One of the notable aspects of virtualization is the presence of heterogeneous networks with diversified devices, platforms, and OSes. Desktops and laptops have been accompanied by and sometimes replaced with tablets and smartphones. In addition, a variety of devices such as Chromebooks, Raspberry Pi, and wearables came into the network. The Internet of Things has […]
The post Here’s Everything You Should Know About Two-Factor Authentication appeared first on Parallels Blog.
By Andi Mann, Vice President, Strategic Solutions at CA
Cloud computing, mobility, and the Internet of Things are leading us towards a more technology-driven world. In my last blog, I wrote about how the Internet of Things will change our everyday lives, but with these new technologies comes new risks to the organization.
To understand how recent trends are shifting security, let’s revisit the golden age of hacking movies from the ‘80s and ‘90s. A recent post by Alexis Madrigal of The Atlantic sums up this era of Hollywood hackers by saying that “the mainframe was unhackable unless [the hackers] were in the room, in which case, it was simple.” That’s not far off from how IT security was structured in those years. Enterprises secured data by keeping everything inside a corporate firewall and only granting accessed to employees within the perimeter. Typically, the perimeter extended as far as the walls of the building.
When the cloud emerged on the scene, every IT professional said that it was too risky and introduced too many points of vulnerability. They weren’t wrong, but the advantages of the cloud, such as increased productivity, collaboration, and innovation, weren’t about to be ignored by the business. If the IT department just said no to cloud, the business could go elsewhere for their IT services – after all, the cloud doesn’t care who signs the checks. In fact, a recent survey revealed that in 60% of organizations, the business occasionally “circumvents IT and purchases technology on their own to support a project,” a practice commonly referred to as rogue IT, and another recent study found a direct correlation between rogue IT and data loss. This is obviously something that the IT department can’t ignore.
Identity is the New Perimeter
The proliferation of cloud connected devices and users accessing data from outside the firewall demands a shift in the way we secure data. Security is no longer about locking down the perimeter – it’s about understanding who is accessing the information and the data they’re allowed to access. IT needs to implement an identity-centric approach to secure data, but according to a recent Ponemon study, only 29% of organizations are confident that they can authenticate users in the cloud. At first glance, that appears to be a shockingly low number, but if you think about it, how do you verify identity? Usernames and passwords, while still the norm, are not sufficient to prove identity and sure, you can identify a device connected to the network, but can you verify the identity of the person using the device?
In a recent @CloudCommons tweetchat on cloud security, the issue of proving the identity of cloud users kept cropping up:
Today’s hackers don’t need to break into your data center to steal your data. They just need an access point and your username and password. That’s why identity and access management is such a critical component of IT security. New technologies are emerging to meet the security challenge, such as strong authentication software that analyzes risk and looks for irregularities when a user tries to access data. If a user tries to access data from a new device, the strong authentication software will recognize that it’s a new device and extra authentication flows kick in that require the user to further verify their identity.
What IT should be doing now to secure identity
To take advantage of cloud computing, mobility, and the Internet of Things in a secure way, the IT department needs to implement these types of new and innovative technologies that focus on verifying identity. In addition to implementing new technologies, the IT department needs to enact a broader cloud and mobile device strategy that puts the right policies and procedures in place and focuses on educating employees to minimize risk. Those in charge of IT security must also establish a trust framework that enforces how you identify, secure and authenticate new employees and devices.
Cloud computing, mobile devices, and the Internet of Things can’t be ignored by IT and the sooner a trust framework and a cloud security strategy is established, the sooner your organization can take advantage of new and innovative technologies, allowing the business to reap the benefits of cloud, mobile, and the Internet of Things, while keeping the data safe and sound. And to me, that sounds like a blockbuster for IT.
Andi Mann is vice president of Strategic Solutions at CA Technologies. With over 25 years’ experience across four continents, Andi has deep expertise of enterprise software on cloud, mainframe, midrange, server and desktop systems. Andi has worked within IT for global corporations, with software vendors, and as a leading industry analyst. He has been published in the New York Times, USA Today, Forbes, CIO, Wall Street Journal, and more, and has presented worldwide on virtualization, cloud, automation, and IT management. Andi is a co-author of the popular handbook, ‘Visible Ops – Private Cloud’, and the IT leader’s guide to business innovation, ‘The Innovative CIO’. He blogs at https://pleasediscuss.com/andimann and tweets as @AndiMann.
