SlideShare une entreprise Scribd logo

User Auth Best Practices: Put Control Where It Belongs

SafeNet
SafeNet

The document outlines best practices for user authentication based on recent high-profile security breaches. It recommends implementing a layered authentication approach that matches the solution to business needs and risk levels, and includes technologies like one-time passwords and certificate-based authentication. Strong password policies and key management practices are also advised to securely store authentication data. Context-based authentication can complement other methods as part of a comprehensive security framework.

Technologie
1  sur  5
Télécharger pour lire hors ligne
Authentication Best Practices: Put Control Where It Belongs WHITEPAPER A significant number of high profile security breaches have occurred recently, bringing the Benefits of a Fully organizations affected to the front pages of the business press. These events have had Trusted Authentication a negative impact on the public image of these companies, and may also have a harmful Environment: effect on their business. These incidents have caused the CIOs of many companies to re- • Enables customers to create evaluate their info-security strategy in general, while also placing specific focus on their user their own token data, and authentication and transaction security requirements. retain control of security data and policies These breaches are a reminder that any company may become the target of an attack for its • Offers additional layers of customer, financial, and other confidential data, as well as its intellectual property assets. In protection through encryption response to these threats, a comprehensive, layered approach to security and authentication of token data, and the ability is essential to protecting an organization’s vital and sensitive information and systems. This to store and manage keys in paper suggests a set of best practices for user authentication. hardware • Addresses varying user risk The Gatekeeper for a Robust Info-Security Solution levels and user requirements Security solutions need to be managed in a layered approach that combines encryption, with authentication choice access policies, key management, content security, and, of course, authentication, just like such as: certificate-based authentication, OTP, mobile any other component in the datacenter. These layers need to be integrated into a flexible authentication, and secure framework that allows the organization to adapt to the risks it faces. Each of these items can access to SaaS applications be broken down further in order to develop best practices when evaluating, deploying, and • Improved management and maintaining such items within the information protection lifecycle (ILP). visibility, with centralized and An authentication solution that ensures the identities of users and computing devices simplified administration, that access the non-public areas of an organization’s network is the first step in building a deployment, and manageability secure and robust information protection system. Lack of proper authentication mechanisms • Industry proven, using can cause a chain effect that will hamper an organization’s ability to protect information standards-based algorithms; throughout its lifecycle. no proprietary technology Recent breaches have highlighted vulnerabilities in the deployment of authentication solutions. Deploying an authentication solution in a robust way will ensure that the identities of users in the system are validated upon entry and thus create the first layer in a multi- layered info-security architecture. Authentication Best Practices: Put Control Where It Belongs Whitepaper 1
User Authentication Best Practices In the aftermath of recent breaches, organizations are closely examining their authentication solutions. To best understand the risks they are facing, organizations are advised to analyze a range of factors relating to IT policy, regulations and compliance, employee behavior, and data storage. Once organizations have a risk model in place and are more aware of their vulnerabilities, they are in a better position to minimize the risk of a breach, and to develop an authentication strategy suited to their needs. This strategy needs to be defined according to their business and their users, who will be required to authenticate for access to the system. Taking these factors into consideration, the CIO can define a layered approach to authentication that includes the core authentication system, the lifecycle of authentication components, and complementary solutions. As companies re-evaluate their strategies to mitigate their info-security risks, they should look closely at best practice recommendations as follows: Core Authentication System Match Your Authentication Solution to Your Business, Users, and Risk A flexible approach that enables an organization to implement different authentication methods based on different risk levels may ensure a robust system that can be efficiently and cost-effectively deployed. Technologies for multi-factor authentication include: • One-time Passwords (OTP): OTP technology is based on a shared secret or seed that is stored on the authentication device and the authentication backend. This method ensures authentication by generating a one-time passcode based on the token’s secret. • Certificate-based Authentication (CBA): This method ensures authentication using a public and private encryption key that is unique to the authentication device and the person who possesses it. CBA tokens can also be used to digitally sign transactions and to ensure non-repudiation. • Context-based Authentication: Context-based authentication uses contextual information to ascertain whether a user’s identity is authentic or not, and is recommended as a complement to other strong authentication technologies. In order to develop a robust authentication solution, organizations should consider their business, users, and risk, and select a solution that provides them with the flexibility to adapt as needed. For example, if organizations are interested in implementing additional security solutions that rely on PKI technology, such as full-disk encryption, network logon, and digital signatures, or are thinking about adding such solutions in the future, they should consider CBA, as it enables these applications. Strengthen OTP Solutions with a User Shared Secret For OTP authentication, an additional layer of security can be implemented by adding a PIN of 4 to 8 digits to the one-time password that is created by the token. The OTP PIN is “something only you know” – a fundamental precept for two-factor authentication. This ensures that even if the token-based authentication mechanism is breached, the hacker still needs to know the user’s PIN in order to access the system. Prefer Solutions that Adhere to Standards-based Security and Certifications Products that are built upon standards-based crypto-algorithms and authentication protocols are preferred. Unlike proprietary algorithms, standards-based algorithms have gone through public scrutiny by industry and security experts that reduces the chance of any inherent weaknesses or vulnerabilities. Moreover, they enjoy broad industry support. The use of products that have undergone validation by an accredited third party, such as FIPS (Federal Information Processing Standard) or Common Criteria certification, ensures that they conform to the industry standard. Authentication Best Practices: Put Control Where It Belongs Whitepaper 2
