UNIVERSITÉ DU QUEBÉC À MONTRÉAL INTEGRATING A USABLE SECURITY PROTOCOL FOR USER AUTHENTICATION INTO THE REQUIREMENTS AND DESIGN PROCESS

Size: px
Start display at page:

Download "UNIVERSITÉ DU QUEBÉC À MONTRÉAL INTEGRATING A USABLE SECURITY PROTOCOL FOR USER AUTHENTICATION INTO THE REQUIREMENTS AND DESIGN PROCESS"

Transcription

1 UNIVERSITÉ DU QUEBÉC À MONTRÉAL INTEGRATING A USABLE SECURITY PROTOCOL FOR USER AUTHENTICATION INTO THE REQUIREMENTS AND DESIGN PROCESS DISSERTATION PRESENTED AS PARTIAL FULFILLMENT OF THE DOCTORATE IN COGNITIVE COMPUTlNG BY CHRISTINA BRAZ SEPTEMBER 201 1

2 UNIVERSITÉ DU QUÉBEC À MONTRÉAL Service des bibliothèques Avertissement La diffusion de cette thèse se fait dans le respect des droits de son auteur, qui a signé le formulaire Autorisation de reproduire et de diffuser un travail de recherche de cycles supérieurs (SDU-522 Rév ). Cette autorisation stipule que «conformément à l'article 11 du Règlement no 8 des études de cycles supérieurs, (l'auteur) concède à "Université du Québec à Montréal une licence non exclusive d'utilisation et de publication de la totalité ou d'une partie importante de (son) travail de recherche pour des fins pédagogiques et non commerciales. Plus précisément, (l'auteur) autorise l'université du Québec à Montréal à reproduire, diffuser, prêter, distribuer ou vendre des copies de (son) travail de recherche à des fins non commerciales sur quelque support que ce soit, y compris l'internet. Cette licence et cette autorisation n'entraînent pas une renonciation de (la) part (de l'auteur) à (ses) droits moraux ni à (ses) droits de propriété intellectuelle. Sauf entente contraire, (l'auteur) conserve la liberté de diffuser et de commercialiser ou non ce travail dont (il) possède un exemplaire.

3 lt1'jiversité DU QUÉBEC À MONTRÉAL L'INTÉGRATION D'UN PROTOCOLE DE SÉCURITÉ ET D'UTILISABILITÉ POUR L'AUTHENTIFICATION DES UTILISATEURS/TRICES DANS LA PHASE D'ANALYSE DES BESOINS ET DE CONCEPTION THÈSE PRÉSENTÉE COMME EXIGENCE PARTIELLE DU DOCTORAT EN INFOR1vfATIQUE COGNITIVE PAR CHRISTINA BRAZ SEPTEMBRE 20Il

4 ACKNOWLEDGMENTS A doctoral thesis is not a work of a single person; every thesis is inevitably the outcome of many interactions between the author, the author's advisors, peers, colleagues, friends, and family. My thanks to my thesis advisors Prof. Dr. Pierre Poirier and Prof. Dr. Ahmed Seffah for whom 1 have a profound admiration. They have worked with me for years to produce this research work. They have shared with me their time, resources, and judgment. They have guided me and helped me improve several sections of my thesis with regards of errors in thinking, purpose and presentation. Finally, 1 would like to express my thanks, appreciation and gratitude to my family who have sustained me on this colossal project.

5 TABLE OF CONTENTS ACKNOWLEDGMENTS TABLE OF CONTENTS LIST OF FIGURES LIST OF TABLES ABSTRACT RÉSUMÉ CHAPTER 1 INTRODUCTION Creating Systems that are Both Secure and Usable 1 J.2 Justification for the Research The Challenging Issues - Why Authentication? Strong Authentication Il Authentication Methods - Vulnerabilities Still Remain 14 J.3 Research Objectives Assumptions and Hypotheses Human Computer Interaction Security (HCISec) Conferences in Usable Security Types ofusers Thesis Roadmap 23 CHAPTER II REVlEW OF THE STATE OF THE ART Introduction User Authentication The context of Authentication in Computer Security Elements of User Authentication Architectural Design Patterns in Authentication Authentication Factors User Authentication Methods Passwords and PINs Authentication Tokens Non-Contact Tokens One-Time Passwords (OTP) C-R Authentication Contact Tokens Digest Access Authentication Out-Of-Band Authentication (OOBA) 53 ii iii viii x XI XII

6 Risk-Based Authentieation (REA) Public Key Authentieation Eneryption Digital Signatures No Usability Features ofpki Single Sign-On (SSO) Kerberos Biometries Fingerprint Recognition Optieal Recognition Facial Recognition Voice/Speaker Recognition Signature Recognition Keystroke Recognition Under-Skin RFlD Chip - AuthenLink Biometries Trade-Offs - Usable Seeurity To Whom Authentieation ls Targeted? Comparative Analysis of User Authentieation Methods The GOMS Model Engineering Models for Usable Interface Design GOMS: A Method for Cognitive Task Analysis How to Develop a GOMS Model? Natural GOMS Language (NGOMSL) Cognitive Complexity Theory NGOMSL Steps Development Proeess Learning Time Predictions Execution time predictions NGOMSL Methodology NGOMSL Limitations Usability and Usable Seeurity Usability Inspection Methods l General usability principles ("heuristics") for User Interface Design Cognitive Walkthrough GOMS Model Additional Usability Evaluation Methods Usable Security Principles and Guidelines Computer Security Design Principles Design Guidelines For Security Management Systems Guidelines and Strategies For Secure Interaction Design Design Principles and Patterns for Aligning Security and Usability Criteria for Security Software to Be Usable Additional Criteria for Security Software to Be Usable General Security Usability Principles 125 IV

7 v CHAPTER III THE USABLE SECURITY PROTOCOL Introduction The Usable Security Protocol Methodology Introduction The Usable Security Protocol Architecture and Methodology Step 1: Define the mission and conceptual design objective Step 2: Identify the most representative user authentication methods categories Step 3: Develop the NGOMSL Model (Natural Goals, Methods, Selection Language) Standard Primitive External Operators Standard Primitive Mental Operators Analyst-Defined Mental Operators Total Execution Time and Total Learning Time A Time Level Analysis of the NGOMSL Step 4: Develop the Authcntication Risk Assessment Matrix Step 5: Generate the usable security principles Step 6: Formulate the Usable Security Symmetry (USS) Step 7: Demonstrate the Usable Security Symmetry (USS) The Usable Security Protocol Methodology Reuse 211 CHAPTERIV THE COGNITIVE SCIENCE AXIS Introduction Cognitive Ergonomies Methods The Cognitive Approach Gathering information Information processing Process Modeling Simulation Main Cognitive Areas offocus Relating to User Authentication Perception Memory Encoding Storage Sensory Memory Working Memory (or Short-Term Memory) Long-Term Memory (LTM) Information Retrieval Recall Recognition 234

