Are you worried that your current IT projects are overly complicated, haven’t been tested sufficiently or may impact existing applications in a way that you have not considered?
Today’s complex technology infrastructure encompasses not only hardware, software, networking and data, but also BYOD … and it’s a sure thing that tomorrow will bring more changes. The escalating number of business applications used daily increases the demand on help desks. And cyber threats are growing in number, potential impact and creativity – not to mention that they are coming in at a feverish rate. The only certainty is more change. So how do we keep up?
The best approach seems to be the same one that works in nature -- adapt and evolve … but unlike nature, the edits must happen in near real-time. Learn more about how to strengthen login authentication by reviewing the information below.
The Changing Circumstances
“Houston, we have a problem …” Indeed we do, with dynamically changing circumstances needing your constant attention. Don’t sit back; force yourself to take an immediate proactive stance. Acting to correct issues will improve your odds of reducing risk and avoiding the worst-case scenario: a breach.
Where do you start? Get organized. Identify and divide your technology infrastructure into quadrants, as shown in the diagram. Each quadrant includes multiple topics worthy of further exploration. But once identified and mapped out, you won’t feel as overwhelmed and can begin to improve on the high priority areas in a methodical fashion.
PortalGuard has identified four quadrants, which have a common theme around authentication. We all spend a good part of our work-life repeatedly proving to “the system” who we are and that we are authorized. The need to tighten up security through authentication means creating stronger policies, reducing threats, increasing usability and providing the correct access. You will recognize in some form or another these high-level areas: Compliance, Threats, Needs and Access.
Let’s drill down a bit deeper:
Compliance is the action of adhering to rules and standards that have been created by governing powers. These powers can come from the federal government (such as enacting a new law) or defined by a parent company or organization leadership.
Establishment of standards brings consistency and control to your organization. Compliance provides evidence that all necessary and reasonable actions were taken to prevent an incident.
Threats are attempts to cause harm by exploiting vulnerabilities or misuse within your infrastructure. Proactively creating and following best practices for authentication ensures that procedures are in place to counter threats, so your end-users are not put at risk.
Complaints (or needs) from end-users are issues that they deem unsatisfactory or unacceptable. Complaints are usually urgent because they are blocking the user’s ability to proceed with their job. Empower your end-users with self-service capabilities.
Finally, access provides internal and external users with appropriate and correct access to company business apps and data. Accurate access ensures that internal and (especially) external users have the proper authority. Many breaches result from third-party vendors having unauthorized access to your internal infrastructure.
The Point of View
Assessing each of the authentication quadrants from the IT perspective reinforces the importance of all views and the need to address authentication for all roles: the executive-level view, the administrator’s view and the end-user’s view. Each role sees the quadrants from an entirely different perspective.
Following are the roles and their view of your company’s authentication situation:
Chief Information Officer (CIO)
The Chief Information Officer is concerned with corporate regulation, user adoption, best practices and authorized access. These are some of the goals and concerns a CIO handles for their organization:
- I need to satisfy corporate regulatory compliances and policies to satisfy audit requirements
- I’m concerned with increasing user adoption and acceptance
- It’s important for my company to follow best practices to be proactive, not reactive
- I want to give external users access, while maintaining usability and security
System Administrator
The System Administrator is concerned with the integrity of the corporate directory, reducing support calls, being alerted to meaningful events and deploying proper user access.
- I’m concerned with integration to the corporate directory
- I feel empowering users will reduce the amount of support
- I want to be alerted to meaningful events
- I’m worried that deploying planned changes on current projects may create performance issues or unforeseen complexities
End-User
The end-user wants to avoid having their access blocked, which causes decreased productivity and increased frustration.
- We need 24x7 access to be productive
- We like self-service capabilities
- We feel less confusion and improved usability because of the unified policies
- We want insulation from threats & attacks
Best practices, at a minimum, suggest a regular interval for expiring passwords and minimum standards to ensure decent password quality. Immediate feedback to users regarding password quality, and the ability to change a password easily using various methods, will empower the user and reduce help desk calls. Password expiration after 180 days will reduce risk in the event that your password becomes known to unauthorized users.
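As an added illustration (not PortalGuard’s code), the following Python shows what “immediate feedback on password quality” plus a 180-day expiration check can look like in practice. The 180-day interval is the figure from this post; the minimum length, character-class rules and username check are assumed policy values chosen for the example.

```python
from datetime import date

# Policy values. EXPIRATION_DAYS matches the 180-day interval discussed above;
# MIN_LENGTH and the character-class rules are assumptions for this example.
EXPIRATION_DAYS = 180
MIN_LENGTH = 12


def password_feedback(password: str, username: str) -> list[str]:
    """Return user-facing feedback on a proposed password.

    An empty list means the password meets the minimum standard; otherwise
    each entry is one concrete thing the user can fix right away.
    """
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"must be at least {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        issues.append("add a lowercase letter")
    if not any(c.isupper() for c in password):
        issues.append("add an uppercase letter")
    if not any(c.isdigit() for c in password):
        issues.append("add a digit")
    if not any(not c.isalnum() for c in password):
        issues.append("add a symbol")
    if len(set(password)) < 5:
        # e.g. "aaaaaaaaaaaa!" passes the rules above but is still weak
        issues.append("too many repeated characters")
    if username and username.lower() in password.lower():
        issues.append("must not contain your username")
    return issues


def expiration_status(last_changed_iso: str, today_iso: str) -> tuple[bool, int]:
    """Return (expired, days_remaining) for a password under the 180-day rule.

    Dates are ISO strings (YYYY-MM-DD) so the check is easy to drive from a
    directory attribute or a log line; days_remaining never goes negative.
    """
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    days_left = EXPIRATION_DAYS - (today - last_changed).days
    return days_left <= 0, max(days_left, 0)


if __name__ == "__main__":
    # Constructed sample input: a candidate password for user "alice".
    print(password_feedback("Correct-Horse", "alice"))   # ['add a digit']
    print(expiration_status("2024-01-01", "2024-06-29"))  # (True, 0)
```

Surfacing the returned list in the change-password form is what gives users the immediate feedback the text describes, instead of a generic “password rejected” message.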
An effective starting point for combating attacks is strengthening authentication, but success depends heavily on your company’s commitment to making two-factor authentication mandatory across your organization.
Many organizations need the flexibility to deploy 2FA differently for each department. Each department may have specific requirements or restrictions -- for example, not being able to use a personal mobile phone or lacking sufficient mobile reception. In these cases, choose a vendor that offers the flexibility you need for your departments, especially if there are tight budgets.
Educating your users about phishing is another major step toward keeping them from being fooled. Every day we are bombarded by sophisticated phishing attempts. Educate your users by showing them what phishing attempts look like and how to identify them. Installing an authentication solution will aid in identifying phishing attempts, but it will never catch every occurrence. Therein lies the problem, because it only takes one employee’s action to infect your environment.
Start implementing appropriate authentication procedures today, to strengthen your security.
For more information or to discuss your organization’s needs, please feel free to reach out.