Strong Authentication: Not Just a Buzz Word

Maintaining control over who gains access to your enterprise networks is a greater concern than ever. Requiring authentication with memorized passwords alone can prove inadequate in certain circumstances, or in industries such as banking and government that deal with highly sensitive data.

This is where strong authentication comes in. Strong authentication is the use of more than one factor to authenticate and gain access to the enterprise. Organizations imposing strong authentication may require either two-factor or multi-factor authentication. A password can be one of the factors, which may also include a PIN, token, smart card, or a biometric identifier (e.g. a fingerprint or retinal pattern). With strong authentication, organizations eliminate the vulnerabilities of using passwords alone and gain a higher level of assurance their networks are protected from individuals gaining unauthorized access.

- An FFIEC guidance on strong authentication in Internet banking provides insight on the subject that is relevant to all industries.
- Searchsecurity.com provides perspective on strong authentication in relation to single sign-on.
- PistolStar's Web Set Password now offers strong authentication capabilities; see the press release on Web Set Password 8.

14 Reasons to Integrate All Your Logins with Microsoft Active Directory


The Advantage of Authentication Redirection Over Password Synchronization


1. Active Directory can be leveraged for resolving issues related to management of multiple passwords and alleviating the account administration burden of IT staff.

2. Users in Windows environments typically already employ Active Directory for Windows login, thus options for achieving reduced or single sign-on are expanded.

3. Authentication can be redirected to the Active Directory password, allowing users to employ the same password for each login prompt.

4. The password authentication process can be reduced almost entirely to Active Directory operations, further distributing its power.

5. Using Active Directory as the central authentication point for accessing multiple applications removes the user's need to maintain and use separate passwords for those applications.


Problem:
With password synchronization, one password (such as the Windows password) is synched with the passwords of other user applications (such as Lotus Notes and Lotus Domino HTTP) so that one and the same password can be used at each login prompt the user encounters. Even though only one password is needed, multiple password prompts still make for a cumbersome login experience, as the average end-user might need to log in 2-3 times for each of their 6-8 applications in a single day.

Administratively, password synchronization entails tremendous overhead because copies of the password must be maintained in each of the user accounts. Multiple password stores create complexity and inconvenience, particularly every time the password is reset, as the change needs to be made to the password copies in all the different locations.

Solution:
Authentication redirection removes the redundancy of maintaining and changing a password in multiple locations by enabling end-users to employ one password stored in one location — their network directory or LDAP password (e.g. Microsoft Active Directory, Novell eDirectory, or Sun ONE LDAP). End-users can authenticate against their network directory or LDAP password for accessing Lotus Notes, Lotus Domino Internet applications, Lotus Sametime Connect, SAP applications and more…



Kerberos Authentication Protocol: An Added Layer of Security

When Kerberos authentication is employed, no passwords are sent over the network, and the end-user and server are mutually authenticated, which defeats server attacks and malicious programs that impersonate the server in order to obtain the end-user's private information.

Originally developed at and used by the Massachusetts Institute of Technology (MIT), Kerberos has become the foundation for authentication in Windows operating systems since Microsoft implemented it as the default authentication mechanism in Windows 2000. Kerberos requires connectivity to a central Key Distribution Center (KDC), which, in Windows, is any Microsoft Active Directory domain controller. End-users authenticate to the KDC, requesting encrypted service tickets for the specific service they wish to use (e.g. Web servers). Only the service and the KDC can decrypt the service ticket to get the end-user’s authentication information. The service trusts the credentials in the service ticket because it knows the ticket could only be created by the KDC and thus recognizes the end-user must have been authenticated by the KDC in order to receive the ticket.

Kerberos authentication also integrates with Windows and Active Directory, so end-users on Windows 2000, XP and Vista need only log on to a Windows domain at the start of their workday. When the end-user then accesses a server that uses Kerberos authentication, their browser retrieves the service ticket from the KDC and sends it to the server automatically.
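The ticket exchange described above, as an added example (not code from PistolStar's product or from MIT Kerberos): the KDC seals a service ticket under the web server's key, the user proves knowledge of the password only by being able to decrypt the KDC's reply, and the server authenticates back by echoing the timestamp under the session key. The toy cipher, the principal names and the password-to-key derivation are stand-ins for the real Kerberos encryption types, not the protocol's actual wire format.

```python
import hashlib, hmac, json, os, time

def _xor_stream(key, nonce, data):
    # SHA-256 in counter mode stands in for a real Kerberos encryption type.
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    """Toy authenticated encryption (illustration only): nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("not sealed under this key")
    return json.loads(_xor_stream(key, nonce, ct))

# Constructed long-term keys held by the KDC: the user's is derived from her
# password, the web server's is its service key. Neither ever crosses the wire.
KEYS = {"alice": hashlib.sha256(b"alice-password").digest(),
        "HTTP/web.example": os.urandom(32)}

def kdc_issue(user, service, now, lifetime=300):
    # AS and TGS exchanges collapsed into one step; a real KDC issues a TGT first.
    session = os.urandom(32).hex()
    ticket = seal(KEYS[service], {"user": user, "session": session, "expires": now + lifetime})
    # Reply sealed under the user's key: only someone who knows the password can read it.
    return seal(KEYS[user], {"session": session, "ticket": ticket.hex()})

def service_accept(service, ticket, authenticator, now):
    t = unseal(KEYS[service], ticket)      # only the service (and the KDC) can open the ticket
    if now > t["expires"]:
        raise ValueError("ticket expired")
    session = bytes.fromhex(t["session"])
    a = unseal(session, authenticator)     # client proves it holds the session key
    if a["user"] != t["user"] or abs(now - a["ts"]) > 300:
        raise ValueError("authenticator mismatch or stale")
    return t["user"], seal(session, {"ts": a["ts"]})   # mutual auth: echo under session key

def client_login(user, password, service, now=None):
    now = time.time() if now is None else now
    key = hashlib.sha256(password.encode()).digest()   # derived locally, never sent
    reply = unseal(key, kdc_issue(user, service, now))  # wrong password -> cannot open
    session, ticket = bytes.fromhex(reply["session"]), bytes.fromhex(reply["ticket"])
    who, proof = service_accept(service, ticket, seal(session, {"user": user, "ts": now}), now)
    return who, unseal(session, proof)["ts"] == now      # (user, server proved its identity)
```

Note that the KDC never sees or checks the password: a wrong password simply leaves the client unable to open the reply, and a client cannot read or alter the ticket because it is sealed under the service's key.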



The Client-Side Versus Server-Side Debate

Some security solutions are installed and managed client-side, right on the users' desktops, while others reside on the server. Depending on the size of your company, the resources available for managing product deployments and the needs of your user base, it may be imperative for your team to go with one type of install over another.

Streamlining Authentication for Leading National Insurance Companies

Information needs to move quickly in the insurance industry, and for that reason, organizations in this sector need to provide their users with the ability to access information easily. Enabling single sign-on is a high priority because it allows users to get to the applications they need to perform their jobs without repeated password prompts or the need to remember multiple passwords.

Insurance companies utilize several enterprise applications to facilitate the exchange of information, including Lotus products such as Notes, Domino, Sametime and QuickPlace. As a result, they find there are numerous passwords to be managed — by administrators as well as users — which consumes time and increases the number of password-related calls to the Help Desk. Nonetheless, attempting to achieve single or reduced sign-on to the applications in their organization can pose a challenge for insurance companies, as these applications tend to be dissimilar.


PistolStar, Inc., http://www.pistolstar.com

© 1999-2008 PistolStar, Inc. - all rights reserved.