8 VI Password Memorability Issues Password Policies Varying Systems Mental Models The Cognitive Model of User Authentication (CMUA) Why to Use a Cognitive Architecture? GLEAN3 Cognitive Architecture SOAR Cognitive Architecture CMUA Cognitive Architecture CM UA Components CMUA Processing Cycle 253 CHAPTER V THE COMPUTER SCIENCE AXIS Introduction Security as a Usability Characteristic Usability Factors and Usability Criteria Mapping 261 5J.l User Authentication Use Cases 265 5J.2 Demonstrating the USS using a Multifunction Teller Machine The Usable Security Symmetry (USS) Inspection Method Definition Usable Security Protocol (USP) Sub-Methodology Usable Security Symmetry (USS) Inspection Method Severity Ratings Usability Severity Ratings Usability Severity Ratings and Recommendations for MTM Security Severity Ratings Security Severity Ratings and Recommendations for MTM Applicability ofuss in the AMDLC The Demonstrational Approach Demonstration ofone-time-password (OTP) Wireless Network Hardware Token with OTP Functionality Personalldentification Number (PIN) Tokencode How the OTP Demonstration Works? System Requirements Demonstration Steps One-Time-Password (OTP) Usability Testing Objectives of the OTP Usability Testing Testing Tools Testing session Testing Methods - Participant Tasks 388

9 VII Data Results Findings Summary One-Time-Password (OTP) Usability Issues - Discussion 390 CHAPTER VI CONCLUSIONS AND FUTURE WORK Summary of the Research Work Scientific Contributions Practical Observations on the Impact of USS in Corporate and Academie Environments 400 6A Limitations Future Work and Recommendations The Future of User Authentication.407 REFERENCES APPENDIX A COMPARATIVE ANALYSIS OF USER AUTHENTICATION METHOOS.425 A.I Introduction 425 APPENDIX B DATA GATHERING.452 B.] Introduction 452 APPENDIX C CHECKLlST DEVELOPMENT C.l Introduction APPENDIX 0 USABLE SECURITY PROTOCOL (USP) REUSE METHODOLOGY Introduction Design Artifacts for Reuse Usable Security Symmetry (USS) Inspection Method Quick Setup.464 APPENDIX E THE GOMS FAMILY: WHICH TECHNIQUE TO USE?.466 E.l NGOMSL versus CPM-GOMS, KLM, and CMN-GOMS.466 E.2 GOMS Models Comparative Analysis.467 E.3 Why GOMS Model When Compared With Other CTAs?.473 E.3.1 Characterizing the User's Tasks.474 E.3.I.l Locus ofcontrol.475 E Goal-Directness 475 E Skill Dimension of Tasks 475 E Sequential Versus Parallel Activity.476 EA Why GOMS? 476 EA.l During Design - GOMS Analysis Guiding the Design.478

10 LIST OF FIGURES 1.1 Usability and Security trade-off: A coounon solution based on a compromise Artifacts with which users might interact with: An authentication token, a wireless device, and a Web interface 1.3 Percentages of key types of incident 9 la Levels of security AutoFill Code improving usability in user authentication User authentication in an ideal organization's security framework The Authentication Marketplace 31 2A The elements of the authentication process Direct Authentication when a client and service share a trust relationship Broker Authentication RSA SecurlD 700 hardware authenticator with One-Time Password (OTP) The password authentication process RSA SecurlD Token for BlackBerry SafeWord RemoteAccess RSA SecurID for iphones DigiPass Go Authentication via OTP CAPTCHA: Tel1ing Humans and Computers Apart Automatically SiteKey helps prevent unauthorized access to lisers' accollnts RSA SecurlD 800 with One-Time Password Magnetic stripe token VeriSign Secure StorageToken Digest Access Authentication's window login in Firefox SafePass Mobile The RSA Engine 56 6

11 IX 2.22 A network authentication method: Kerberos Biometrie authentication process Eikon To Go fingerprint reader Fingerprint recognition scheme BioEnable Facelt Argus: facial recognition system from Llldentity This is a voiceprint for the passphrase: "My voice is my password" Dynamic signature verification from Cyber SIGN Balancing security and usability The GOMS Model Method for selecting a word The optimal number ofusability evaluators: benefits versus costs The USP architecture and methodology USP Input, Process, Output Hard-coded password Java code snippet Reusability Pyramid (Gautam & al 2007) Worksystem and a domain The three-stage processing model of memory Classification ofmemory Mental Models A basic cognitive architecture The GLEAN3 cognitive architecture The SOAR (State Operator And Result) architecture The CMUA cognitive architecture \ Authentication Method Development Life Cycle Security as a usability characteristic Tokencode: a six-digit number 381

12 LIST OF TABLES 1.1 Percentages of key types of incident Guide to Understanding Identification and Authentication in Trusted Systems 2.2 Do the 8 golden rules of user interface design apply to security systems? The "six password broken rules", and their corresponding usability and security mismatches 2.4 Summarized comparative analysis of user authentication methods Total Execution Time by task scenario Execution time by task scenario, authentication method type, and method for goal 3.3 Authentication Risk-Assessment Matrix Username and Password Guessing ' Usability Factors and Usability Criteria Mapping for a MTM User authentication use cases Usable Security Symmetry inspection method - data visualization Usable Security Symmetry checklist Example of a usability problem and its severity rate Example of a security problem and its usability criterion and severity rate

13 ABSTRACT Security and usability are both essentiaj in user authentication processes. One of the biggest challenges facing heterogeneous organizations is providing access control systems, to logical as we]] as physical resources, that are both secure and usable. To achieve this, it is initially necessary to implement three indispensable components such as Identification (Who does this user claims 10 be?), Authentication (ls this user infact who s/he claims to he?), and Authorization (Is this user authorized to have the resource or service that s/he is requesling?). Inquiry particularly on user authentication is vital. Without authentication, a computer system often has no foundation for establishing if access should be granted or not. So far, there has been very little research on usabje security of user authentication methods although a considerable body of research work has been made for computer security mechanisms in general other than authentication methods. Therefore a usable security protocol is needed for user authentication. My thesis is that there is an intrinsic conflict between creating systems that are secure and systems that are usable. But usability and security can be made synergistic by providing requirements and design tools with specific usable security principles earlier in the requirements and design phase. ln certain situations it is -possible to concurrently increase usability and security by revisiting design decisions that were made in the pasto ln other situations it is possible to align security and usability by changing the regulatory environment in which the computers operate. To these ends, this thesis's main goal is not to address usability and security after the product (authentication method) has been manufactured, but to make security a natural outcome of the requirements and design phase of the authentication method development life cycle. Keywords: user authentication, usability, computer security, access control.

