Search This Blog

Wednesday, February 6, 2008

Strategic Security: Get a Handle on Authentication

It's a common dilemma: You host multiple Web-accessible applications,
for both internal customers and external users. A few of your developers
are keeping up on the last programming trends and security models, while
some of your highest-seniority employees are stuck in programming models
outdated a decade ago. You've got a hodgepodge of access and
authentication methods, along with a lot of client-server interaction,
and a little bit of Web services and SOA, as well as Citrix or Terminal
Services thrown in. There are even a few people still dialing in on phone
lines to access dumb terminal-based applications. Truth be told, if
someone asked what you thought of the situation, you'd reply it's a deck
of cards just waiting to be pushed over by the right inquisitive hacker.
You've got to get control of your applications and authentication models,
so where do you start and what do you do? There are six broad areas that
you'll need to address: education, strategy, standardization, policies,
remediation, and retirement. Education: educate people about the various
authentication components. Essentially, you want to explain identity,
authentication, authorization, and access control (and accounting/auditing),
or simply AAA, as parts of a systematic process, each of which can be
accomplished using various methods. And you want to push for more maturity
on each of those concepts. If single users end up with multiple identities,
you need an identity management system (or maybe federated identities,
if multiple companies are involved). You want to move authentication from
passwords to something more sophisticated, such as two-factor
authentication. You want to move access control from Discretionary Access
Controls (DAC) to client-server impersonation and eventually Role-Based
Access Control (RBAC). Finally, the data you protect must be categorized
according to sensitivity and protected accordingly...

No comments: