Page 86 - Security Today, September 2017

High Assurance Credentialing
Moving to higher ground within the commercial enterprise space
By Gerald Hubbard
Recent cyberattacks highlight the need to know who you are interacting with in email and online activities, and who you grant access to your networks and physical facilities. Technology exists and is validated with large scale deployments that can reduce risk of cyberattacks and unauthorized breaches. The use of biometrics in user authentication is becoming more common and enables the positive identification of individuals prior to giving access rights or conveying trust in communications.
Commercial organizations can leverage this technology, proven and supported by rigorous standards, to move beyond “flash passes” for building access or simple user names and passwords for network access.
The End of “User Name and Password” Identification
Data breaches can be detrimental—and extremely costly—to any enterprise organization. Such breaches commonly occur when the identity of an employee, executive or partner/vendor is compromised. Attackers may use phishing approaches to get an initial user’s credentials, at which point they have a foothold to begin working internally to breach their ultimate target—for example, databases, email accounts or cryptographic keys. Once an attacker has an in, they can plant malware on enterprise devices or even use the organization’s own admin tools against them to operate under the radar of IT’s cyber security solutions.
The rising prevalence of outsourcing, bring-your-own-device (BYOD) and remote access has made it even more difficult for enterprises to protect their networks. According to the 2016 “Data Risk in the Third-Party Ecosystem” survey conducted by the Ponemon Institute¹, 49 percent of organizations surveyed have experienced a data breach caused by a third-party vendor that resulted in the misuse of sensitive or confidential information (an additional 16 percent were unsure if they have), and 34 percent have experienced a data breach caused by a cyberattack that resulted in the misuse of sensitive or confidential information (an additional 30 percent were unsure if they have). Only 41 percent of respondents felt their vendors’ data safeguards and security policies and procedures are sufficient to respond effectively to a data breach.
The standard “user name and password” approach to credentialing is no longer sufficient to protect against the threat of unauthorized access and, ultimately, damaging breaches. High assurance credentials incorporating multi-factor authentication (MFA) methods are the best way to decrease risk and improve trust in an organization’s ability to secure critical infrastructure.
The Emergence of Biometric Modalities
Strong MFA solutions require verification of a combination of identifiers. For two-factor validation, a physical token (keycard, USB dongle) is typically combined with a PIN to allow access. A third factor can be added using biometric identifiers (facial recognition, fingerprints, etc.) to elevate the security level of assurance for even greater access control.
Commercial Identification Verification (CIV) can be provided at this level of security using smart cards that combine identifiers such as a photo ID with MFA for physical and logical access, secure digital signature recognition for non-repudiation, and a secure audit trail of enterprise activities. Secure document, transaction and data flow can be assured with session key encryption utilizing a CIV that meets FIPS201 and OMB11-11 specifications. Many vendors now support standardized products for new deployments and for transitioning legacy systems to support high assurance credential usage.
Capturing Biometric Data
Biometric live capture enrollment is an emerging technological approach used in both commercial and government settings to collect and analyze some of these types of identifiers and bind them to a spe-