14 RÉSUMÉ L'utilisabilité et la sécurité sont des éléments cruciaux dans le processus d'authentification des utilisateurs. L'un des défis majeurs auquel font face les organisations aujourd'hui est d'offrir des systèmes d'accès aux ressources logiques (par exemple, une application informatique) et physiques (par exemple, un bâtiment) qui soient à la fois sécurisées et utilisables. Afin d'atteindre ces objectifs, il faut d'abord mettre en œuvre les trois composantes indispensables que sont l'identification (c.-à-d., définir [' identité d'un uti! isateur), l'authenti fication (c.-à-d., vérifier l'identité d'un uti 1isateur) et l'autorisation (c.-à-d., accorder des droits d'accès à un utilisateur). Plus particulièrement, la recherche en authentification de l'utilisateur est essentielle. Sans authentification, par exemple, des systèmes informatiques ne sont pas capables de vérifier si un utilisateur demandant l'accès à une ressource possède les droits de le faire. Bien que plusieurs travaux de recherche aient porté sur divers mécanismes de sécurité, très peu de recherches jusqu'à présent ont porté sur l'utilisabilité et la sécurité des méthodes d'authentification des utilisateurs,. Pour cette raison, il nous paraît nécessaire de développer un protocole d'utilisabilité et de sécurité pour concevoir les méthodes d'authentification des utilisateurs. La thèse centrale de ce travail de recherche soutient qu'il y a un conflit intrinsèque entre la création de systèmes qui soient sécurisés et celle de systèmes qui soient facile d'utilisation. Cependant, ]'utilisabilité et la sécurité peuvent être construites de manière synergique en uti lisant des outi ls d'analyse et de conception qu i incluent des principes d'utilisabilité et de sécurité dès l'étape d'analyse et de Conception de la méthode d'authentification. Dans certaines situations il est possible d'améliorer simultanément l'utilisabilité et la sécurité en revisitant les décisions de conception prises dans le passé. Dans d'autres cas, il est plus avantageux d'aligner l'utilisabilité et la sécurité en changeant l'environnement régulateur dans lequel les ordinateurs opèrent. Pour cette raison, cette thèse a comme objectif principal non pas d'adresser l'utilisabilité et la sécurité postérieurement à la fabrication du produit final, mais de faire de la sécurité un résultat naturel de l'étape d'analyse et de Conception du cycle de vie de la méthode d'authentification. Mots-clé: authentification de ['utilisateur, utilisabilité, sécurité informatique, contrôle d'accès.

15 CHAPTER 1 INTRODUCTION 1.1 Creating Systems that are 80th Secure and Usable This chapter describes the research objectives and approach, the justification for the research, the economics of strong user authentication, and the main hypothesis of this research. AIl systems demand sorne form of user account. A user is a single entity whose behavior is solely identified within a computer-based system (i.e. Personal Digital Assistant (PDA), workstation, server login, Web sites, etc.). Individual users classically correspond to individual people, but they might also represent particular system services or resources. Most accounts are protected by an easy keyboard password that even a novice hacker can crack in less than 10 minutes. Once inside, hackers use the attacked account for a diversity of nefarious activities, such as launching distributed denial of service (DOS) attacks, distorting Web sites, stealing billing and credit card information or making counterfeit purchases. A new report from Penn (2008) Forrester Research shows that security spending is on the rise in sorne enterprises. The Cambridge, Massachusetts-based research firm interviewed practically 1,000 firms for its State of Enterprise IT Security: report and found that the security segment of lnformation Technology (IT) budgets is expected to increase 12.6 percent in 2009, up from 7.2 percent in 2007 and Il.7 percent in As a matter of fact even during difficult economic conditions, IT security remains an essential portion of business operations as enterprises try to preserve their current environment as well as plans for the implementation of novel initiatives. Security is getting a bigger portion of the IT pie, with the focus less on reactive vulnerability defenses and more on looking at what is required to protect businesses. The focus now is more on protecting the data itself which means information security.

16 2 Distribution of budget for new security initiatives, information security, has increased from 17.7 percent in 2008 to 18.5 percent in There has been a major shift from what was the broadly recognized state of security just a few years ago. Protecting the organization's information assets is the top concern facing security programs: data security (90 percent) is most frequently mentioned as a vital concern for IT security organizations, followed by application security (86 percent), and business continuity/disaster recovery (84 percent). Data security as weil tops the list of business objectives for security, with 89 percent mentioning protection of corporate data and 87 percent mentioning protection of persona! data as essential business objectives. Most of this 2008 spending on information security countermeasures has purchased confidentiality and integrity solutions: products like firewal1s to protect the information perimeter of an enterprise (or encryption), Virtual Private Networks (VPNs)!, and anti-virus and intrusion detection to safeguard the actual information. Spending on user authentication products to safely identify users has foljowed in the security market. Inefficient user authentication marginalizes perimeter security and access controls, showing vulnerabilities in the confidentiality and integrity areas. The growing trend toward identity theft, or employing stolen names, birthdays and identification numbers to perpetrate fraud, would meet firm resistance if strong authentication practices were universally employed. Privacy violations take place as weil due to compromised user authentication. Authentication is behind confidentiality and integrity because exactly identifying huge numbers of users has proven a costly and overwhelming task. The central research question of this thesis is the foljowing: How is it possible to ensure usability of user authentication without compromising security and vice-versa? Security and usability are both essential 111 the authentication process. 1t is broadly held that security and usability are two opposing goals in system design 1 A YPN is a network that uses a public telecommunication infrastructure, such as the Internet. to provide remote offices or individual users wilh secure access 10 their organizalion's network.