SafeNet, Inc. today announced the immediate availability of SafeNet Authentication Service, a new cloud-based authentication service. The cloud authentication solution was designed and engineered specifically for the service provider environment and allows service providers to rapidly introduce authentication-as-a-service to their enterprise customers. By doing so, it enables service providers to increase their average revenue per user (ARPU), significantly reduce the cost and complexity associated with offering and implementing strong authentication, and strengthen their security and compliance posture.
SafeNet Authentication Service extends the company’s portfolio of two-factor authentication solutions, providing enterprise and government organizations with choice and flexibility to best customize their authentication solutions to meet current and future security needs.
SafeNet Authentication Service’s automated, customizable cloud platform can reduce authentication-related operational costs through the elimination of manual tasks associated with the provisioning, administration, billing, and management of users and tokens. Service providers can manage their customers from a multi-tier, multi-tenant platform that is vendor-agnostic and will work with an organization’s existing token technology, enabling a quick migration to a centralized cloud environment with minimal disruption to end users. In addition, the service can be white-label branded and completely customizable to the service provider’s needs, enhancing the service brand and overall awareness. In addition, the platform is highly scalable, which enables service providers to accommodate a growing number of customers added to the service without requiring costly infrastructure upgrades.
Strong authentication has also become a major challenge for today’s “extended enterprise,” in which remote employees, partners, customers, and other third parties require access to an organization’s systems, applications, and data. With no infrastructure required, enterprises can quickly turn to service providers for SafeNet Authentication Service to simplify the implementation of strong authentication in this environment—providing “security without borders” from a fully automated, high-assurance, trusted cloud environment.
In addition, SafeNet Authentication Service enables service providers to free up their customer’s IT staff to focus on higher-value activities. By doing so, this automation facilitates real-time policy application to ensure regulatory compliance and improved business efficiency.
According to Chris Morales of the 451 Research Group, “The consumerization of IT, the adoption of mobile computing and SaaS applications, and the incipient growth of desktop virtualization places identity front and center of emerging security and management concerns. As identity assumes more centrality for IT (in terms of both industry and organizational function) in coming to terms with these trends, securing the integrity of the identity assertion, characterizing it in terms of risk assessment, and supplementing (or supplanting) user name and password comprise the initial set of security hurdles. Also, as enterprises and organizations assess the requirements for authentication against the cost and flexibility of the options available from incumbent vendors, authentication-as-a-service, and new form factors or channels such as smartphone tokens and one-time passwords delivered as an SMS have gained in appeal.”
SafeNet Authentication Service reflects the combined offering resulting from SafeNet’s acquisition of Cryptocard in March 2012. This new service combines SafeNet’s market-leading authentication solutions with Cryptocard’s innovative, scalable, and flexible platform.
The use of two-factor authentication has been around for years, but the recent addition of this security feature in cloud services from Google and Dropbox has drawn widespread attention. The Dropbox offering came just two months after a well-publicized security breach at their online file sharing service.
Exactly What Is Two-Factor Authentication?
Of course, most online applications require a user name and password in order to log on. Much has been written about the importance of managing your passwords carefully. However, simple password protection only goes so far.
Two-factor authentication involves not only the use of something the user knows such as a password, but also something that only the user has. An intruder can no longer gain access to the system simply by illicitly obtaining your password.
Authentication Tools
Yahoo! Mail and Facebook are also introducing two-factor authentication using smart phones. However, their methodology only prompts the user to enter the security code if a security breach is suspected or a new device is used.
So What’s Next?
Cloud security is a hot topic and two-factor authentication is one way to mitigate users’ well founded concerns. As a result, development and adoption of two-factor authentication systems is proceeding at a rapid pace and should be available for most cloud applications within just a few short years.
The shift from token based authentication to SMS based authentication is also likely to accelerate along with smart phone use.
Two-factor and even three-factor authentication using biometrics will become more popular. Finger print readers are already quite common on laptop computers. Use of facial recognition, voice recognition, hand geometry, retina scans, etc. will become more common as the technology develops and the price drops. The obvious advantage of these biometric systems is that the physical device cannot be stolen or otherwise used by a third party to gain access to the system.
As with any security system, two-factor authentication is not 100% secure. Even token systems have been hacked and there is no doubt that there will be breaches in SMS authentication tools as well. However, two-factor authentication still provides the best way to stay safe in the cloud and it’s advisable to use it whenever possible.
This post is by Rackspace blogger Thomas Parent. Rackspace Hosting is a service leader in cloud computing, and a founder of OpenStack, an open source cloud operating system. The San Antonio-based company provides Fanatical Support to its customers and partners, across a portfolio of IT services, including Managed Hosting and Cloud Computing.