Here we focus on Authentication capabilities as a critical Security Operations responsibility for three main reasons:
· First, no Identity (subject or object, person or non-person) can be trusted without some level of Authentication. All Access Control decisions rely directly upon whether a subject’s identity is trusted.
· Second, despite a range of advanced solutions available today, many users and organizations remain notoriously bad at implementing/enforcing Authentication controls (e.g., strong, unique passwords).
· And third, compromised credentials remain one of the most serious challenges to maintaining information security (confidentiality and integrity) and mitigating risk.
If Authentication is such a linchpin of the Security Operations mission (protecting the organization), then Authentication Management capabilities warrant significant attention.
Of course, the most familiar challenge to implementing strong Authentication techniques and technologies remains User Convenience. The more complex Authentication becomes, the more resistance Users have.
Single-factor Authentication (SFA) approaches (e.g., strong passwords, PINs, or a combination of both) are easier to manage and more convenient for Users, but have repeatedly proven insufficient to protect against even low-skilled attackers. More advanced Authentication protocols, such as Kerberos, have helped to enable Single Sign On (SSO) while defending against commodity threats such as eavesdropping and replay attacks. But most of those still inherently rely on a single factor for the initial, local User authentication.
Multi-factor Authentication (MFA) mechanisms such as Public Key Infrastructure (PKI) are certainly a stronger approach to Authentication, but demand significantly more management overhead. The same has proven true for most biometric MFA solutions, where registration is burdensome and stolen biometric credentials cannot simply be re-provisioned. However, MFA has become increasingly feasible in recent years as newer solutions prove to be more manageable by taking advantage of things that Users, such as remote customers, already “have” (e.g., cell phones, fingerprinted devices, etc.) or “are” (e.g., location). Registration of these credentials is still tedious, but doesn’t typically require the cost and physical provisioning of special equipment such as smart cards or tokens.
Regardless of the Authentication mechanisms selected, from passwords and user tokens to digital certificates, Authentication is the root of all Access Control decisions, and Security Operations teams must deal with the non-trivial administrative task of granting and revoking credentials, for the ever-growing number of subjects in their environment, on a daily basis. This requires credentialing capabilities that can handle a diverse set of credentials for the full range of person and non-person entities in their environment.