17 3 (Cranor and Garfinkel, 2005; J0sang et 01.,2007; Nielsen, 2000) but there are several cases in which security and usability can be synergistically enhanced by reviewing the usable security approach. In addition, the human portion of computer security is effortlessly exploited and continually overlooked. Companies spend millions of dollars on firewalls, encryption and secure access devices, but most of the time they forget to address issues related to the weakest link in the security chain: the human being. In considering the extent that users are important in the authentication process, a company's goal is to select an Authentication Method (AM) that is suitable to the risk involved and as easy to use as possible. Applying too Iowa level of security might compromise the integrity of the company's process. But applying too high a level for a low-risk process means the process will be too hard and will confront low adoption rates. As stated by Penn (2()O~), the key criteria when assessing such solutions are ease of use, portabil ity, cost, security, manageabili ty, and cross-channel utility. My thesis is that there is an intrinsic conflict between creating systems that are secure and systems that are usable. But usability and security can be made synergistic by providing requirements and design tools with specifie usability and security principles earlier in the requirements and design phase. In certain situations it is possible to concurrently increase usability and security by revisiting design decisions that were made in the past. ln other situations it is possible to align security and usability by changing the regulatory environment in which the computers operate. To these ends, this thesis's goal is not to address usability and security after the product (authentication method) has been manufactured, but to make security a natural outcome of the requirements and design phase of the authentication method development life cycle.

18 4 1.2 Justification for the Research Security and usability are both essential in user authentication processes. One of the biggest challenges facing heterogeneous organizations is providing access control systems, to logical as weil as physical resources, that are both secure and usable. To achieve this, it is initially necessary to implement three indispensable components such as Identification (Who does this user daims to be?), Authentication (1s this user infact who s/he daims to be?), and Authorization (1s this user authorized to have the resource or service that s/he is requesting?). Inquiry particularly on user authentication is vital. Without authentication, a computer system often has no foundation for establishing if access should be granted or not. Furthermore, the majority of contemporary computer users for example need to authenticate to a company network several times during their work day. Another particular concern in authentication according to Cranor and Garfinkel (2005) is that authentication systems do not fai! gracefully. It means that if an average consumer computer user forgets her usemame but gets right the password the system does not enable her partial access to an online magazine, for instance, or for an average corporate computer user access to the system's less important files, or an emergency or temporary access. However there are a few companies that are in the initial stages of implementing sorne of these ''fai! grace[ully" functionalities 2 in the corporate area. There is no established and recognized mechanism to accommodate user error, which means that most likely the productivity will be strongly compromised and the user's dissatisfaction with the system will be high. Figure 1.\ models the relationship between usability and security. General princip les for User Interface Design (UID) have already been weil recognized in the Human Computer Interaction (HCI) field. These general principles 2 Users who have lost their hardware authenticator, for instance, can still log in to their accounts with an emergency access code through the on-demand authentication method, without having to contact the system administrator. RSA SecurlD On-demand (SMS) Authenticator. RSA - The Security Division of EMC <http://www.rsa.com/node.aspx?id=348)>

19 5 are called "heuristics" because they are more in the nature of rules of thumb than specifie usability guidelines (Molich and Nielsen, 1990) (e.g. "User Control and Freedom" is one ofthese principles). Context of Use Intimate Causes Effects Relationship, , Problem ~ Problem Usability Scenario Security Scenario Ideal Solution based on HCI Principle and Measures, -- Ideal Solution based on Security Principle and Measur;? Figure 1.1: Usability and Security Trade-off: A Common Solution Based on a Compromise (Braz and Seffah, 2007). So far, there has been very little research on the security usability of user authentication methods, although a considerable body of research work in usable security (a terminology adopted in this thesis when referring to security and usability) has been made for computer security mechanisms in general other than authentication methods. Therefore a usable security protocol is needed for user authentication. This thesis defines the concept of Usable Security as the study of how security infonnation and usability factors should be handled in either front-end or back-end user authentication processes, taking into consideration resources and costs. But why take front-end/back-end processes into consideration? Graphical User Interface (GUI) Developers should have knowledge of user interface design, and tools for implementing designs correctly. This knowledge will result in better front-end design, minimize the number of bugs in the software, and result in lower development costs per feature. GUI Developers should be assigned responsibility for accurate

20 6 implementation of front-end design, as well as back-end functionality. GUI Developers should understand interface issues sufficiently weil to know when to raise design issues during implementation, rather than disregarding them or implementing them inaccurately. lt is crucial to note that the tenn -interface- in this thesis is not only related ta GUI, but also to a shared limit through which the information flows (Maffezzini, 2006). It consists of a hardware or software component that makes the junction between the interface and the user with the purpose of transiting information between them (e.g. an atp token is an interface between the autbentication server and the user) (Figure 1.2). Hardware Token User VVeb Interface Figure 1.2: abjects with which users might interact: An authentication token J, a wireless device, and a Web interface. According to Sasse (2004), one of the most recognized researchers in usable security-, "Don't focus on Uis to security tools - the big problems are in security requirements, job design and user involvement." That is exactly what this thesis is ail about: requirements and design. Additionally, according to Whitten and Tygar (1999), most of the research in HCISec focuses on providing better UIs, but it is obvious that usability problems with secure systems are more than only Uis and need application of HCI factors and design methodology. Whitten and Tygar (1999) claim that using conventional methods for usabi lity evaluation that concentrate on the 3

21 7 impact of usability on security effectiveness will assist developers to discover usability probjems that threaten-i security. Both analytical and empiricaj evaluations were performed in testing the usability goals of Pretty Good Privacy (PG P) Desktop software (i.e. public keyencryption software for desktops and laptops) (Whitten and Tygar, 1998). A number of usability problems causing security failures were discovered in the study, providing the foundation in the Whitten and Tygar (1999) study that specifie usability goals are needed for usability evaluation of security mechanisms. It is important to note that the PGP software has been cited throughout this dissertation as an example of public key authentication. This is due ta the fact that PGP is one of the most common solutions for encryption, supports -major security standards, and interoperates with most accepted security software solutions. The value of usable security was pointed out as early as 1883 by the Belgian cryptographer and linguist Auguste Kerckhoffs in two articles on cryptography. Kerckhoffs is most famous for establishing the principle that security should not be based on obscurity. Moreover, four out of six of Kerckhoffs' cipher principles of design (Kerckhoffs, 1883) are related to usable security (3 to 6) in bold) as follows: 1. The system must be practically, ifnot mathematically, indecipherable; 2. It must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience; 3. lts key must be communicable and retainable without the help of written notes, and changeable or modifiable at the will of the correspondents; 4. It must be applicable to telegraphic correspondence; 5. It must be portable, and its usage and function must not require the concourse of several people; 6. Finally, it is necessary, given the circumstances that command its application that the system should be easy to use, requiring neither mental strain nor the knowledge of a long series of rules to observe.

