This podcast is a portion of SearchSecurity.com's Identity and Access Management Security School lesson, The new school of enterprise authentication. Visit the lesson and school pages for additional learning resources, or visit our Security School Course Catalog to begin other lessons.
Authentication technologies have made great strides as of late, and the timing couldn't be better: privilege creep, insider abuse and numerous other issues are causing enterprises to turn to innovative techniques to solve emerging problems. In this podcast, Mark Diodati of Burton Group will count down his top five leading edge authentication technologies, including authentication as a service, personal portable security devices, and the credit card OTP form factor.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact [email protected].
Billy: Hello, and welcome to this special SearchSecurity.com Security School podcast, brought to you by Aladdin Knowledge Systems. I'm Billy Hurley, and it's great to have you with us. Today we're going to count down the top five technologies on the leading edge of authentication. Joining us on the line is Mark Diodati, a senior analyst for Burton Group Identity and Privacy Strategies. He has more than 18 years of experience in the development and deployment of information security technologies. Thanks for being here, Mark.
Mark: Oh, my pleasure, Billy.
Authentication technology #5: Facial recognition software
Billy: Now before we get started I want to mention that this podcast is part of our identity and access management school. Okay, Mark, let's start the countdown. Technology number five: facial recognition software. Are we really there yet?
Mark: Well, it's early days for sure, and of all the five that we're going to talk about today I would characterize this one as leading edge, and it does overcome some of the personal objections to biometrics that people have with iris scans, or retina scans, or fingerprint scans, because it's pretty easy to use. Its application is primarily authentication to physical access control systems, commonly referred to in the industry as "PACS." As a result you're talking about users coming into the building and authenticating via facial recognition. It takes a second or maybe a sub-second to do it, which is a little slow compared to, say, swiping a card. So one of the things that really has to be borne out is whether the technology can support a very large organization, because think of people coming into the building at the beginning of the day needing to authenticate.
You've got to have separate booths, almost, for people to approach the facial recognition system and authenticate with their face. There's also significant infrastructure investment involved, not only at the front door, but if you've got physical access control systems, for example controllers, door panels, readers and all of that at individual doors, then you have to look at replacing all of those as well.
Authentication technology #4: HSPD12 Smart Card
Billy: Okay, continuing on, item number four in our countdown in the top five leading edge authentication technologies: the HSPD12 Smart Card.
Mark: All right, this is the Homeland Security Presidential Directive 12 smart card that was mandated by George Bush, and this is about handing a smart card (a personal identity verification card) to every federal employee and contractor. And what makes this leading edge? You may say, "well, we've been talking about smart cards for a long time," and, you know, people make the joke that this is the year of the smart card. I'll refrain from doing that. But what makes this unique is that this really is the smart card of the future. It's a card that has a single chip for storage and processing, and two interfaces: one for contact, that's the gold chip that we're all used to for smart cards, and contactless, which is RFID-style, Prox-style technology. So what makes this so leading edge is that if you can use two interfaces to a single chip, you now have some more advanced authentication capability for physical access control systems, like certificate-based authentication, like on-card biometric matching, for example. The problem with this technology is that while it's a sound technological choice for the future, it's largely incompatible with most federal agencies' physical access control systems. So the agencies are forced to implement things like multi-protocol door readers, so they have to rip out door readers, but also to actually rip out controllers, which are sort of the head and logic of a physical access control system. Or implement something like a tri-interface card, which is like a dual-interface card like HSPD12 but has legacy-style physical access control and location capabilities, so the card can be used with, for example, HID Prox-style physical access control readers, and also fits HSPD12 and FIPS 201, Federal Information Processing Standard 201, which is the standard that describes the HSPD12 card.
Authentication technology #3: Authentication as a Service
Billy: Moving on with the countdown of the top five technologies on the leading edge of authentication. Item number three: Authentication as a Service.
Mark: Yes, this one, along with the number one choice that we'll talk about, is the most recent addition to the pantheon of authentication choices. Companies like Arcot, Covisint, Ping Identity, Symplified and TriCipher have all introduced products this year that do this. It's authentication services that exist out on the cloud, so it's not hosted onsite at all. It is purchased by the enterprise and the enterprise employees do use it. It's just that the service itself is out on the cloud. It's like an Oreo cookie from an architectural perspective. The bottom layer is all the different authentication mechanisms that might be accepted into the service, and that could be a one-time password device that an employee would use, or a password. It could be integrated Windows authentication or credentials. So that's the bottom layer, the authentication that would be accepted.
The middle layer is what we could call a security token service. So its job is to take the authentication and flip it over to a token type that can be accepted, and that's the top layer. So the top layer, the token type, is about what we can log users into now. They've authenticated to the service, what can we log them into? This top layer, the token service layer, is about, okay, we'll log them into Salesforce.com, federated applications including things like Google applications, even web applications that require a username and password. So the user authenticates to the service on the cloud, and then they get access to all of these external and potentially internal applications. There has been a high degree of interest in this, particularly with small/medium business.
But large businesses also see the value of this capability because it relieves some of the burden of the authentications that they have to manage. The one problem that varies across the different vendor products is provisioning capability, which means how users are defined to the authentication as a service cloud, and some have provisioning capabilities, some don't. So, you may have additional administrative burden defining users to the authentication as a service system so that they can begin to use this capability of being able to authenticate once to access many external applications.
Billy: Is there a greater risk when authentication is provided by an outsider?
Mark: I think that's a fair question. You certainly have to look at what controls are in place for authenticating, and you need to understand not only how the authentication as a service provider is doing the authentication, but also what's happening on the other side, which is what applications the users have access to. So, for example, if you're using federation, that's great, that's secure. If you need to use username and password, so the user comes in, authenticates maybe with a one-time password device to the authentication as a service, and then they're going to try to access websites that are protected by passwords, well, now you're storing passwords. You have to determine whether those passwords are going in the clear from the authentication as a service provider and so on. You definitely have to look at and understand the internal controls that will be in place with the authentication as a service to see if they meet your needs internally.
Authentication technology #2: Card shaped one-time password devices
Billy: Okay Mark, we're getting close to the top of the list. Item number two on our countdown of the top five leading edge IAM tools. Card shaped one-time password devices. Mark, how has this improved upon problems with OTPs?
Mark: Well, OTPs remain the most prevalent strong authentication mechanism within the enterprise, there's no doubt about that. And there are reasons why that's the case. One is that the devices are truly portable; I don't need client software. There are instances where I might use a software-based one-time password device, but that isn't the majority of cases. So they're portable, they're easily managed administratively. The systems that do that are relatively mature and organizations are familiar with one-time password devices, so from a management perspective they're relatively easy to manage, relative to other things like biometrics or smart cards. Finally, they're well understood by users. They have high usability. Users understand pretty well this idea of replacing a static password with a password, and perhaps a PIN, that comes off their one-time password device.
Where these things fall down is in the consumer space, because here you're not talking about a single employee/employer relationship, where a user will typically have one one-time password device; if you're an employee you don't carry many of them. What these credit card sized devices do is they look like a credit card, they bend like a credit card, and they have the bank and the user's account number and so on on them. You can print on them, but they also have a battery and a liquid crystal display. So they function as a one-time password device. So they're portable, first of all, which makes them very easy to use. Most users carry a bank card anyway. Second, it mitigates the token necklace problem that would be prevalent in the consumer space. For example, if I bank with one or two places and then I have my investments somewhere else, you're looking at the possibility of carrying multiple one-time password devices.
Well, these card-style one-time password devices you can carry because they fit in your wallet. It's not a big deal at all. Some concerns: they're still unproven on a very large scale, specifically around battery life and durability. Are they going to survive a Minnesota winter when someone, you know, uses one as an ice scraper, for example? The other one is that the prices are still relatively high, although that continues to come down. And as that price comes down, it's going to start looking like the price of shipping these things is more expensive than the devices themselves. And then you'll start to see many more of these devices deployed. The major vendor in this space is a company called Innovative Card Technologies; they've also made some acquisitions. But they're the largest vendor in this space.
Authentication technology #1: Personal portable security devices
Billy: Okay, here we are, we've reached the top of the list. The number one technology on the leading edge of authentication is personal portable security devices.
Mark: Yes, the PPSD, and it's a USB-style smart card. You may say to yourself, "Well, I've seen or heard about those before." Well, this is relatively new technology in that the smart card chip controls access to the USB flash memory. It overcomes one of the problems and objections with smart cards, the lack of space for storing stuff. You know, maybe you have a 128K or 256K smart card. That'll store certificates and maybe a few SSL credentials, but not much more. It also overcomes the security concerns people have with USB thumb drives, because unless you put in the right PIN there's no way you're going to access what's on that flash drive with a PPSD. It just won't happen. And also, because there's a smart card present there, you have the ability to do native file encryption on the device. So it's highly tamper resistant.
So it overcomes the space objections of smart cards and the security objections of USB devices. What's exciting about these things is that it's also an authenticator, so you can put smart card credentials on it and do whatever you would ever do with smart cards and certificates. And the large storage space affords you some really interesting opportunities. For example, you can actually store a whole desktop on this. You can store a hardened web browser on it, or a complete single sign-on application, not just the credentials but the application.
And again, things like file encryption. So, users are already carrying these devices anyway. I don't know about you, Billy, but I've got three or four of them lying right here on my desk. They're already used to carrying these devices; they need them to move things around. One thing I can say about the PPSD as well is that you can set up a public and a private area, so on a four gigabyte PPSD maybe a gig of it is public, and that's freely readable just like any other USB thumb drive would be. So you can pass around PowerPoint presentations or whatever else without having to worry about authenticating to it, and the remaining three gigabytes, let's say, would be private. Some issues here: the price is still relatively high. So for organizations, and we get lots of requests for information about this, where they're saying, "well, I'm sick of paying X amount of dollars for a one-time password device. Our renewals are coming up next year, let's start looking at things like smart cards for physical and logical convergence, or these PPSD devices," the prices are still relatively high. You're looking at about a hundred bucks or so for one of them. But I would expect that price to continue to drop. And the three primary vendors in this space are Gemalto, which has got a step up on most of the other smart card organizations because they've worked so much with Microsoft and have embedded some cryptographic components within the core operating system. But there's also MXI, and the thing that MXI does that's interesting is they actually have a biometric fingerprint reader on the device. And there's a company called Privaris. Their interesting thing is that they can mix and match multiple proximity technologies, contactless technologies, to physical access control systems as well.
Billy: Mark, how much customization does an organization have regarding the user experience? In other words, could a company change security options based on its policy? And is that easy to do?
Mark: Well, it's definitely not easy to do. I think these are good questions. We talk to companies, and when they're trying to figure out an authentication strategy there are really three things that you need to look at. The first thing you need to look at is the identity assurance level that's required. This is not so much an intellectual concept as people would think. It's almost like information classification, where you go, "Well, HR. We require high identity assurance. A password won't be sufficient," or, you know, if you're actually going to administer information of consumers and change their transactions, then you need higher identity assurance than if you access the employee portal. So that first level is figuring out what your information classification is, or your identity assurance levels are. And then from there, you can derive what authentication mechanisms are required. This is the second part.
So you start looking at things like: passwords won't be sufficient. OTPs might be okay. Smart cards would certainly do the trick with certificates. And then that third area is you need to take a look at all of your applications in your environment that you want to use the stronger authentication methods with, and you have to figure out what works with them.
So, for example, biometrics might not work with everything. A certificate-based smart card will work with most of your stuff, maybe not all of it. And then OTPs will work with as much or maybe more than typical certificate-style smart card stuff, just because the technology's been around a long time. One thing we found is that organizations have to mix and match these things; there's not one single authentication mechanism that will work well with their user constituencies and the applications they have as well. So, from a policy perspective you kind of look at all of those things and you figure out what it is you need to do.
Looking at some use cases, we see organizations that move from one-time password devices to smart cards. One of the common things they might do, for example, is that rather than buy hardware-based one-time password devices, they'll actually pick up a software-based one-time password device that will be used in conjunction with the smart card to provide broader application coverage. So if I can't use a certificate and OTPs have always worked with this application, well, we won't buy a more expensive hardware one; we'll use the software one.
Billy: Mark, as we wrap things up, generally speaking, what types of companies should consider experimenting with these leading edge authentication methods? Are there particular verticals that would benefit from certain technologies?
Mark: Sure, with the facial recognition stuff, the sweet spot tends to be high-tech manufacturing, where you've got some concerns about the physical security of the things you're making, but maybe your user population doesn't typically access a workstation, or they're kind of moving around a lot. Facial recognition might be an area to take a look at. Again, it's really early times with that one. HSPD12 is obviously a federal government initiative, but the commercial industry is watching very closely, because there were some smart decisions made about the technology for HSPD12 smart cards, and now enterprises are looking at the government to figure out how they're making these work with existing PACS systems, whether they're changing systems, and what approaches have worked best.
With authentication as a service, the vendors are targeting small to medium businesses that maybe don't want to own the technology, but clearly we're aware of some very large organizations that are looking to deploy this as well, because there are benefits for pretty much everybody if you've got external applications out there like Salesforce or Google Apps, or maybe even some internal applications. The card-shaped one-time password devices are clearly the domain of the financial institutions and investment houses, where they're looking to improve the security of what they're trying to do. Also look at the compliance mandates, for example from the FFIEC (Federal Financial Institutions Examination Council), which we expect some additional guidance on.
So clearly financial institutions will be looking into that; however, some enterprises, if they've got the interest, could use this technology as well. You could certainly print a picture on it, and while the existing cards today don't have physical access control capabilities built in, it certainly isn't a leap to see that they could be built to do that. With the personal portable security device, you're looking at certain industry verticals. For example, financial services that have got a little extra money to spend, maybe have a paperwork reduction mandate so they can do some digital signing, which builds on the certificate-based stuff. Maybe they have high data breach protection needs and are concerned about data being exposed or lost, and they have a highly mobile user population. Well, a personal portable security device would overcome some of those objections, because if I leave it in the pocket of the airline seat, that data isn't recoverable. There's no way to access it unless you have the PIN or the recovery key, which would be something that an administrator would have.
Billy: Mark Diodati of Burton Group. Thanks for joining us.
Mark: Thanks, Billy.
Billy: Thanks also to our sponsor: Aladdin Knowledge Systems. You can also listen to more of our podcasts by visiting our podcast page at SearchSecurity.com/podcast. I'm Billy Hurley. Thanks for joining us. Have a great day.
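The "Oreo cookie" architecture Mark describes for authentication as a service (an accepted credential at the bottom, a security token service in the middle, a token the target application trusts on top) and the one-time password device discussion can be made concrete in code. The following is an added example, not code from the podcast, from Burton Group, or from any vendor named above. It implements RFC 4226 HOTP (the event-based OTP used by hardware tokens) with a look-ahead window and forward-only counter so a captured code cannot be replayed, then a minimal token service that mints an HMAC-signed, audience-bound, expiring token for a relying application, and the relying application's check of that token. The seed is the RFC 4226 test vector key, the signing key, user name and audience are assumed names for illustration, and the token format is a deliberately simple stand-in for SAML or similar federation tokens, not a real product's format.

```python
import base64
import hashlib
import hmac
import json
import struct
import time

# RFC 4226 Appendix D test-vector secret; used here only so results are checkable.
TEST_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenRecord:
    """Server-side state for one enrolled OTP device: its seed and the next expected counter."""

    def __init__(self, seed: bytes, counter: int = 0):
        self.seed = seed
        self.counter = counter


def verify_hotp(record: TokenRecord, submitted: str, window: int = 10) -> bool:
    """Accept a code from the next `window` counters (device may have been pressed
    without logging in); on success move the counter past the used value so the same
    code can never be accepted twice (replay protection)."""
    for c in range(record.counter, record.counter + window):
        if hmac.compare_digest(hotp(record.seed, c), submitted):
            record.counter = c + 1
            return True
    return False


class AuthService:
    """Bottom and middle layers: verify the OTP, then mint a token for the top layer."""

    def __init__(self, signing_key: bytes):
        self.signing_key = signing_key   # assumed key shared with relying applications
        self.users = {}

    def enroll(self, username: str, seed: bytes) -> None:
        self.users[username] = TokenRecord(seed)

    def authenticate(self, username: str, otp: str, audience: str, now=None, ttl: int = 300):
        """Return a signed token for `audience`, or None if the OTP is rejected."""
        record = self.users.get(username)
        if record is None or not verify_hotp(record, otp):
            return None
        now = int(time.time()) if now is None else now
        payload = {"sub": username, "aud": audience, "iat": now, "exp": now + ttl, "amr": "otp"}
        return self._sign(payload)

    def _sign(self, payload: dict) -> str:
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).rstrip(b"=")
        sig = hmac.new(self.signing_key, body, hashlib.sha256).digest()
        return body.decode() + "." + base64.urlsafe_b64encode(sig).rstrip(b"=").decode()


def verify_token(token: str, signing_key: bytes, audience: str, now=None):
    """Top layer (relying application): check signature, audience and expiry.
    Returns the authenticated subject, or None on any failure."""
    try:
        body, sig = token.split(".")
        got = base64.urlsafe_b64decode(sig + "=" * (-len(sig) % 4))
        raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except ValueError:
        return None
    expected = hmac.new(signing_key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, got):
        return None
    payload = json.loads(raw)
    now = int(time.time()) if now is None else now
    if payload.get("aud") != audience or payload.get("exp", 0) <= now:
        return None
    return payload.get("sub")


if __name__ == "__main__":
    svc = AuthService(b"example-sts-signing-key")   # assumed key
    svc.enroll("alice", TEST_SEED)                  # assumed user
    token = svc.authenticate("alice", hotp(TEST_SEED, 0), "crm.example")  # assumed audience
    print("relying app sees subject:", verify_token(token, b"example-sts-signing-key", "crm.example"))
    print("replay accepted?", svc.authenticate("alice", hotp(TEST_SEED, 0), "crm.example") is not None)
```

The two controls Mark raises for an outsourced authenticator are both visible here: the relying application never sees the OTP or any password, only a token bound to its own audience, and the service rejects a code once its counter has been consumed, so a code captured in transit is useless afterwards. What the example does not cover, and what the interview flags, is the case where the target application only takes a username and password; then the service must store and forward that secret, and the transport it uses for that forwarding becomes part of the audit.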
About the Speaker
Mark Diodati is currently the Conference Chair, Cloud Identity Summit and Technical Director, Office of the CTO, for Ping Identity.