“Into Africa” – authentication and public safety
SECURITY | Oct. 4, 2013, 10:12 a.m.
In the fourth article of the series on information security, Eren Ramdhani, solution strategist – security, CA Southern Africa, explores the public safety issues facing Africa’s emerging markets, and the role of authentication.
Africa is no stranger to the risk of terror attacks. Recent events on the continent highlight that a wide gap remains between digital security and physical security, and it is of paramount importance that safety and security decision makers focus on bridging this divide.
Solutions that will unify physical and logical access in a single platform are now available to organisations that require stronger authentication. Strong authentication tokens that can be used from any access point – inside or outside the network, online or offline – are also entering the market.
In this final article in this series I will recap some of the key points and also discuss the renewed market focus on strong authentication.
Some of the salient points from the previous articles include ensuring that a strong identity and provisioning framework is set up as the foundational component of the information security management system. Once provisioning and user life cycle management are addressed, the next step should be an accurate, efficient and up-to-date authorisation model that centrally enforces decisions on enterprise-wide, granular system access. The output of this exercise will also feed the creation of data loss prevention policies. It is crucial that any changes to system access levels and the associated security policies are maintained frequently, and attested to, by business and system owners.
Identity and access management (IAM) programmes involving user provisioning frequently introduce significant business-process change and rationalisation across multiple business units and geographies. This can make IAM projects ‘politically’ difficult and expensive, which in turn makes senior executive commitment essential. Large-scale IAM programmes – involving tens of thousands of users, multiple business units and several geographical locations – inevitably concern business processes more than technology, which makes experience and track record a critical success factor. Enterprises with limited IAM project experience should rely on a trusted advisor and partner who has taken several IAM projects from initiation through to execution. That experience should also be applied to the human element: user adoption is a function of user awareness and consistent change management, reinforcing the merits of the security strategy in easy-to-understand terminology.
With most organisations now reaching higher levels of security maturity, many are addressing identification, authorisation and advanced authentication mechanisms concurrently. This reflects the fact that IT is now under immense pressure from the business to implement the technologies that have been researched and evaluated, as many business stakeholders understand the value of having these capabilities in place.
Strong multifactor authentication that combines two or more forms of one factor with a second factor is a good option, particularly where “something you know” and “something you have” are paired in two-factor authentication. An example is logging into a portal using a simple password. When the user then attempts a transaction of higher sensitivity or financial value that requires more security, the user launches an app on a smartphone and enters a secret PIN to generate a one-time password (OTP) on the mobile device itself. In this case the user is presenting two forms of something known – the password and the PIN – and one form of something in their physical possession, the mobile device. With a self-generated OTP, the authentication process is less susceptible to brute force attacks and, more importantly, to SIM swaps. Given the ubiquity of mobile devices, this type of multifactor authentication strikes a good balance between risk mitigation, productivity and convenience, and is seamless and unobtrusive in nature.
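The PIN-unlocked, device-generated OTP described above, as an added example that is not part of the original article and not CA's product code. It implements standard HOTP/TOTP (RFC 4226 / RFC 6238) and a server-side verifier that rate-limits guesses and refuses replayed codes; the `derive_seed` binding of the PIN to the OTP seed is a hypothetical scheme chosen for illustration (a wrong PIN yields a different but plausible seed, so PIN guesses cannot be tested offline on a stolen phone), and the device secret, PIN and timestamp are constructed values.

```python
"""Device-generated OTP unlocked by a PIN, verified server-side with
rate limiting and replay protection (HOTP per RFC 4226, TOTP per RFC 6238)."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second step."""
    return hotp(secret, int(unix_time) // STEP_SECONDS, digits)


def derive_seed(device_secret: bytes, pin: str) -> bytes:
    """Hypothetical PIN-binding scheme (an assumption of this example, not a standard):
    the OTP seed is an HMAC of the user's PIN under a per-device secret. A wrong PIN
    produces a different but plausible seed, so an attacker holding the phone cannot
    check PIN guesses offline; only the (rate-limited) server can judge the OTP."""
    return hmac.new(device_secret, pin.encode("utf-8"), hashlib.sha256).digest()


class OtpVerifier:
    """Server-side state for one user: seed, clock-drift window, lockout, replay guard."""

    def __init__(self, seed: bytes, window_steps: int = 1, max_failures: int = 5):
        self.seed = seed
        self.window_steps = window_steps
        self.max_failures = max_failures
        self.failures = 0
        self.last_counter = -1  # highest time-step counter accepted so far

    def verify(self, code: str, unix_time: int) -> str:
        """Return 'ok', 'locked' (too many failures) or 'rejected'."""
        if self.failures >= self.max_failures:
            return "locked"
        base = int(unix_time) // STEP_SECONDS
        for counter in range(base - self.window_steps, base + self.window_steps + 1):
            # Constant-time comparison; a counter may be accepted only once (no replay).
            expected = hotp(self.seed, counter).encode("ascii")
            if counter > self.last_counter and hmac.compare_digest(expected, code.encode("utf-8")):
                self.last_counter = counter
                self.failures = 0
                return "ok"
        self.failures += 1
        return "rejected"


if __name__ == "__main__":
    device_secret = b"\x01" * 32        # constructed per-device secret, provisioned at enrollment
    seed = derive_seed(device_secret, "4711")
    verifier = OtpVerifier(seed)        # the server stored the same seed at enrollment (assumed)
    now = 1380881520                    # constructed timestamp
    code = totp(seed, now)
    print("correct PIN  :", code, "->", verifier.verify(code, now))
    print("replayed code:", code, "->", verifier.verify(code, now))
    wrong = totp(derive_seed(device_secret, "0000"), now)
    print("wrong PIN    :", wrong, "->", verifier.verify(wrong, now))
```

The lockout counter and the one-use-per-counter rule are what make the scheme resistant to online brute force and replay; the PIN binding is what removes the offline oracle a stolen device would otherwise provide.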
Two additional considerations are secure software-based certificates and tokens – where the cost and distribution of physical tokens are prohibitive – and risk-profiled, pattern-based authentication. With risk-based authentication it is now possible to provide more security, transparently and seamlessly, by fingerprinting a user’s device and identifying out-of-pattern behaviour on a given system. An example is tracking a user’s geolocation to quickly recognise “zone hopping”, where changes to a user’s IP address and subnet place the user at opposite ends of the globe within a few minutes, which is physically impossible and a typical symptom of an account being hacked. Pairing users to their devices in this way makes it possible either to block a transaction or to request a stronger form of authentication when out-of-pattern behaviour is identified.
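The device-pairing and zone-hopping check described above, as an added example that is not part of the original article and not a description of any CA product. It scores each login against the user's history using a device fingerprint and the travel speed implied by successive geolocations, and maps the result to allow, step-up or block; the 1000 km/h threshold, the assumption that the device fingerprint hash and IP geolocation are already computed upstream, and the login events are all constructed for this example.

```python
"""Risk-based authentication: pair users to devices and detect impossible travel,
then decide allow / step-up / block (assumed policy, constructed sample data)."""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAX_PLAUSIBLE_KMH = 1000.0  # faster than a commercial flight: treat as impossible travel


@dataclass
class LoginEvent:
    user: str
    ts: int           # unix seconds
    ip: str
    lat: float        # assumed to come from IP geolocation upstream
    lon: float
    device_fp: str    # assumed hash of device attributes, computed upstream


@dataclass
class UserHistory:
    known_devices: Set[str] = field(default_factory=set)
    last_event: Optional[LoginEvent] = None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def implied_speed_kmh(prev: LoginEvent, cur: LoginEvent) -> float:
    hours = max(cur.ts - prev.ts, 1) / 3600.0  # never divide by zero on same-second events
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours


def assess(history: UserHistory, ev: LoginEvent) -> Tuple[str, List[str]]:
    """Return (decision, reasons). Policy (an assumption of this example):
    unknown device OR impossible travel -> step-up; both together -> block."""
    reasons: List[str] = []
    if ev.device_fp not in history.known_devices:
        reasons.append("new-device")
    if history.last_event is not None:
        speed = implied_speed_kmh(history.last_event, ev)
        if speed > MAX_PLAUSIBLE_KMH:
            reasons.append("impossible-travel:%.0fkm/h" % speed)
    if len(reasons) == 2:
        return "block", reasons
    if reasons:
        return "step-up", reasons
    return "allow", reasons


def evaluate_stream(events: List[LoginEvent]) -> List[Tuple[str, List[str]]]:
    """Run the policy over an ordered login stream, updating per-user history."""
    histories: Dict[str, UserHistory] = {}
    results = []
    for ev in events:
        hist = histories.setdefault(ev.user, UserHistory())
        decision, reasons = assess(hist, ev)
        results.append((decision, reasons))
        if decision != "block":
            # Assumption: the step-up challenge succeeded, so the device becomes trusted.
            # A blocked login never updates history, so an attacker cannot reset the baseline.
            hist.known_devices.add(ev.device_fp)
            hist.last_event = ev
    return results


# Constructed sample: Johannesburg, Johannesburg, Cape Town 3 h later (a real flight),
# then "London" from a new device 10 minutes later, then Cape Town again.
JHB, CPT, LON = (-26.2041, 28.0473), (-33.9249, 18.4241), (51.5074, -0.1278)
SAMPLE_EVENTS = [
    LoginEvent("thandi", 1380880000, "196.0.2.10", *JHB, "fp-A"),
    LoginEvent("thandi", 1380883600, "196.0.2.10", *JHB, "fp-A"),
    LoginEvent("thandi", 1380894400, "196.0.3.77", *CPT, "fp-A"),
    LoginEvent("thandi", 1380895000, "203.0.113.5", *LON, "fp-Z"),
    LoginEvent("thandi", 1380895600, "196.0.3.77", *CPT, "fp-A"),
]

if __name__ == "__main__":
    for ev, (decision, reasons) in zip(SAMPLE_EVENTS, evaluate_stream(SAMPLE_EVENTS)):
        print(ev.ts, ev.ip, ev.device_fp, "->", decision, reasons)
```

The first login is always a step-up because no device is paired yet; the flight to Cape Town passes because 1260 km in three hours is plausible; the London login from an unknown device minutes later fails both checks and is blocked without becoming part of the user's baseline.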
Mobility, underpinned by concepts like “bring your own device” and “bring your own identity”, brings several benefits but also introduces significant challenges. Organisations in African countries will generally adopt, and quickly succeed at, mobile application development where they are not tied down by integration issues between legacy and multi-platform environments. This means that service-oriented development methodologies and frameworks that centrally manage and secure web services and mobile application programming interfaces (APIs) will be the de facto approach.
This will ensure that subscription-based, metric-measured services promote re-usability, agility and quicker time-to-market cycles for innovative new products, and will align with DevOps initiatives by shortening testing cycles, which are generally expensive. Service-enabling an organisation’s current systems into open, interoperable data exchange formats – by decoupling them into discrete or composite web services – will ensure that cloud, SaaS and mobility initiatives are unified by leveraging the metadata in the IAM authorisation framework, which describes the lower-level objects, functions and procedures in business terms. This touch point is often overlooked because the security and service-oriented architecture (SOA) functions frequently sit in different teams with differing priorities, even though they work toward the same goals. Alignment needs to be driven by senior management.
In closing this series, it is of the utmost importance to mention that responsibility ultimately lies with the chief information officer to create the platform for collaboration between the various business, infrastructure and development teams, aligned to a unified tactical and strategic roadmap. Today’s chief security officer is a critical business-enablement function, as information security initiatives cut across the various silos in an organisation, and the inhibitive security of yesteryear, perceived as “No”, will in this day and age make way for the “know”. Identity authenticity will be considered the new network perimeter; the old perimeter is slowly dissolving as consumerisation warrants access from anywhere at any time, making firewalls far too porous to be considered the primary security measure.
There is already a shift in the focus of the CIO, from predominantly dealing with incidents, outages and cost of ownership to focusing on innovation, re-usability, customer experience, service levels and business agility, in order to quickly capture market share by pre-empting customer requirements for innovative products. IT at the speed of business, and business at the speed of thought, is only possible when deep visibility into physical, financial and information assets is available, including the complex relationships between them. Discovery and visibility are a definite spin-off from security initiatives that are prioritised, committed to and funded on the basis of risk mitigation. Organisations that foster mature, collaborative information security management practices are already reaping the rewards from a business agility perspective.