Securing e-government Web Portal Access Using Enhanced Two Factor Authentication

Securing e-government Web Portal Access Using Enhanced Two Factor Authentication Securing e-government Web Portal Access Using Enhanced Two Factor Authentication Ahmed Arara 1, El-Bahlul Emhemed Fgee 2, and Hamdi Ahmed Jaber 3 Abstract This paper suggests an advanced two-factor authentication

More information

Information Security Basic Concepts

Information Security Basic Concepts Information Security Basic Concepts 1 What is security in general Security is about protecting assets from damage or harm Focuses on all types of assets Example: your body, possessions, the environment,

More information

Strong Authentication for Secure VPN Access

Strong Authentication for Secure VPN Access Strong Authentication for Secure VPN Access Solving the Challenge of Simple and Secure Remote Access W H I T E P A P E R EXECUTIVE SUMMARY In today s competitive and efficiency-driven climate, organizations

More information

Advanced Authentication

Advanced Authentication White Paper Advanced Authentication Introduction In this paper: Introduction 1 User Authentication 2 Device Authentication 3 Message Authentication 4 Advanced Authentication 5 Advanced Authentication is

More information

More effective protection for your access control system with end-to-end security

More effective protection for your access control system with end-to-end security More effective protection for your access control system with end-to-end security By Jeroen Harmsen The first article on end-to-end security appeared as long ago as 1981. The principle originated in ICT

More information

Designing Usable, Yet Secure User Authentication Service: The Cognitive Dimension

Designing Usable, Yet Secure User Authentication Service: The Cognitive Dimension Designing Usable, Yet Secure User Authentication Service: The Cognitive Dimension Christina Braz a, Pierre Porrier a, and Ahmed Seffah b a University of Quebec a Montreal, Canada {braz.christina, pierre.poirier}@uqam.ca

More information

A brief on Two-Factor Authentication

A brief on Two-Factor Authentication Application Note A brief on Two-Factor Authentication Summary This document provides a technology brief on two-factor authentication and how it is used on Netgear SSL312, VPN Firewall, and other UTM products.

More information

Alternative authentication what does it really provide?

Alternative authentication what does it really provide? Alternative authentication what does it really provide? Steve Pannifer Consult Hyperion Tweed House 12 The Mount Guildford GU2 4HN UK steve.pannifer@chyp.com Abstract In recent years many new technologies

More information

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Purpose This paper is intended to describe the benefits of smart card implementation and it combination with Public

More information

Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access

Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access CONTENTS What is Authentication? Implementing Multi-Factor Authentication Token and Smart Card Technologies

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 10 Authentication and Account Management

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 10 Authentication and Account Management Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 10 Authentication and Account Management Objectives Describe the three types of authentication credentials Explain what single sign-on

More information

CHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device

CHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device CHOOSING THE RIGHT PORTABLE SECURITY DEVICE A guideline to help your organization chose the Best Secure USB device Introduction USB devices are widely used and convenient because of their small size, huge

More information

Strong Authentication. Securing Identities and Enabling Business

Strong Authentication. Securing Identities and Enabling Business Strong Authentication Securing Identities and Enabling Business Contents Contents...2 Abstract...3 Passwords Are Not Enough!...3 It s All About Strong Authentication...4 Strong Authentication Solutions

More information

Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor (CISA) Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the

More information

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Contents Authentication and Identity Assurance The Identity Assurance continuum Plain Password Authentication

More information

The Convergence of IT Security and Physical Access Control

The Convergence of IT Security and Physical Access Control The Convergence of IT Security and Physical Access Control Using a Single Credential to Secure Access to IT and Physical Resources Executive Summary Organizations are increasingly adopting a model in which

More information

RSA SecurID Two-factor Authentication

RSA SecurID Two-factor Authentication RSA SecurID Two-factor Authentication Today, we live in an era where data is the lifeblood of a company. Now, security risks are more pressing as attackers have broadened their targets beyond financial

More information

Security Management. Keeping the IT Security Administrator Busy

Security Management. Keeping the IT Security Administrator Busy Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching

More information

Evaluation of different Open Source Identity management Systems

Evaluation of different Open Source Identity management Systems Evaluation of different Open Source Identity management Systems Ghasan Bhatti, Syed Yasir Imtiaz Linkoping s universitetet, Sweden [ghabh683, syeim642]@student.liu.se 1. Abstract Identity management systems

More information

Moving to Multi-factor Authentication. Kevin Unthank

Moving to Multi-factor Authentication. Kevin Unthank Moving to Multi-factor Authentication Kevin Unthank What is Authentication 3 steps of Access Control Identification: The entity makes claim to a particular Identity Authentication: The entity proves that

More information

KEYSTROKE DYNAMIC BIOMETRIC AUTHENTICATION FOR WEB PORTALS

KEYSTROKE DYNAMIC BIOMETRIC AUTHENTICATION FOR WEB PORTALS KEYSTROKE DYNAMIC BIOMETRIC AUTHENTICATION FOR WEB PORTALS Plurilock Security Solutions Inc. www.plurilock.com info@plurilock.com 2 H IGHLIGHTS: PluriPass is Plurilock static keystroke dynamic biometric

More information

RSA Solution Brief. RSA SecurID Authentication in Action: Securing Privileged User Access. RSA Solution Brief

RSA Solution Brief. RSA SecurID Authentication in Action: Securing Privileged User Access. RSA Solution Brief RSA SecurID Authentication in Action: Securing Privileged User Access RSA SecurID solutions not only protect enterprises against access by outsiders, but also secure resources from internal threats The

More information

3D PASSWORD. Snehal Kognule Dept. of Comp. Sc., Padmabhushan Vasantdada Patil Pratishthan s College of Engineering, Mumbai University, India

3D PASSWORD. Snehal Kognule Dept. of Comp. Sc., Padmabhushan Vasantdada Patil Pratishthan s College of Engineering, Mumbai University, India 3D PASSWORD Tejal Kognule Yugandhara Thumbre Snehal Kognule ABSTRACT 3D passwords which are more customizable and very interesting way of authentication. Now the passwords are based on the fact of Human