Consider All Access Points Organizations need to ensure that access to all sensitive information is authenticated, whether the information resides on premise or in the cloud. Organizations should implement the same security mechanisms for cloud resources as they would for remote access to the corporate network. In addition, organizations should deploy security mechanisms to ensure that users accessing network resources from their mobile consumer devices (e.g., tablets, smart phones) are securely authenticated. Implement Effective Password Management Policies In all instances where passwords are required, such as to ensure the authenticity of the user or when setting passwords for CBA tokens, SafeNet recommends the following password management practices: • Organizations should not allow the use of default passwords. • Organizations should enforce passwords that are based on a mix of uppercase and lowercase letters, and numbers. • Password length should be at least 8 characters. • Organizations should not allow passwords that are the same as the user’s name. • Organizations should enforce password replacement on a regular basis. The length of time between password replacements should be based on risk profile but should be done at least once every three months. Robust OTP Authentication Deployment Complement Authentication Solution with Robust Key Management One-Time Password authentication systems are based on a shared secret, usually referred to as the OTP seed (or token seed value). This seed is used to generate the one-time passcode. The OTP seed is stored on both the token and the authentication management system. The effectiveness of the OTP authentication mechanism relies on the secrecy of the OTP seed, as well as the cryptographic strength of the algorithm employed to generate the one-time password. If one of these elements is compromised, the strength of the entire authentication solution is weakened. In most cases, the authentication system vendor programs the seeds into the token and provides the token information to the customer. When the token is assigned to a user, the link is established between the user and the authenticator. These assigned token seeds, associated with user authentication profiles, are used by the authentication manager to control user access to information. Key management helps to prevent insider theft and malware by storing the security data in an encrypted file system or database. Since all authentication systems are comprised of some type of secret information, protection of the secret data is paramount. Therefore, it is recommended to encrypt the database, for example, of an OTP authentication system that stores the tokens’ seeds, and the information that links seeds to tokens and users in an encrypted database. Managing the encryption keys that unlock this data has become critical to a comprehensive security approach. To achieve robust key management, customers can store encryption keys in a hardware security module (HSM). Control Security Data On-Premise Organizations that perceive their risk profile as high may create another layer of security by programming the token seeds in their datacenter. Field-programmable tokens give organizations the ability to generate the token security data and securely program it on their premise. For organizations perceived to be particularly at risk, relying on the security of a vendor is another variable not under their control, regardless of the security measures taken Authentication Best Practices: Put Control Where It Belongs Whitepaper 3
by the vendor. This recommendation is mostly suited to sectors where security concerns are much more salient, such as financial services, healthcare, and government. Complementary Solutions Use Pre-boot Authentication to Protect a Mobile Workforce and Portable Devices For critical components of the system, organizations should examine the need for pre-boot authentication. This ensures that only selected employees can boot the system and perform administrator-based operations. For users that store sensitive information on mobile devices and laptops, full disk encryption with pre-boot authentication (certificate-based) helps to ensure that the data on a lost or stolen device will not be exposed. Develop Auditing and Forensic Capabilities Audit trails and forensics can facilitate early detection if an organization’s system has been breached. Audit trails are effective since they provide information about successful and unsuccessful authentication attempts to the system. The most obvious indicator of an attack is a sharp increase in the number of failed login attempts and account lockout, but this is usually the work of a clumsy, unsophisticated hacker. Generally, lockout policies limit this type of attack. More skilled hackers will patiently try a very low-volume series of login attempts or will resort to social engineering methods such as calling the help desk to request a reset of the PIN/password. Without effective audit tools, this type of attack might go unnoticed. Context-based Authentication Complements a Layered Approach Context-based authentication uses contextual information to ascertain whether a user’s identity is authentic or not. Based on risk profiles, organizations may limit access to specific systems or content items based on a user’s criteria, including whether the user is authenticating from the local or remote network, whether the user is accessing information from a corporate computer, or whether the access time appears reasonable (i.e. office hours for that user’s country location based on their computer IP address). Since much of the information used by context-based information is publicly available and therefore easily accessible to hackers, it is recommended to use this method to complement other stronger authentication methods or as a first level of authentication in a multi-layered approach. Versatile Authentication for a Comprehensive Security Framework SafeNet, recognizing the growing complexity of maintaining security controls in this diverse landscape, offers organizations integrated product suites for ensuring authorized access and managing all multi-factor authentication operations for employees who need to securely access on-premise and cloud-based applications, and for customers and partners who do business online. SafeNet’s award-winning solutions provide an extensible, comprehensive foundation for securing an organization’s strong authentication and transaction verification needs. SafeNet’s Fully Trusted Authentication Environment Based on recent events, SafeNet is the first to offer an authentication framework that provides enterprises with unprecedented security, flexibility, and control over their authentication environment. The framework includes: • Field-programmable tokens: Allows customers to generate the token security data and program on-premise. SafeNet is one of the only vendors to enable on-site token programming for OTP tokens. CBA tokens are automatically reprogrammable. • Offers additional layers of protection: Encrypt token data and store/manage keys with an HSM Authentication Best Practices: Put Control Where It Belongs Whitepaper 4
• Improves management and visibility: Centralized and simplified administration, deployment, and manageability • Industry proven: Standards-based algorithms; no proprietary technology SafeNet’s Family of Authentication Solutions for Secure Remote, Local, and Cloud Access SafeNet’s enterprise solutions enable organizations to meet security needs and plan for contingencies without having to change their underlying infrastructure. Offering flexible management platforms, the broadest range of strong authentication methodologies and form factors, and transaction verification capabilities, as well as identity federation and single sign- on, SafeNet solutions create a future-ready security foundation that allows organizations to adopt a modular, forward-looking identity management strategy, ensuring that their security needs are met as new threats, devices, and user needs evolve. Secure Remote Cloud Applications Local Network Access Secure Remote Access to Network Applications SafeNet authentication solutions are all managed by a single authentication platform, which enables: • Secure remote access for employees and partners • Transaction security for online banking • Embedded cloud support for secure access to SaaS applications • Secure access to corporate resources from mobile devices • A single authentication server for centralized and simplified management • A fully trusted authentication environment for customer control over their own data To learn more about SafeNet’s complete portfolio of authentication solutions, visit our website at www.safenet-inc.com/authentication. SafeNet Management Transaction CBA Verification OTP OOB About SafeNet Founded in 1983, SafeNet is a global leader in information security. SafeNet protects its customers’ most valuable assets, including identities, transactions, communications, data, and software licensing, throughout the data lifecycle. More than 25,000 customers across both commercial enterprises and government agencies, and in over 100 countries, trust their information security needs to SafeNet. Contact Us: For all office locations and contact information, please visit www.safenet-inc.com Follow Us: www.safenet-inc.com/connected ©2011 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. WP (EN)-04.07.11 Authentication Best Practices: Put Control Where It Belongs Whitepaper 5

Recommandé

Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessSirius
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuideAlienVault
 
Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditingPiyush Jain
 
Understanding security operation.pptx
Understanding security operation.pptxUnderstanding security operation.pptx
Understanding security operation.pptxPiyush Jain
 
Vulnerability assessment and penetration testing service.
Vulnerability assessment and penetration testing service.Vulnerability assessment and penetration testing service.
Vulnerability assessment and penetration testing service.Mindtree Ltd.
 
Privileged Account Management - Keep your logins safe
Privileged Account Management - Keep your logins safePrivileged Account Management - Keep your logins safe
Privileged Account Management - Keep your logins safeJens Albrecht
 
Teknisen tietoturvan minimivaatimukset
Teknisen tietoturvan minimivaatimuksetTeknisen tietoturvan minimivaatimukset
Teknisen tietoturvan minimivaatimuksetTeemu Tiainen
 
Security Testing In The Secured World
Security Testing In The Secured WorldSecurity Testing In The Secured World
Security Testing In The Secured WorldJennifer Mary
 

Recommandé

Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessSirius
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuideAlienVault
 
Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditingPiyush Jain
 
Understanding security operation.pptx
Understanding security operation.pptxUnderstanding security operation.pptx
Understanding security operation.pptxPiyush Jain
 
Vulnerability assessment and penetration testing service.
Vulnerability assessment and penetration testing service.Vulnerability assessment and penetration testing service.
Vulnerability assessment and penetration testing service.Mindtree Ltd.
 
Privileged Account Management - Keep your logins safe
Privileged Account Management - Keep your logins safePrivileged Account Management - Keep your logins safe
Privileged Account Management - Keep your logins safeJens Albrecht
 
Teknisen tietoturvan minimivaatimukset
Teknisen tietoturvan minimivaatimuksetTeknisen tietoturvan minimivaatimukset
Teknisen tietoturvan minimivaatimuksetTeemu Tiainen
 
Security Testing In The Secured World
Security Testing In The Secured WorldSecurity Testing In The Secured World
Security Testing In The Secured WorldJennifer Mary
 
System of security controls
System of security controlsSystem of security controls
System of security controlsS.E. CTS CERT-GOV-MD
 
Building a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps WorldBuilding a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps WorldArun Prabhakar
 
Cis controls v8_guide (1)
Cis controls v8_guide (1)Cis controls v8_guide (1)
Cis controls v8_guide (1)MHumaamAl
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...at MicroFocus Italy ❖✔
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operationsPiyush Jain
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Ben Rothke
 
Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Priyanka Aash
 
Solvit identity is the new perimeter
Solvit identity is the new perimeterSolvit identity is the new perimeter
Solvit identity is the new perimeterS.E. CTS CERT-GOV-MD
 
Assessing Risk: Developing a Client/Server Security Architecture,
Assessing Risk: Developing a Client/Server Security Architecture, Assessing Risk: Developing a Client/Server Security Architecture,
Assessing Risk: Developing a Client/Server Security Architecture, MITDaveMillaar
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Ben Rothke
 
Identifying Code Risks in Software M&A
Identifying Code Risks in Software M&AIdentifying Code Risks in Software M&A
Identifying Code Risks in Software M&AMatt Tortora
 
Managing Compliance
Managing ComplianceManaging Compliance
Managing ComplianceSecPod Technologies
 
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...IBM Security
 
Content Aware SIEM™ defined
Content Aware SIEM™ definedContent Aware SIEM™ defined
Content Aware SIEM™ definedEnterprise Technology Management (ETM)
 
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for SecurityA Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for SecurityTripwire
 
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...UBM_Design_Central
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controlsAlienVault
 
WHY SOC Services needed?
WHY SOC Services needed?WHY SOC Services needed?
WHY SOC Services needed?manoharparakh
 
Vulnerability threat and attack
Vulnerability threat and attackVulnerability threat and attack
Vulnerability threat and attacknewbie2019
 
002.itsecurity bcp v1
002.itsecurity bcp v1002.itsecurity bcp v1
002.itsecurity bcp v1Mohammad Ashfaqur Rahman
 
Project Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxProject Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxwkyra78
 
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...Core Security
 

Contenu connexe

Tendances

Building a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps WorldBuilding a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps WorldArun Prabhakar
 
Cis controls v8_guide (1)
Cis controls v8_guide (1)Cis controls v8_guide (1)
Cis controls v8_guide (1)MHumaamAl
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...at MicroFocus Italy ❖✔
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operationsPiyush Jain
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Ben Rothke
 
Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Priyanka Aash
 
Solvit identity is the new perimeter
Solvit identity is the new perimeterSolvit identity is the new perimeter
Solvit identity is the new perimeterS.E. CTS CERT-GOV-MD
 
Assessing Risk: Developing a Client/Server Security Architecture,
Assessing Risk: Developing a Client/Server Security Architecture, Assessing Risk: Developing a Client/Server Security Architecture,
Assessing Risk: Developing a Client/Server Security Architecture, MITDaveMillaar
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Ben Rothke
 
Identifying Code Risks in Software M&A
Identifying Code Risks in Software M&AIdentifying Code Risks in Software M&A
Identifying Code Risks in Software M&AMatt Tortora
 
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...IBM Security
 
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for SecurityA Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for SecurityTripwire
 
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...UBM_Design_Central
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controlsAlienVault
 
WHY SOC Services needed?
WHY SOC Services needed?WHY SOC Services needed?
WHY SOC Services needed?manoharparakh
 
Vulnerability threat and attack
Vulnerability threat and attackVulnerability threat and attack
Vulnerability threat and attacknewbie2019
 

Tendances (20)

System of security controls
System of security controlsSystem of security controls
System of security controls
 
Building a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps WorldBuilding a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps World
 
Cis controls v8_guide (1)
Cis controls v8_guide (1)Cis controls v8_guide (1)
Cis controls v8_guide (1)
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operations
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)
 
Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Practical Enterprise Security Architecture
Practical Enterprise Security Architecture
 
Solvit identity is the new perimeter
Solvit identity is the new perimeterSolvit identity is the new perimeter
Solvit identity is the new perimeter
 
Assessing Risk: Developing a Client/Server Security Architecture,
Assessing Risk: Developing a Client/Server Security Architecture, Assessing Risk: Developing a Client/Server Security Architecture,
Assessing Risk: Developing a Client/Server Security Architecture,
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
 
Identifying Code Risks in Software M&A
Identifying Code Risks in Software M&AIdentifying Code Risks in Software M&A
Identifying Code Risks in Software M&A
 
Managing Compliance
Managing ComplianceManaging Compliance
Managing Compliance
 
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
 
Content Aware SIEM™ defined
Content Aware SIEM™ definedContent Aware SIEM™ defined
Content Aware SIEM™ defined
 
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for SecurityA Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
 
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
 
WHY SOC Services needed?
WHY SOC Services needed?WHY SOC Services needed?
WHY SOC Services needed?
 
Vulnerability threat and attack
Vulnerability threat and attackVulnerability threat and attack
Vulnerability threat and attack
 
002.itsecurity bcp v1
002.itsecurity bcp v1002.itsecurity bcp v1
002.itsecurity bcp v1
 

Similaire à User Auth Best Practices: Put Control Where It Belongs

Project Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxProject Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxwkyra78
 
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...Core Security
 
Identity and access management
Identity and access managementIdentity and access management
Identity and access managementPiyush Jain
 
“Verify and never trust”: The Zero Trust Model of information security
“Verify and never trust”: The Zero Trust Model of information security“Verify and never trust”: The Zero Trust Model of information security
“Verify and never trust”: The Zero Trust Model of information securityAhmed Banafa
 
I Series User Management
I Series User ManagementI Series User Management
I Series User ManagementSJeffrey23
 
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...Entrust Datacard
 
How Zero Trust Changes Identity & Access
How Zero Trust Changes Identity & AccessHow Zero Trust Changes Identity & Access
How Zero Trust Changes Identity & AccessIvan Dwyer
 
What is zero trust model of information security?
What is zero trust model of information security?What is zero trust model of information security?
What is zero trust model of information security?Ahmed Banafa
 
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05 Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05 sucesuminas
 
How to Secure your Fintech Solution - A Whitepaper by RapidValue
How to Secure your Fintech Solution - A Whitepaper by RapidValueHow to Secure your Fintech Solution - A Whitepaper by RapidValue
How to Secure your Fintech Solution - A Whitepaper by RapidValueRapidValue
 
BATbern48_How Zero Trust can help your organisation keep safe.pdf
BATbern48_How Zero Trust can help your organisation keep safe.pdfBATbern48_How Zero Trust can help your organisation keep safe.pdf
BATbern48_How Zero Trust can help your organisation keep safe.pdfBATbern
 
Meletis BelsisManaging and enforcing information security
Meletis BelsisManaging and enforcing information securityMeletis BelsisManaging and enforcing information security
Meletis BelsisManaging and enforcing information securityMeletis Belsis MPhil/MRes/BSc
 
Why IAM is the Need of the Hour
Why IAM is the Need of the HourWhy IAM is the Need of the Hour
Why IAM is the Need of the HourTechdemocracy
 
BeyondCorp - Google Security for Everyone Else
BeyondCorp - Google Security for Everyone ElseBeyondCorp - Google Security for Everyone Else
BeyondCorp - Google Security for Everyone ElseIvan Dwyer
 
Arx brochure - Intellect Design
Arx brochure - Intellect DesignArx brochure - Intellect Design
Arx brochure - Intellect DesignRajat Jain
 

Similaire à User Auth Best Practices: Put Control Where It Belongs (20)

Project Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxProject Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docx
 
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...
 
