Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment
Best Practices

www.gemalto.com

Table of Contents

Strong Authentication and Cybercrime 1
Best Practices 5
Ease of Implementation 6
Summing Up 7


As enterprises move aggressively to make all records and processes electronic—leveraging new infrastructure technology to enable efficiency and provide anytime, anywhere remote access for remote workers—the need for strong authentication is greater than ever. As the global leader in digital security, last year alone, Gemalto shipped more than six billion smart secure devices and supplied a wide range of software and services to hundreds of the world’s largest enterprises and government agencies. Our solutions help banks offer greater protection and convenience to their customers. They ensure billions of transactions every day are securely conducted between the right parties. They protect documents to make them practically impossible to forge. And they let people exchange information and access services without fear of being spied on or hacked. From our extensive knowledge and experience, we have identified best practices for successfully applying strong authentication to enable greater efficiency and maximize security while leveraging your Microsoft environment.

Strong Authentication and Cybercrime

In today’s world of cybercrime, this seems like a fair question: with all of the billions being spent on IT security, how is it that so many large, respected companies get hacked? Why are firewalls, anti-virus, intrusion prevention systems and other common components of today’s infrastructures failing? The simple answer in most cases is that information systems are breached because someone’s identity and access privileges are compromised. More likely, several people’s. How can enterprises and Cloud Service Providers (CSPs) stop criminals from stealing and using identity credentials? CIOs and CISOs can close the security gap with an identity-centric approach that integrates stronger authentication, using device-based PKI credentials and one-time password (OTP) authentication processes integrated with existing identity and access systems. Strong authentication, or multi-factor authentication, complements access security based on something you know (the username and password) with something you have (a personal portable security device carrying a certificate) or something you are (a biometric), or both.


For higher-risk individuals and transactions, greater security is required. For example, using PKI certificates you can enable digital signature validation of specific high-risk actions or for high-profile users. Here’s an example. A common hacker tactic is to create a new user, or several, with system administrator privileges. To block this attack, let’s say you establish a new security policy for creating system-privileged user accounts:

> System admin sessions must be strongly authenticated
> To take your security one step further, high-risk actions, such as creating privileged accounts, require a digital signature validation that includes a unique challenge/response exchange using PKI certificates outside of the browser session and presentation of a fingerprint biometric to validate the transaction

Implicitly this policy means any such action is seen and approved by an individual with a smart card or other external certificate-based credential, whose identity is bound to the credential by the biometric. A digital signature using a smart card credential provides an “out-of-band” (or second channel) authentication, because the signature is made by the processor and software on the smart card, independently of the browser and the PC itself.

This identity-centric policy and digital signature technology put a virtually insurmountable barrier in front of the would-be hacker, effectively preventing the successful use of even man-in-the-middle (MITM) attacks. In an MITM attack, a user’s network connection to the server has been compromised such that the hacker’s system now sits between the user and the server, enabling the hacker to make fraudulent transactions that are hidden from the user. Requiring a digital signature prevents this by ensuring every high-value transaction is seen and approved by the user out-of-band from the browser.

The use of smart card-based PKI credentials to protect against MITM attacks is also recommended by the U.S. National Institute of Standards and Technology (NIST) in its “Electronic Authentication Guideline” (NIST Special Publication 800-63-1, p. 77). NIST rates authentication process assurance levels against specific threats including replay, eavesdropping, phishing and MITM attacks. Smart card PKI credentials are rated at Level 4 (strong, the highest rating) for MITM and the other threats. OTP tokens are rated as a Level 3 assurance solution: weak against MITM attacks but effective protection against the others.

Using strong authentication solutions empowers a business to maximize these new efficient computing models while at the same time minimizing risks.
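The out-of-band transaction signing described above, as an added Go example that is not Gemalto’s or Microsoft’s code: the server issues a single-use challenge together with the exact action it is about to perform, a stand-in for the smart card signs that data with an ECDSA P-256 key that never leaves the card (assumed here in place of the card’s certificate key), and the server approves only a signature over the unaltered transaction with a fresh nonce. The account names, the transaction fields and the nonce are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transaction is the high-risk action sent to the card for out-of-band approval; Nonce is a single-use server challenge.
type Transaction struct{ Action, Subject, Nonce string }

// digest canonicalises the transaction so card and server hash identical bytes.
func digest(t Transaction) []byte {
	h := sha256.Sum256([]byte(t.Action + "|" + t.Subject + "|" + t.Nonce))
	return h[:]
}

// CardSign stands in for the smart card: the key never leaves it and it signs what the card shows the user.
func CardSign(card *ecdsa.PrivateKey, t Transaction) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, card, digest(t))
}

// Verifier holds the enrolled public key and the challenges already consumed.
type Verifier struct {
	pub  *ecdsa.PublicKey
	used map[string]bool
}

// Approve is true only if the signature covers exactly the transaction the
// server is about to execute and the nonce has not been used before.
func (v *Verifier) Approve(t Transaction, sig []byte) bool {
	if v.used[t.Nonce] || !ecdsa.VerifyASN1(v.pub, digest(t), sig) {
		return false
	}
	v.used[t.Nonce] = true
	return true
}

func main() {
	card, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // enrolment: key generated on the card
	v := &Verifier{pub: &card.PublicKey, used: map[string]bool{}}
	tx := Transaction{"create-privileged-account", "svc-backup", "nonce-7f3a"} // constructed sample
	sig, _ := CardSign(card, tx)
	mitm := tx
	mitm.Subject = "attacker-admin" // a MITM rewrites the account after the user has approved
	fmt.Println("altered:", v.Approve(mitm, sig), "genuine:", v.Approve(tx, sig), "replay:", v.Approve(tx, sig))
}
```

The altered transaction fails because the signature no longer matches what the server would execute, and the replay fails because the nonce has already been consumed.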

If a hacker gains access to the root of your system, they can do whatever they want. Often this process takes months, with the intruder planting a small seed that expands through networked systems, slowly making changes that are unnoticed until at some point they break through and are able to establish their own user accounts and set privileges. Then they are ready to harvest the data they want to steal. To prevent this from happening, day-to-day you need to be using strong authentication and digital signatures for anyone authorized to make edits to systems, create new users, set privileges and control Microsoft Active Directory or other equivalent identity management services.


Best Practices

Here are seven best practices—the keys to success—on how to enable efficiency, leverage new IT infrastructures and maximize security with an identity-centric strategy based on PKI credentials.

1. For a quick start, begin with OTP and migrate rapidly to smart card-based PKI certificates
> Add on new apps, such as digital signature and email encryption, over time

2. Integrate OTP tokens and certificate-based credentials into identity and access management systems and mandate their use from the highest levels of the organization
> A second authentication factor is only effective if it is used, and it will only be used if it is required. Strong leadership and policies enforced by the executive team will be needed for success

3. Establish a thorough provisioning process that strongly binds credentials to an individual user

4. Prioritize implementation based on risk, starting with system administrators and executives
> For system administrators, lock down critical weak points such as the ability to create new user accounts with system admin privileges and other common exploits, to prevent catastrophic penetration of infrastructure by attackers

5. Remove the second authentication credential from the PC by using personal portable security devices such as a smart card ID badge, or OTP on a token or smart phone
> Create this second line of defense so it is completely independent of the PC, requiring the attacker to compromise two completely separate systems. Even if someone’s PC or login credentials are compromised, they will be useless to attackers without the secondary device

6. Require use of two-factor authentication with all new remote or cloud-based applications
> Enable strong authentication solutions that are a front end to single sign-on systems, increasing efficiency for users and security at the same time
> This is particularly true for healthcare ePrescription applications for controlled substances, where a certificate and credential can be used to digitally sign an online prescription, proving its validity

7. Develop secure and thorough exception processes and backup access methods for common user situations such as forgotten, lost and stolen credentials
> Automate common support tasks such as PIN resets

Following these best practices will significantly reduce your risks of a successful attack on you or your clients. By taking an identity-centric approach to your IT security, you can lock down critical processes and systems and ensure you have complete control over who has access. At the same time, you are creating a business enabler that lets you take full advantage—securely—of the opportunities created by cloud computing, remote workforces and all-digital workflows.


Ease of Implementation

The good news is that provisioning, deploying and using smart card-based credentials with identity certificates in a Microsoft environment is very straightforward today. All leading IT infrastructure suppliers, including Microsoft, already fully support the use of smart card-based two-factor authentication. In fact, many of these IT leaders already use smart card ID credentials internally themselves.

The Microsoft environment with DirectAccess, Microsoft CA and Active Directory is primed to provide strong authentication. When combined with Gemalto’s IDConfirm 1000, the process seamlessly allows users to log in with a One-Time Password or PKI credential. IDConfirm 1000 can be configured to verify the user name and password in addition to the One-Time Password, or the user name and password can be left to the Microsoft components to verify. A temporary certificate that expires within minutes is generated to allow the user to log in securely each time.


If your organization, or your clients, are primarily operating a Microsoft environment, you can be assured your core infrastructure is ready to evolve into identity-centric security. There is no need to install additional middleware; it is as simple as adjusting some settings and enabling software modules to get started. Key Microsoft components that support smart card-based credentials and certificates include:

> Forefront Identity Manager (FIM): A simplified framework for managing and provisioning user identities, user accounts and access, password- and certificate-based credentials such as smart cards, and identity-based policies across Windows and heterogeneous environments
> Certificate Authority, Active Directory and Active Directory Federation Services (ADFS): Tools for certificate issuance, authentication and access control for credentials and identities
> DirectAccess: With Gemalto’s Strong Authentication (SA) Solutions and Microsoft DirectAccess, users can access the corporate network by simply logging in using a smart card or using a one-time password (OTP) provided through a token or smart phone
> One of the most exciting updates with DirectAccess on Windows 8 and Windows Server 2012 is that your login credentials are cached when you log in and passed through seamlessly to DirectAccess, which eliminates the additional prompts for step-up authentication after login
> Windows desktop and server operating systems: Full support for desktop logins, terminal services and security policy enforcement, as well as self-service provisioning and maintenance with FIM for everyday tasks like PIN resets
> Applications including Outlook, SharePoint and Office: login, digital signature and encryption capabilities
> Office 365: Microsoft’s cloud-based apps support the use of smart card credentials

Gemalto offers a wide range of strong authentication solutions, from OTP through certificate-based (PKI) identity solutions, for your Microsoft environment. This gives you the flexibility to deliver the right technology to meet the needs of your business and your users. In addition, with Gemalto solutions you have a clear upgrade migration path. You can start with OTP and, when the time is right, move to a more secure PKI solution.

Summing Up — Identity-centric Security Using Strong Authentication is a Best Practice

The purpose of this brief was to give you an overview of the best practices for successfully applying strong authentication to enable greater efficiency and maximize security in your Microsoft environment. We hope these ideas can help you start planning new possibilities for an identity-centric security IT strategy to better protect your organization.


© 2012 Gemalto. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto NV and are registered in certain countries. May 2012.

The world leader in digital security