More information

Sun Management Center Change Manager 1.0.1 Release Notes

Sun Management Center Change Manager 1.0.1 Release Notes Sun Management Center Change Manager 1.0.1 Release Notes Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. Part No: 817 0891 10 May 2003 Copyright 2003 Sun Microsystems, Inc. 4150

More information

The Convergence of IT Security and Physical Access Control

The Convergence of IT Security and Physical Access Control The Convergence of IT Security and Physical Access Control Using a Single Credential to Secure Access to IT and Physical Resources Executive Summary Organizations are increasingly adopting a model in which

More information

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code

More information

French Justice Portal. Authentication methods and technologies. Page n 1

French Justice Portal. Authentication methods and technologies. Page n 1 French Justice Portal Authentication methods and technologies n 1 Agenda Definitions Authentication methods Risks and threats Comparison Summary Conclusion Appendixes n 2 Identification and authentication

More information

Identity Access Management: Beyond Convenience

Identity Access Management: Beyond Convenience Identity Access Management: Beyond Convenience June 1st, 2014 Identity and Access Management (IAM) is the official description of the space in which OneLogin operates in but most people who are looking

More information

IDRBT Working Paper No. 11 Authentication factors for Internet banking

IDRBT Working Paper No. 11 Authentication factors for Internet banking IDRBT Working Paper No. 11 Authentication factors for Internet banking M V N K Prasad and S Ganesh Kumar ABSTRACT The all pervasive and continued growth being provided by technology coupled with the increased

More information

The Benefits of an Industry Standard Platform for Enterprise Sign-On

The Benefits of an Industry Standard Platform for Enterprise Sign-On white paper The Benefits of an Industry Standard Platform for Enterprise Sign-On The need for scalable solutions to the growing concerns about enterprise security and regulatory compliance can be addressed

More information

Chapter 1: Introduction

Chapter 1: Introduction Chapter 1 Introduction 1 Chapter 1: Introduction 1.1 Inspiration Cloud Computing Inspired by the cloud computing characteristics like pay per use, rapid elasticity, scalable, on demand self service, secure

More information

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

Frequently Asked Questions (FAQs) SIPRNet Hardware Token

Frequently Asked Questions (FAQs) SIPRNet Hardware Token Air Force Public Key Infrastructure System Program Office (ESC/HNCDP) Phone: 210-925-2562 / DSN: 945-2562 Web: https://afpki.lackland.af.mil Frequently Asked Questions (FAQs) SIPRNet Hardware Token Updated:

More information

White Paper. Information Security -- Network Assessment

White Paper. Information Security -- Network Assessment Network Assessment White Paper Information Security -- Network Assessment Disclaimer This is one of a series of articles detailing information security procedures as followed by the INFOSEC group of Computer

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

AIRBUS VHT Framework - Mascot-NuM presentation - Emmanuelle Garcia

AIRBUS VHT Framework - Mascot-NuM presentation - Emmanuelle Garcia AIRBUS Virtual Hybrid Testing Framework: focus on V&V concerns Dr. Emmanuelle Garcia, Airbus Toulouse, EZMM, strategy, process, methods and tools, simulation projects GdR Mascot-NuM workshop on Model V&V,

More information

Economic and Social Council

Economic and Social Council UNITED NATIONS E Economic and Social Council Distr. GENERAL ECE/TRANS/WP.30/AC.2/2008/2 21 November 2007 Original: ENGLISH ECONOMIC COMMISSION FOR EUROPE Administrative Committee for the TIR Convention,

More information

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 sm Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 Legal Notice This Open Data Center Alliance SM Usage:Provider Assurance is proprietary to the Open Data Center Alliance, Inc. NOTICE TO USERS

More information

ABSTRACT I. INTRODUCTION

ABSTRACT I. INTRODUCTION Mobile Backup Web Application Using Image Processing Authentication 1 Walse Reshma S. 2 Khemnar Archana M. 3 Padir Maya S. 4 Prof.K.P.Somase Department Of Computer Engineering, Jcoe(Kuran),Tal:Junnar,Dist:Pune

More information

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit. The hidden risks of mobile applications This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit. To learn more about TraceSecurity visit www.tracesecurity.com

More information

INCIDENT RESPONSE CHECKLIST

INCIDENT RESPONSE CHECKLIST INCIDENT RESPONSE CHECKLIST The purpose of this checklist is to provide clients of Kivu Consulting, Inc. with guidance in the initial stages of an actual or possible data breach. Clients are encouraged

More information

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

defending against advanced persistent threats: strategies for a new era of attacks agility made possible defending against advanced persistent threats: strategies for a new era of attacks agility made possible security threats as we know them are changing The traditional dangers IT security teams have been

More information

The 4 forces that generate authentication revenue for the channel

The 4 forces that generate authentication revenue for the channel The 4 forces that generate authentication revenue for the channel Web access and the increasing availability of high speed broadband has expanded the potential market and reach for many organisations and

More information

XYPRO Technology Brief: Stronger User Security with Device-centric Authentication

XYPRO Technology Brief: Stronger User Security with Device-centric Authentication Ken Scudder Senior Director Business Development & Strategic Alliances XYPRO Technology Talbot A. Harty CEO DeviceAuthority XYPRO Technology Brief: Stronger User Security with Device-centric Authentication

More information

Guide to Evaluating Multi-Factor Authentication Solutions

Guide to Evaluating Multi-Factor Authentication Solutions Guide to Evaluating Multi-Factor Authentication Solutions PhoneFactor, Inc. 7301 West 129th Street Overland Park, KS 66213 1-877-No-Token / 1-877-668-6536 www.phonefactor.com Guide to Evaluating Multi-Factor

More information

IIABSC 2015 - Spring Conference

IIABSC 2015 - Spring Conference IIABSC 2015 - Spring Conference Cyber Security With enough time, anyone can be hacked. There is no solution that will completely protect you from hackers. March 11, 2015 Chris Joye, Security + 1 2 Cyber

More information

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0 EUCIP - IT Administrator Module 5 IT Security Version 2.0 Module 5 Goals Module 5 Module 5, IT Security, requires the candidate to be familiar with the various ways of protecting data both in a single

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

Designing and Coding Secure Systems

Designing and Coding Secure Systems Designing and Coding Secure Systems Kenneth Ingham and Anil Somayaji September 29, 2009 1 Course overview This class covers secure coding and some design issues from a language neutral approach you can