Identity and access management
Identity and access managementIdentity and access management
Identity and access management
 
“Verify and never trust”: The Zero Trust Model of information security
“Verify and never trust”: The Zero Trust Model of information security“Verify and never trust”: The Zero Trust Model of information security
“Verify and never trust”: The Zero Trust Model of information security
 
I Series User Management
I Series User ManagementI Series User Management
I Series User Management
 
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
 
CCSK.pptx
CCSK.pptxCCSK.pptx
CCSK.pptx
 
BEST CYBER SECURITY PRACTICES
BEST CYBER SECURITY PRACTICESBEST CYBER SECURITY PRACTICES
BEST CYBER SECURITY PRACTICES
 
How Zero Trust Changes Identity & Access
How Zero Trust Changes Identity & AccessHow Zero Trust Changes Identity & Access
How Zero Trust Changes Identity & Access
 
What is zero trust model of information security?
What is zero trust model of information security?What is zero trust model of information security?
What is zero trust model of information security?
 
Silicon Valley IDSA Meetup October 2018
Silicon Valley IDSA Meetup October 2018 Silicon Valley IDSA Meetup October 2018
Silicon Valley IDSA Meetup October 2018
 
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05 Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05
 
How to Secure your Fintech Solution - A Whitepaper by RapidValue
How to Secure your Fintech Solution - A Whitepaper by RapidValueHow to Secure your Fintech Solution - A Whitepaper by RapidValue
How to Secure your Fintech Solution - A Whitepaper by RapidValue
 
BATbern48_How Zero Trust can help your organisation keep safe.pdf
BATbern48_How Zero Trust can help your organisation keep safe.pdfBATbern48_How Zero Trust can help your organisation keep safe.pdf
BATbern48_How Zero Trust can help your organisation keep safe.pdf
 
Meletis BelsisManaging and enforcing information security
Meletis BelsisManaging and enforcing information securityMeletis BelsisManaging and enforcing information security
Meletis BelsisManaging and enforcing information security
 
Information Security
Information SecurityInformation Security
Information Security
 
Why IAM is the Need of the Hour
Why IAM is the Need of the HourWhy IAM is the Need of the Hour
Why IAM is the Need of the Hour
 
BeyondCorp - Google Security for Everyone Else
BeyondCorp - Google Security for Everyone ElseBeyondCorp - Google Security for Everyone Else
BeyondCorp - Google Security for Everyone Else
 
Cyber Security # Lec 5
Cyber Security # Lec 5Cyber Security # Lec 5
Cyber Security # Lec 5
 
Arx brochure - Intellect Design
Arx brochure - Intellect DesignArx brochure - Intellect Design
Arx brochure - Intellect Design
 

Plus de SafeNet

eIDAS Reference Guide
eIDAS Reference GuideeIDAS Reference Guide
eIDAS Reference GuideSafeNet
 
Whose Cloud is It Anyway - Data Security in the Cloud
Whose Cloud is It Anyway - Data Security in the CloudWhose Cloud is It Anyway - Data Security in the Cloud
Whose Cloud is It Anyway - Data Security in the CloudSafeNet
 
Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control
Whose Cloud Is It Anyway: Exploring Data Security Ownership and ControlWhose Cloud Is It Anyway: Exploring Data Security Ownership and Control
Whose Cloud Is It Anyway: Exploring Data Security Ownership and ControlSafeNet
 
Cyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative WorldCyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative WorldSafeNet
 
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and MobilityNot Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and MobilitySafeNet
 
ProtectV - Data Security for the Cloud
ProtectV - Data Security for the CloudProtectV - Data Security for the Cloud
ProtectV - Data Security for the CloudSafeNet
 
Cloud Monetization: A Step-by-Step Guide to Optimizing Your SaaS Business Model
Cloud Monetization: A Step-by-Step Guide to Optimizing Your SaaS Business ModelCloud Monetization: A Step-by-Step Guide to Optimizing Your SaaS Business Model
Cloud Monetization: A Step-by-Step Guide to Optimizing Your SaaS Business ModelSafeNet
 
SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro...
SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro...SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro...
SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro...SafeNet
 
A Single Strong Authentication Platform for Cloud and On-Premise Applications
A Single Strong Authentication Platform for Cloud and On-Premise ApplicationsA Single Strong Authentication Platform for Cloud and On-Premise Applications
A Single Strong Authentication Platform for Cloud and On-Premise ApplicationsSafeNet
 
Securing Digital Identities and Transactions in the Cloud Security Guide
Securing Digital Identities and Transactions in the Cloud Security GuideSecuring Digital Identities and Transactions in the Cloud Security Guide
Securing Digital Identities and Transactions in the Cloud Security GuideSafeNet
 
Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...
Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...
Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...SafeNet
 
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...SafeNet
 
Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...
Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...
Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...SafeNet
 
