Authentication is changing: passwords have become yesterday's access control
In the information age, ensuring that our personal details are private is important. Moreover, ensuring that corporate data is secure and not leaked is also vital. This article will cover steps that you and your organisation can take to help keep your personal and corporate details and data secure and private using the latest in 2FA (two factor authentication).
The information age has left billions of people vulnerable to theft of their personal details. One example is the millions of users of social networking sites such as Facebook, MySpace and Twitter, to name a few. People use these sites voluntarily and place all sorts of information out there for everyone to see and use as they desire. All of a sudden we have been given the opportunity to connect with an audience we would never have had access to before. This has its advantages, but it has many disadvantages as well: the information only needs to pass into the wrong hands to be used to our detriment.
We (corporations and users alike) simply assume that our information is only being accessed by those we wish to see it, and so fool ourselves into believing that our information is still ours and private. But the question we should be asking ourselves is: is it really? Is it realistic to believe that one can place oneself in such a public situation and still protect one's information from misuse? Many of us would like to believe that this is the case. A few ways we can try to secure our data in these situations are to use strong, unique passwords, password-protect our Wi-Fi networks, activate the remote lock function on our devices, turn off GPS on our devices and ensure the security settings available on the social networking sites are configured correctly.
This is an example of people willingly putting their privacy and data at risk, although here you at least control the information you put out there. There are many circumstances in which your data is placed at risk for reasons outside your control, so how do we avoid situations like these?
Everyone has the right to the protection of their personal data. Every time you open a bank account, join a social networking site or book a flight online you hand over vital information. This information (your name, address and bank details) is meant to be secure and remain private. However, what happens when this data falls into the wrong hands? As quickly as security technology moves forward, people with malicious intent are just as quickly working out routes around these security systems. Studies available on the internet have shown that it is quite easy to guess or work out passwords.
Two Factor Authentication (2FA)
A technology that offers more security in situations like these is 2FA, or two-factor authentication. 2FA provides security beyond passwords. Securing your data with a password alone (single-factor authentication) is no longer a viable choice; it is not rigorous enough to serve as the sole security method. 2FA is a much more secure option.
Two-factor authentication means using two independent pieces of evidence to verify an entity's identity. It is by no means a new concept; it has been used throughout history. A long-standing example of 2FA is a bank customer using an ATM: the first authentication factor is the physical ATM card that you insert into the machine and the second is your personal PIN, and authentication can only take place if both are present. This scenario illustrates the basics of 2FA: the first factor is something physical (something you have) and the second is the PIN (something only you know).
There are three ways to authenticate a person, based on:
- What the person has (something physical)
- What the person knows (something private, like a password or PIN)
- What the person is (biometrics)
From this it has been found that the most secure and practical option for 2FA is to use 'what you have' and 'what you know' as the two criteria, because biometrics has its drawbacks and complications (cost, false recognition and acceptance, and false rejection). 2FA is inherently more secure than single-factor authentication: with 2FA, even if the password is compromised, users are protected because only they are in possession of the hardware token (which generates an ever-changing PIN) or whatever the second authentication factor is.
2FA and where it is heading
Basic 2FA is advancing quickly. You no longer need to carry a token around with you: there are now schemes in which your mobile phone or ID card can be leveraged for 2FA. The latest trends in 2FA include authentication through the mobile phone; as mobile phones become ubiquitous and more capable, enterprises can use 2FA more conveniently and effectively. The 2FA market is moving forward: in addition to tokens and SMS- or software-based options, adaptive 2FA options are also available. 2FA is moving in a direction where it could be offered as a service, activated for a specific application, with authentication happening in the cloud. Developers are keen to build 2FA technology directly into applications, integrating the authentication into the system.
2FA has evolved far beyond its beginnings with hardware tokens and works with a variety of devices today. The use of the technology will continue to grow as people feel the urgency to secure their personal and corporate data alike.
When considering the use of 2FA in your organization, all factors should be looked at carefully. No two organizations or users are the same, and the authentication method should suit the individual user's requirements. For example:
- Regular users may benefit from using a physical token that produces a new one-time passcode every 60 seconds.
- For occasional users, or users who require temporary access, it may be better to deliver the passcode via SMS to their mobile phone.
Steps a company can take to secure their data and keep it private
Data theft grows with each passing year, and organisations are realising that internal leaks of non-public information must be prevented. Steps can be taken to keep non-public information private; following these steps may help prevent data leakage.
- Identify and prioritize vulnerable information, such as confidential information
- The first step to protecting this information is to organize it into categories by the degree of value and confidentiality it holds for the company. Types of information to be secured include:
o Structured Information (Social Security numbers, account numbers, personal identification numbers, credit card numbers)
o Unstructured information (contracts, financial releases and customer correspondence)
- Perform a risk assessment and study the information flow
In order to secure information you need to understand how it flows through the organization. You need to determine the flow of the information and then examine where a potential leak may occur. This can be determined by analysing a few issues:
- Who has access to the data involved
- How the data is created, modified, processed or distributed
- The movement of the data through the network
- Whether policies are being met
By looking at the flow you are able to locate potential areas of vulnerability and can put preventative measures in place.
- Keep your policies up to date and ensure strict guidelines are adhered to regarding appropriate access, usage and distribution of data within the organization.
- Different information should be governed by appropriate policies. A universal policy should not be applied to all company data; rather, each category of data or information should have its own policy drafted according to the type of data being secured. For example, customer data, employee records and intellectual property cannot be governed by the same policy, but rather each category by its own policy, as the data is not one and the same. This is where the categorizing of information discussed in step one becomes very useful.
- Once policies are in place it is essential that they are monitored and enforced or they will be of no use.
- Determine who should have access to the data and authenticate accordingly
- Use strong 2FA which can interoperate with a wide variety of products and applications. This way you are able to control who has access and who does not.
- Control the Access to data through monitoring, enforcement and reviewing
- To protect confidential information and company assets it is essential that policies are controlled and adhered to. Control points should be established across the flow of data within the organization which can verify compliance at all times and have the ability to stop unauthorized traffic. Once policies are in place they should not be forgotten, but rather reviewed periodically and adjusted if need be, to ensure the systems are always working to the best of their ability. External audits are useful too.
- Encrypt data
- Ensure data is encrypted at all points on the network, including data in transit as well as data at rest in the database.
Your security planning should include:
- Access, plan and design
- Authentication (strong 2FA)
- Access control (monitored, audited and logged)
- Encryption (end to end)
Protecting data, whether personal or corporate, is a journey rather than an instant cure. You need to take a systematic approach to identify sensitive data and implement procedures to help secure it. Various measures can be used to protect data and assets; they include encryption at various points (encrypting data in transit as well as data at rest in the database) and 2FA. Many precautions should be taken to control access to and distribution of this data. One must keep an open mind at all times regarding threats to your data. Hackers are not the only threat: firewalls work to keep hackers outside, but the way technology is moving, many businesses rely on letting the right people inside and trusting they have the best intent, which only increases the vulnerability of sensitive data. A combination of the procedures discussed is likely to be a more effective way to secure data than any one of the methods alone.