More information

Information Security

Information Security Information Security Dr. Vedat Coşkun Malardalen September 15th, 2009 08:00 10:00 vedatcoskun@isikun.edu.tr www.isikun.edu.tr/~vedatcoskun What needs to be secured? With the rapid advances in networked

More information

Remote Access Securing Your Employees Out of the Office

Remote Access Securing Your Employees Out of the Office Remote Access Securing Your Employees Out of the Office HSTE-NB0011-RV 1.0 Hypersecu Information Systems, Inc. #200-6191 Westminster Hwy Richmond BC V7C 4V4 Canada 1 (855) 497-3700 www.hypersecu.com Introduction

More information

Multifactor authentication systems Jiří Sobotka, Radek Doležel

Multifactor authentication systems Jiří Sobotka, Radek Doležel Multifactor authentication systems Jiří Sobotka, Radek Doležel Fakulta elektrotechniky a komunikačních technologií VUT v Brně Email: sobotkaj@feec.vutbr.cz Fakulta elektrotechniky a komunikačních technologií

More information

ITAR Compliance Best Practices Guide

ITAR Compliance Best Practices Guide ITAR Compliance Best Practices Guide 1 Table of Contents Executive Summary & Overview 3 Data Security Best Practices 4 About Aurora 10 2 Executive Summary & Overview: International Traffic in Arms Regulations

More information

PCI DSS Requirements - Security Controls and Processes

PCI DSS Requirements - Security Controls and Processes 1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data

More information

plantemoran.com What School Personnel Administrators Need to know

plantemoran.com What School Personnel Administrators Need to know plantemoran.com Data Security and Privacy What School Personnel Administrators Need to know Tomorrow s Headline Let s hope not District posts confidential data online (Tech News, May 18, 2007) In one of

More information

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft) 1- A (firewall) is a computer program that permits a user on the internal network to access the internet but severely restricts transmissions from the outside 2- A (system failure) is the prolonged malfunction

More information

Effective Software Security Management

Effective Software Security Management Effective Software Security Management choosing the right drivers for applying application security Author: Dharmesh M Mehta dharmeshmm@mastek.com / dharmeshmm@owasp.org Table of Contents Abstract... 1

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

Multi-factor authentication

Multi-factor authentication CYBER SECURITY OPERATIONS CENTRE (UPDATED) 201 (U) LEGAL NOTICE: THIS PUBLICATION HAS BEEN PRODUCED BY THE DEFENCE SIGNALS DIRECTORATE (DSD), ALSO KNOWN AS THE AUSTRALIAN SIGNALS DIRECTORATE (ASD). ALL

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report Management of Los Alamos National Laboratory's Cyber Security Program DOE/IG-0880 February 2013 Department

More information

Achieving Universal Secure Identity Verification with Convenience and Personal Privacy A PRIVARIS BUSINESS WHITE PAPER

Achieving Universal Secure Identity Verification with Convenience and Personal Privacy A PRIVARIS BUSINESS WHITE PAPER with Convenience and Personal Privacy version 0.2 Aug.18, 2007 WHITE PAPER CONTENT Introduction... 3 Identity verification and multi-factor authentication..... 4 Market adoption... 4 Making biometrics

More information

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

Payment Cardholder Data Handling Procedures (required to accept any credit card payments) Payment Cardholder Data Handling Procedures (required to accept any credit card payments) Introduction: The Procedures that follow will allow the University to be in compliance with the Payment Card Industry

More information

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN) MIS5206 Week 12 Your Name Date 1. Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)? a) User from within could send a file

More information

Enhancing Organizational Security Through the Use of Virtual Smart Cards

Enhancing Organizational Security Through the Use of Virtual Smart Cards Enhancing Organizational Security Through the Use of Virtual Smart Cards Today s organizations, both large and small, are faced with the challenging task of securing a seemingly borderless domain of company

More information

Managing IT Security with Penetration Testing

Managing IT Security with Penetration Testing Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to

More information

User Authentication Guidance for IT Systems

User Authentication Guidance for IT Systems Information Technology Security Guideline User Authentication Guidance for IT Systems ITSG-31 March 2009 March 2009 This page intentionally left blank March 2009 Foreword The User Authentication Guidance

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

Smithsonian Enterprises

Smithsonian Enterprises Smithsonian Enterprises Audit of the Effectiveness of the Information Security Program Table of Contents I. Introduction... 1 II. Background... 2 III. Results of Audit... 3 Finding #1: Needed Improvement

More information

Secure Data Exchange Solution

Secure Data Exchange Solution Secure Data Exchange Solution I. CONTENTS I. CONTENTS... 1 II. INTRODUCTION... 2 OVERVIEW... 2 COPYRIGHTS AND TRADEMARKS... 2 III. SECURE DOCUMENT EXCHANGE SOLUTIONS... 3 INTRODUCTION... 3 Certificates

More information

Layered security in authentication. An effective defense against Phishing and Pharming

Layered security in authentication. An effective defense against Phishing and Pharming 1 Layered security in authentication. An effective defense against Phishing and Pharming The most widely used authentication method is the username and password. The advantages in usability for users offered

More information

IT Security. Securing Your Business Investments

IT Security. Securing Your Business Investments Securing Your Business Investments IT Security NCS GROUP OFFICES Australia Bahrain China Hong Kong SAR India Korea Malaysia Philippines Singapore Sri Lanka Securing Your Business Investments! Information

More information

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006 Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates September 2006 Copyright 2006 Entrust. All rights reserved. www.entrust.com Entrust is a registered trademark

More information

ADAPTIVE AUTHENTICATION ADAPTER FOR JUNIPER SSL VPNS. Adaptive Authentication in Juniper SSL VPN Environments. Solution Brief

ADAPTIVE AUTHENTICATION ADAPTER FOR JUNIPER SSL VPNS. Adaptive Authentication in Juniper SSL VPN Environments. Solution Brief ADAPTIVE AUTHENTICATION ADAPTER FOR JUNIPER SSL VPNS Adaptive Authentication in Juniper SSL VPN Environments Solution Brief RSA Adaptive Authentication is a comprehensive authentication platform providing

More information

MAXIMUM DATA SECURITY with ideals TM Virtual Data Room

MAXIMUM DATA SECURITY with ideals TM Virtual Data Room MAXIMUM DATA SECURITY with ideals TM Virtual Data Room WWW.IDEALSCORP.COM ISO 27001 Certified Account Settings and Controls Administrators control users settings and can easily configure privileges for