Hardware Security Modules: Critical to Information Risk Management
Hardware Security Modules: Critical to Information Risk ManagementHardware Security Modules: Critical to Information Risk Management
Hardware Security Modules: Critical to Information Risk ManagementSafeNet
 
Strong Authentication: Securing Identities and Enabling Business
Strong Authentication: Securing Identities and Enabling BusinessStrong Authentication: Securing Identities and Enabling Business
Strong Authentication: Securing Identities and Enabling BusinessSafeNet
 
Building Trust into eInvoicing: Key Requirements and Strategies
Building Trust into eInvoicing: Key Requirements and StrategiesBuilding Trust into eInvoicing: Key Requirements and Strategies
Building Trust into eInvoicing: Key Requirements and StrategiesSafeNet
 
A Question of Trust: How Service Providers Can Attract More Customers by Deli...
A Question of Trust: How Service Providers Can Attract More Customers by Deli...A Question of Trust: How Service Providers Can Attract More Customers by Deli...
A Question of Trust: How Service Providers Can Attract More Customers by Deli...SafeNet
 
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetPayment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetSafeNet
 
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...SafeNet
 
SafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet
 

Plus de SafeNet (20)

eIDAS Reference Guide
eIDAS Reference GuideeIDAS Reference Guide
eIDAS Reference Guide
 
Whose Cloud is It Anyway - Data Security in the Cloud
Whose Cloud is It Anyway - Data Security in the CloudWhose Cloud is It Anyway - Data Security in the Cloud
Whose Cloud is It Anyway - Data Security in the Cloud
 
Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control
Whose Cloud Is It Anyway: Exploring Data Security Ownership and ControlWhose Cloud Is It Anyway: Exploring Data Security Ownership and Control
Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control
 
Cyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative WorldCyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative World
 
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and MobilityNot Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
 
ProtectV - Data Security for the Cloud
ProtectV - Data Security for the CloudProtectV - Data Security for the Cloud
ProtectV - Data Security for the Cloud
 
Cloud Monetization: A Step-by-Step Guide to Optimizing Your SaaS Business Model
Cloud Monetization: A Step-by-Step Guide to Optimizing Your SaaS Business ModelCloud Monetization: A Step-by-Step Guide to Optimizing Your SaaS Business Model
Cloud Monetization: A Step-by-Step Guide to Optimizing Your SaaS Business Model
 
SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro...
SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro...SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro...
SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro...
 
A Single Strong Authentication Platform for Cloud and On-Premise Applications
A Single Strong Authentication Platform for Cloud and On-Premise ApplicationsA Single Strong Authentication Platform for Cloud and On-Premise Applications
A Single Strong Authentication Platform for Cloud and On-Premise Applications
 
Securing Digital Identities and Transactions in the Cloud Security Guide
Securing Digital Identities and Transactions in the Cloud Security GuideSecuring Digital Identities and Transactions in the Cloud Security Guide
Securing Digital Identities and Transactions in the Cloud Security Guide
 
Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...
Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...
Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...
 
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...
 
Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...
Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...
Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...
 
Hardware Security Modules: Critical to Information Risk Management
Hardware Security Modules: Critical to Information Risk ManagementHardware Security Modules: Critical to Information Risk Management
Hardware Security Modules: Critical to Information Risk Management
 
Strong Authentication: Securing Identities and Enabling Business
Strong Authentication: Securing Identities and Enabling BusinessStrong Authentication: Securing Identities and Enabling Business
Strong Authentication: Securing Identities and Enabling Business
 
Building Trust into eInvoicing: Key Requirements and Strategies
Building Trust into eInvoicing: Key Requirements and StrategiesBuilding Trust into eInvoicing: Key Requirements and Strategies
Building Trust into eInvoicing: Key Requirements and Strategies
 
A Question of Trust: How Service Providers Can Attract More Customers by Deli...
A Question of Trust: How Service Providers Can Attract More Customers by Deli...A Question of Trust: How Service Providers Can Attract More Customers by Deli...
A Question of Trust: How Service Providers Can Attract More Customers by Deli...
 
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetPayment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
 
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...
 
SafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server Encryption
 

Dernier

Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 

Dernier (20)

Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 

User Auth Best Practices: Put Control Where It Belongs

  • 1. Authentication Best Practices: Put Control Where It Belongs WHITEPAPER A significant number of high profile security breaches have occurred recently, bringing the Benefits of a Fully organizations affected to the front pages of the business press. These events have had Trusted Authentication a negative impact on the public image of these companies, and may also have a harmful Environment: effect on their business. These incidents have caused the CIOs of many companies to re- • Enables customers to create evaluate their info-security strategy in general, while also placing specific focus on their user their own token data, and authentication and transaction security requirements. retain control of security data and policies These breaches are a reminder that any company may become the target of an attack for its • Offers additional layers of customer, financial, and other confidential data, as well as its intellectual property assets. In protection through encryption response to these threats, a comprehensive, layered approach to security and authentication of token data, and the ability is essential to protecting an organization’s vital and sensitive information and systems. This to store and manage keys in paper suggests a set of best practices for user authentication. hardware • Addresses varying user risk The Gatekeeper for a Robust Info-Security Solution levels and user requirements Security solutions need to be managed in a layered approach that combines encryption, with authentication choice access policies, key management, content security, and, of course, authentication, just like such as: certificate-based authentication, OTP, mobile any other component in the datacenter. These layers need to be integrated into a flexible authentication, and secure framework that allows the organization to adapt to the risks it faces. Each of these items can access to SaaS applications be broken down further in order to develop best practices when evaluating, deploying, and • Improved management and maintaining such items within the information protection lifecycle (ILP). visibility, with centralized and An authentication solution that ensures the identities of users and computing devices simplified administration, that access the non-public areas of an organization’s network is the first step in building a deployment, and manageability secure and robust information protection system. Lack of proper authentication mechanisms • Industry proven, using can cause a chain effect that will hamper an organization’s ability to protect information standards-based algorithms; throughout its lifecycle. no proprietary technology Recent breaches have highlighted vulnerabilities in the deployment of authentication solutions. Deploying an authentication solution in a robust way will ensure that the identities of users in the system are validated upon entry and thus create the first layer in a multi- layered info-security architecture. Authentication Best Practices: Put Control Where It Belongs Whitepaper 1
  • 2. User Authentication Best Practices In the aftermath of recent breaches, organizations are closely examining their authentication solutions. To best understand the risks they are facing, organizations are advised to analyze a range of factors relating to IT policy, regulations and compliance, employee behavior, and data storage. Once organizations have a risk model in place and are more aware of their vulnerabilities, they are in a better position to minimize the risk of a breach, and to develop an authentication strategy suited to their needs. This strategy needs to be defined according to their business and their users, who will be required to authenticate for access to the system. Taking these factors into consideration, the CIO can define a layered approach to authentication that includes the core authentication system, the lifecycle of authentication components, and complementary solutions. As companies re-evaluate their strategies to mitigate their info-security risks, they should look closely at best practice recommendations as follows: Core Authentication System Match Your Authentication Solution to Your Business, Users, and Risk A flexible approach that enables an organization to implement different authentication methods based on different risk levels may ensure a robust system that can be efficiently and cost-effectively deployed. Technologies for multi-factor authentication include: • One-time Passwords (OTP): OTP technology is based on a shared secret or seed that is stored on the authentication device and the authentication backend. This method ensures authentication by generating a one-time passcode based on the token’s secret. • Certificate-based Authentication (CBA): This method ensures authentication using a public and private encryption key that is unique to the authentication device and the person who possesses it. CBA tokens can also be used to digitally sign transactions and to ensure non-repudiation. • Context-based Authentication: Context-based authentication uses contextual information to ascertain whether a user’s identity is authentic or not, and is recommended as a complement to other strong authentication technologies. In order to develop a robust authentication solution, organizations should consider their business, users, and risk, and select a solution that provides them with the flexibility to adapt as needed. For example, if organizations are interested in implementing additional security solutions that rely on PKI technology, such as full-disk encryption, network logon, and digital signatures, or are thinking about adding such solutions in the future, they should consider CBA, as it enables these applications. Strengthen OTP Solutions with a User Shared Secret For OTP authentication, an additional layer of security can be implemented by adding a PIN of 4 to 8 digits to the one-time password that is created by the token. The OTP PIN is “something only you know” – a fundamental precept for two-factor authentication. This ensures that even if the token-based authentication mechanism is breached, the hacker still needs to know the user’s PIN in order to access the system. Prefer Solutions that Adhere to Standards-based Security and Certifications Products that are built upon standards-based crypto-algorithms and authentication protocols are preferred. Unlike proprietary algorithms, standards-based algorithms have gone through public scrutiny by industry and security experts that reduces the chance of any inherent weaknesses or vulnerabilities. Moreover, they enjoy broad industry support. The use of products that have undergone validation by an accredited third party, such as FIPS (Federal Information Processing Standard) or Common Criteria certification, ensures that they conform to the industry standard. Authentication Best Practices: Put Control Where It Belongs Whitepaper 2
  • 3. Consider All Access Points Organizations need to ensure that access to all sensitive information is authenticated, whether the information resides on premise or in the cloud. Organizations should implement the same security mechanisms for cloud resources as they would for remote access to the corporate network. In addition, organizations should deploy security mechanisms to ensure that users accessing network resources from their mobile consumer devices (e.g., tablets, smart phones) are securely authenticated. Implement Effective Password Management Policies In all instances where passwords are required, such as to ensure the authenticity of the user or when setting passwords for CBA tokens, SafeNet recommends the following password management practices: • Organizations should not allow the use of default passwords. • Organizations should enforce passwords that are based on a mix of uppercase and lowercase letters, and numbers. • Password length should be at least 8 characters. • Organizations should not allow passwords that are the same as the user’s name. • Organizations should enforce password replacement on a regular basis. The length of time between password replacements should be based on risk profile but should be done at least once every three