systems accessed by the SSO system could be compromised.

Risk Level: MEDIUM

Pros:
  • Easy-to-use system that requires only one password to access multiple systems, replacing separate passwords for each system.

Cons:
  • If compromised, the attacker has the keys to the entire castle.
  • Requires costly software and hardware installations and upgrades.
  • Since it basically uses a single user ID and password, it has the same potential to be hacked as a user ID and password.

About the author
Joel Dubin, CISSP, is an independent computer security consultant based in Chicago. He is an expert on Web and application security and the author of The Little Black Book of Computer Security available on Amazon.

This was first published in January 2006
