Top 10 Reasons For Implementing A New Authentication Solution: What is Yours?


1. Users have too many passwords and are jotting them on notes left in insecure areas

2. The IT staff is overburdened with calls to the Help Desk regarding forgotten passwords

3. Performing password recovery and resets for users is time-consuming, draws resources away from more critical tasks, creates added downtime for users waiting for the recovery/reset, and overall diminishes productivity

4. There are numerous password policies in effect that need to be synchronized

5. The costs for password management with your current solution are becoming prohibitive

6. You need greater control over what applications and areas of the network specific users and groups can access

7. Your organization has high-risk systems, applications and information that require more robust and secure authentication

8. Your organization is required to meet the security requirements of government and industry regulations such as Sarbanes-Oxley, HIPAA, GLB, etc.

9. You need to implement authentication methods that your users will trust and in which they will have confidence

10. You need an authentication system that will enhance usability and ease access for your users



See PistolStar at Booth # 210 at Admin2009

April 15-17, 2009

Sheraton Boston Hotel

Boston, MA, USA

PistolStar, Inc., http://www.pistolstar.com


Implementing an Authentication Solution:
One Size Does Not Fit All

What Makes Sense For Your Environment, Your Business?
When you stack up authentication solutions, it becomes apparent that the “one size fits all” approach falls short. You need to implement a solution that makes sense for your environment and for your business.

It goes without saying that the authentication solution that works best for one organization is not necessarily going to be the best for another. Every enterprise has unique requirements based on its size, the number and location of its facilities, and the number and variety of applications used, not to mention the type of business it is and the industry in which it resides.

Each enterprise also has a different set of user groups. While one organization could have the majority of its users in one location, another could have users based around the globe and working in remote as well as corporate locations. Partners and customers as well as employees could have access to systems and applications and require different authentication controls.

What Are the Business Drivers?
Another consideration is the organization’s business drivers. Is security of utmost concern, or usability? For some companies, there is greater emphasis on relieving the users’ password management burden as much as possible in order to maintain or increase productivity. Other companies, particularly those required to be compliant with government and/or industry regulations, are more concerned with maintaining or boosting security.

Depending on what all these factors are, an organization may want to strengthen authentication by requiring that specific users respond to pre-set challenge questions in addition to entering their username and password, or an organization may find that smart cards would be more expedient than passwords.

The Consequences of the Wrong Solution
Without the right authentication solution, an organization could see user frustration and, consequently, diminished productivity. The IT staff could be burdened with more work and therefore use more resources instead of fewer to address authentication issues. Most importantly, security could be compromised, giving unauthorized users an opportunity to access sensitive or private data.

Whatever your business may be or your environment may require, you want to make sure the authentication solution you implement is one that fits.

For more information on "Tailored Authentication," call Mark at 603.547.1212

Note: The above article was excerpted from a post dated March 10, 2009 in the PistolStar Security Blog.


Cost-Effective Authentication That Addresses Both Security and Usability: Does It Exist?

Generally, companies want to enable simplified access but not at the expense of security. When a highly secure authentication solution is implemented, users often have to sacrifice convenience. Is there a solution that addresses both security and usability?

With PistolStar’s Password Power, organizations can enable authentication redirection: use of the Microsoft Active Directory password to access diverse applications, such as Lotus Notes and Domino, IBM WebSphere, Microsoft SharePoint, SAP and Oracle. By using a centralized directory as the point of authentication, Password Power centralizes password management, allowing administrators to manage one password store and apply Active Directory password policies such as password expiration.

Also with Password Power, Active Directory authentication can be performed using the highly secure Kerberos authentication protocol. With Kerberos, passwords are not transmitted over the network and the user and server are mutually authenticated.

For more information on Password Power, go to our Website.


Access Control: More Critical in Today's High Risk Environments

Access control is a critical requirement for protecting customer and financial data. With an authentication solution that has the ability to monitor user activity, organizations can achieve greater access control and have a vital tool for gaining knowledge on where security risks may lie. Auditing may be considered a sub-set of security, but we cannot overstate its value for the larger enterprise that oversees tens of thousands of users at multiple levels and with access rights of varying degrees.

In large organizations, there are frequent opportunities for people to try to gain unauthorized access to networks and databases. Numerous user authentication actions, such as using expired and weak passwords, making password changes, and striking out, could signal a security risk. Some of these events may require immediate attention if the security of the enterprise could be compromised.

So, how can administrators stay on top of the complex range of user password events, as well as maintain audit trails and obtain real-time notification when issues arise?

In 2009, PistolStar will roll out its Authentication Security Alerts Plug-In as part of the Password Power 8 framework. Authentication Security Alerts will automatically trigger an alert that is sent to the IT administrator whenever one of over 20 different password and login events occurs.

Alerts will be sent via SMTP to a specified email address or a mail-in database and contain the username, domain, IP address and a time stamp. The mail-in database allows the flexibility of categorizing, sorting and triggering Agents. With email, the Alert can go directly to a PDA, allowing for true real-time threat notification.

The Authentication Security Alerts Plug-In will be a diagnostic as well as an auditing tool, as it can be used to isolate and track the activities of individual users. This feature will be of interest to those administrators who want to control the amount of data that Authentication Security Alerts can potentially produce.


Just Any Authentication Solution Won't Do

While any IT solutions buyer would naturally shop around before making a purchase, there are factors beyond feature sets that need to be considered before submitting that order for a new authentication solution.

For example:

  • Have you identified all the passwords (applications) that are used and need to be supported in your organization?
  • Are there any government or industry regulations with which your organization needs to comply?
  • Do you have a large population of remote users?
  • Do you have users other than employees (i.e. partners and customers) to whom you provide access to specific networks and applications?
  • Are user password events occurring in your organization that are raising concerns regarding security and the inability to monitor user actions?
  • Do you have a high-risk environment and require a higher level of security?

© 1999-2009 PistolStar, Inc. - all rights reserved.