months. Robust OTP Authentication Deployment Complement Authentication Solution with Robust Key Management One-Time Password authentication systems are based on a shared secret, usually referred to as the OTP seed (or token seed value). This seed is used to generate the one-time passcode. The OTP seed is stored on both the token and the authentication management system. The effectiveness of the OTP authentication mechanism relies on the secrecy of the OTP seed, as well as the cryptographic strength of the algorithm employed to generate the one-time password. If one of these elements is compromised, the strength of the entire authentication solution is weakened. In most cases, the authentication system vendor programs the seeds into the token and provides the token information to the customer. When the token is assigned to a user, the link is established between the user and the authenticator. These assigned token seeds, associated with user authentication profiles, are used by the authentication manager to control user access to information. Key management helps to prevent insider theft and malware by storing the security data in an encrypted file system or database. Since all authentication systems are comprised of some type of secret information, protection of the secret data is paramount. Therefore, it is recommended to encrypt the database, for example, of an OTP authentication system that stores the tokens’ seeds, and the information that links seeds to tokens and users in an encrypted database. Managing the encryption keys that unlock this data has become critical to a comprehensive security approach. To achieve robust key management, customers can store encryption keys in a hardware security module (HSM). Control Security Data On-Premise Organizations that perceive their risk profile as high may create another layer of security by programming the token seeds in their datacenter. Field-programmable tokens give organizations the ability to generate the token security data and securely program it on their premise. For organizations perceived to be particularly at risk, relying on the security of a vendor is another variable not under their control, regardless of the security measures taken Authentication Best Practices: Put Control Where It Belongs Whitepaper 3
  • 4. by the vendor. This recommendation is mostly suited to sectors where security concerns are much more salient, such as financial services, healthcare, and government. Complementary Solutions Use Pre-boot Authentication to Protect a Mobile Workforce and Portable Devices For critical components of the system, organizations should examine the need for pre-boot authentication. This ensures that only selected employees can boot the system and perform administrator-based operations. For users that store sensitive information on mobile devices and laptops, full disk encryption with pre-boot authentication (certificate-based) helps to ensure that the data on a lost or stolen device will not be exposed. Develop Auditing and Forensic Capabilities Audit trails and forensics can facilitate early detection if an organization’s system has been breached. Audit trails are effective since they provide information about successful and unsuccessful authentication attempts to the system. The most obvious indicator of an attack is a sharp increase in the number of failed login attempts and account lockout, but this is usually the work of a clumsy, unsophisticated hacker. Generally, lockout policies limit this type of attack. More skilled hackers will patiently try a very low-volume series of login attempts or will resort to social engineering methods such as calling the help desk to request a reset of the PIN/password. Without effective audit tools, this type of attack might go unnoticed. Context-based Authentication Complements a Layered Approach Context-based authentication uses contextual information to ascertain whether a user’s identity is authentic or not. Based on risk profiles, organizations may limit access to specific systems or content items based on a user’s criteria, including whether the user is authenticating from the local or remote network, whether the user is accessing information from a corporate computer, or whether the access time appears reasonable (i.e. office hours for that user’s country location based on their computer IP address). Since much of the information used by context-based information is publicly available and therefore easily accessible to hackers, it is recommended to use this method to complement other stronger authentication methods or as a first level of authentication in a multi-layered approach. Versatile Authentication for a Comprehensive Security Framework SafeNet, recognizing the growing complexity of maintaining security controls in this diverse landscape, offers organizations integrated product suites for ensuring authorized access and managing all multi-factor authentication operations for employees who need to securely access on-premise and cloud-based applications, and for customers and partners who do business online. SafeNet’s award-winning solutions provide an extensible, comprehensive foundation for securing an organization’s strong authentication and transaction verification needs. SafeNet’s Fully Trusted Authentication Environment Based on recent events, SafeNet is the first to offer an authentication framework that provides enterprises with unprecedented security, flexibility, and control over their authentication environment. The framework includes: • Field-programmable tokens: Allows customers to generate the token security data and program on-premise. SafeNet is one of the only vendors to enable on-site token programming for OTP tokens. CBA tokens are automatically reprogrammable. • Offers additional layers of protection: Encrypt token data and store/manage keys with an HSM Authentication Best Practices: Put Control Where It Belongs Whitepaper 4
  • 5. • Improves management and visibility: Centralized and simplified administration, deployment, and manageability • Industry proven: Standards-based algorithms; no proprietary technology SafeNet’s Family of Authentication Solutions for Secure Remote, Local, and Cloud Access SafeNet’s enterprise solutions enable organizations to meet security needs and plan for contingencies without having to change their underlying infrastructure. Offering flexible management platforms, the broadest range of strong authentication methodologies and form factors, and transaction verification capabilities, as well as identity federation and single sign- on, SafeNet solutions create a future-ready security foundation that allows organizations to adopt a modular, forward-looking identity management strategy, ensuring that their security needs are met as new threats, devices, and user needs evolve. Secure Remote Cloud Applications Local Network Access Secure Remote Access to Network Applications SafeNet authentication solutions are all managed by a single authentication platform, which enables: • Secure remote access for employees and partners • Transaction security for online banking • Embedded cloud support for secure access to SaaS applications • Secure access to corporate resources from mobile devices • A single authentication server for centralized and simplified management • A fully trusted authentication environment for customer control over their own data To learn more about SafeNet’s complete portfolio of authentication solutions, visit our website at www.safenet-inc.com/authentication. SafeNet Management Transaction CBA Verification OTP OOB About SafeNet Founded in 1983, SafeNet is a global leader in information security. SafeNet protects its customers’ most valuable assets, including identities, transactions, communications, data, and software licensing, throughout the data lifecycle. More than 25,000 customers across both commercial enterprises and government agencies, and in over 100 countries, trust their information security needs to SafeNet. Contact Us: For all office locations and contact information, please visit www.safenet-inc.com Follow Us: www.safenet-inc.com/connected ©2011 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. WP (EN)-04.07.11 Authentication Best Practices: Put Control Where It Belongs Whitepaper 5