More information

Information Technology Branch Access Control Technical Standard

Information Technology Branch Access Control Technical Standard Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,

More information

Decision on adequate information system management. (Official Gazette 37/2010)

Decision on adequate information system management. (Official Gazette 37/2010) Decision on adequate information system management (Official Gazette 37/2010) Pursuant to Article 161, paragraph (1), item (3) of the Credit Institutions Act (Official Gazette 117/2008, 74/2009 and 153/2009)

More information

AB 1149 Compliance: Data Security Best Practices

AB 1149 Compliance: Data Security Best Practices AB 1149 Compliance: Data Security Best Practices 1 Table of Contents Executive Summary & Overview 3 Data Security Best Practices 4 About Aurora 10 2 Executive Summary & Overview: AB 1149 is a new California

More information

Authentication Solutions Buyer's Guide

Authentication Solutions Buyer's Guide WHITE PAPER: AUTHENTICATION SOLUTIONS BUYER'S GUIDE........................................ Authentication Solutions Buyer's Guide Who should read this paper Individuals who would like more details regarding

More information

SECUDROID - A Secured Authentication in Android Phones Using 3D Password

SECUDROID - A Secured Authentication in Android Phones Using 3D Password SECUDROID - A Secured Authentication in Android Phones Using 3D Password Ms. Chandra Prabha K M.E. Ph.D. 1, Mohamed Nowfel 2 E S, Jr., Gowtham V 3, Dhinakaran V 4 1, 2, 3, 4 Department of CSE, K.S.Rangasamy

More information

White Paper for Software Publishers. Strong Authentication: Securing Identities and Enabling Business

White Paper for Software Publishers. Strong Authentication: Securing Identities and Enabling Business White Paper for Software Publishers Strong Authentication: Securing Identities and Enabling Business A l a d d i n. c o m / H A S P Table of Contents Abstract...3 Introduction...4 Passwords Are Not Enough!...4

More information

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Meaning Why is Security Audit Important Framework Audit Process Auditing Application Security

More information

Bellevue University Cybersecurity Programs & Courses

Bellevue University Cybersecurity Programs & Courses Undergraduate Course List Core Courses: CYBR 250 Introduction to Cyber Threats, Technologies and Security CIS 311 Network Security CIS 312 Securing Access Control CIS 411 Assessments and Audits CYBR 320

More information

Mobile Identity: Improved Cybersecurity, Easier to Use and Manage than Passwords. Mika Devonshire Associate Product Manager

Mobile Identity: Improved Cybersecurity, Easier to Use and Manage than Passwords. Mika Devonshire Associate Product Manager Mobile Identity: Improved Cybersecurity, Easier to Use and Manage than Passwords Mika Devonshire Associate Product Manager 1 Agenda 2 What is Cybersecurity? Quick overview of the core concepts 3 Cybercrime

More information

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security COMPLIANCE Checklist For Employers Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

More information

Simplifying Security with Datakey Axis Single Sign-On. White Paper

Simplifying Security with Datakey Axis Single Sign-On. White Paper Simplifying Security with Datakey Axis Single Sign-On White Paper Copyright and trademark notice 2003 Datakey Inc. All rights reserved. Version 1.0 No part of this document may be reproduced or retransmitted

More information

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services 1 Contents 3 Introduction 5 The HIPAA Security Rule 7 HIPAA Compliance & AcclaimVault Backup 8 AcclaimVault Security and

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Regulations on Information Systems Security. I. General Provisions

Regulations on Information Systems Security. I. General Provisions Riga, 7 July 2015 Regulations No 112 (Meeting of the Board of the Financial and Capital Market Commission Min. No 25; paragraph 2) Regulations on Information Systems Security Issued in accordance with

More information

ADDING STRONGER AUTHENTICATION for VPN Access Control

ADDING STRONGER AUTHENTICATION for VPN Access Control ADDING STRONGER AUTHENTICATION for VPN Access Control Adding Stronger Authentication for VPN Access Control 1 ADDING STRONGER AUTHENTICATION for VPN Access Control A VIRTUAL PRIVATE NETWORK (VPN) allows

More information

University of Sunderland Business Assurance PCI Security Policy

University of Sunderland Business Assurance PCI Security Policy University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial

More information

Security Requirements Analysis of Web Applications using UML

Security Requirements Analysis of Web Applications using UML Security Requirements Analysis of Web Applications using UML Salim Chehida 1, Mustapha kamel Rahmouni 2 1 Department of Informatics, University of Mostaganem, Algeria salimchehida@yahoo.fr 2 Department

More information

PortWise Access Management Suite

PortWise Access Management Suite Create secure virtual access for your employees, partners and customers from any location and any device. With todays global and homogenous economy, the accuracy and responsiveness of an organization s

More information

Multi-Factor Authentication

Multi-Factor Authentication Making the Most of Multi-Factor Authentication Introduction The news stories are commonplace: Hackers steal or break passwords and gain access to a company s data, often causing huge financial losses to

More information

N1 Grid Service Provisioning System 5.0 User s Guide for the Linux Plug-In

N1 Grid Service Provisioning System 5.0 User s Guide for the Linux Plug-In N1 Grid Service Provisioning System 5.0 User s Guide for the Linux Plug-In Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. Part No: 819 0735 December 2004 Copyright 2004 Sun Microsystems,

More information

Enhancing Web Application Security

Enhancing Web Application Security Enhancing Web Application Security Using Another Authentication Factor Karen Lu and Asad Ali Gemalto, Inc. Technology & Innovations Austin, TX, USA Overview Introduction Current Statet Smart Cards Two-Factor

More information

Using Entrust certificates with VPN

Using Entrust certificates with VPN Entrust Managed Services PKI Using Entrust certificates with VPN Document issue: 1.0 Date of issue: May 2009 Copyright 2009 Entrust. All rights reserved. Entrust is a trademark or a registered trademark

More information

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination

More information

AUTHENTIFIERS. Authentify Authentication Factors for Constructing Flexible Multi-Factor Authentication Processes

AUTHENTIFIERS. Authentify Authentication Factors for Constructing Flexible Multi-Factor Authentication Processes AUTHENTIFIERS Authentify Authentication Factors for Constructing Flexible Multi-Factor Authentication Processes Authentify delivers intuitive and consistent authentication technology for use with smartphones,

More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information